MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e57c5a86edabac44bf073a9c49a7dbf9cae0b546d452c57ed57f08f8d338e2e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e57c5a86edabac44bf073a9c49a7dbf9cae0b546d452c57ed57f08f8d338e2e2
SHA3-384 hash: 928a0f4fcf81aff252a9bd2db59663a35de45f5041ab4a6f05c5651075c67a9cdb4e1b67f2e6e678873be17871a87421
SHA1 hash: f508d83fc98865570bdd47e59ba1f2cfc3803a73
MD5 hash: d92bb196ebdec2b71cc17ae64fd84909
humanhash: venus-spring-two-pluto
File name:Eiequlvoxhirduoofhmimhxnhmquledinx.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:911'872 bytes
First seen:2022-05-31 12:04:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9981138599f14f08c7fbb955324b1ef6 (2 x AveMariaRAT, 1 x BitRAT, 1 x RemcosRAT)
ssdeep 12288:/zrlc1bK1O+apZWSNnjAPwf7cI/tICqwT7lcsAEMb+dxAWMeM7jEOd/:/nyE7apA0AP9R4csfdxD/MMOd/
Threatray 8'563 similar samples on MalwareBazaar
TLSH T18A158E23B3908533D3531A385C1BE6A99E35BE302F29B94667F42E0C5F7A541B9392D3
TrID 68.5% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
27.0% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
1.4% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.3% (.SCR) Windows screen saver (13101/52/3)
0.4% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c8c982848998ac94 (10 x Formbook, 6 x DBatLoader, 4 x RemcosRAT)
Reporter malwarelabnet
Tags:BitRAT bitrat modiloader xenarmor exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
bitrat
Create hunting rule
ID:
1
File name:
Eiequlvoxhirduoofhmimhxnhmquledinx.exe
Verdict:
Malicious activity
Analysis date:
2022-05-31 12:11:48 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/307d264c-0a29-4063-94d0-7d877a236693

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/275722/
Detection(s):
Win.Trojan.Trojanx-9942338-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a file
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the process to interact with network services
Launching a process
Using the Windows Management Instrumentation requests
Setting a global event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe keylogger packed remote.exe replace.exe
Link:
https://www.filescan.io/uploads/629604869bfd7f19bcdc7f75/reports/61426961-9bdf-4a68-abfd-d0e34a05e67d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/757af776-5f69-448b-a730-b7839c52c724
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1004222
Signature
Creates a thread in another existing process (thread injection)
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 636714 Sample: Eiequlvoxhirduoofhmimhxnhmq... Startdate: 31/05/2022 Architecture: WINDOWS Score: 96 36 zoppere.nerdpol.ovh 2->36 44 Malicious sample detected (through community Yara rule) 2->44 46 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->46 48 Yara detected BitRAT 2->48 50 Machine Learning detection for sample 2->50 9 Eiequlvoxh.exe 12 2->9         started        13 Eiequlvoxhirduoofhmimhxnhmquledinx.exe 1 19 2->13         started        16 Eiequlvoxh.exe 12 2->16         started        signatures3 process4 dnsIp5 54 Multi AV Scanner detection for dropped file 9->54 56 Machine Learning detection for dropped file 9->56 58 Writes to foreign memory regions 9->58 18 logagent.exe 9->18         started        42 transfer.sh 144.76.136.153, 443, 49734, 49742 HETZNER-ASDE Germany 13->42 32 C:\Users\Public\Librariesiequlvoxh.exe, PE32 13->32 dropped 34 C:\Users\...iequlvoxh.exe:Zone.Identifier, ASCII 13->34 dropped 60 Creates a thread in another existing process (thread injection) 13->60 62 Injects a PE file into a foreign processes 13->62 22 DpiScaling.exe 1 2 13->22         started        24 cmd.exe 1 13->24         started        file6 signatures7 process8 dnsIp9 38 zoppere.nerdpol.ovh 20.106.247.22, 2222, 49771, 49778 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 22->38 40 192.168.2.1 unknown unknown 22->40 52 Hides threads from debuggers 22->52 26 cmd.exe 1 24->26         started        28 conhost.exe 24->28         started        signatures10 process11 process12 30 conhost.exe 26->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e57c5a86edabac44bf073a9c49a7dbf9cae0b546d452c57ed57f08f8d338e2e2/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2022-05-31 12:05:11 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4v6fvbxnvowejpyhhkoetj637hfobnkg2rjmk7wvp4epruzy4lra._file
Verdict:
malicious
Similar samples:
1777cad58e9516ffbeb10b73f8b751d8689a71712266f223e2281a425ed09551
BitRAT
30e4c4c41a6a4d31abc2f98c77a01a5d5fdb562bdc19362728a65d986820352e
BitRAT
34bca356c816bb71cc7c496f8238af91033119e324be0a82067aa3b20a9bad4a
BitRAT
8753275f0bd22cca6a047c6cd870f3b88aaf9f19b49fa9f2719794a6226e9e35
BitRAT
b161e9594ef8849e7a1c09a801b5d248cfff6b08c65ed6459dda75b25fdeafee
BitRAT
b165bdbad9821670da9ee9293016ff57e07266cf5695e69688934e00b565a4cf
BitRAT
bd54feaedda33ef8e611cd540e84b8c44d989f2417ddca33472cea3b7892afaf
BitRAT
df4529d0592f28fbe9ad1918f19fc78db86e7abbca15b24cd016e5f34774bdcc
BitRAT
ea5a2cf2a4c8ddc7f01d6b8a573efa20b7dd35fe633e0d1413b0d41e2cd31874
BitRAT
+ 8'553 additional samples on MalwareBazaar
Result
Malware family:
xenarmor
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:modiloader family:xenarmor collection password persistence recovery spyware stealer suricata trojan upx
Link:
https://tria.ge/reports/220531-n86b9sbba3/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
ModiLoader Second Stage
BitRAT
ModiLoader, DBatLoader
XenArmor Suite
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Malware Config
C2 Extraction:
zoppere.nerdpol.ovh:2222
Unpacked files
SH256 hash:
0b4b7d7628499c9d0c62562dc64f22baf5390cd32f71e0317c259511ae85b5b6
MD5 hash:
d6e8fb9c9383709a7475144fbc74cb44
SHA1 hash:
3dc32f98eb13d725511b64924730132883ad3591
Link:
https://www.unpac.me/results/6b30e4ae-f5bb-4c30-814f-5d46a454aabd/
SH256 hash:
e57c5a86edabac44bf073a9c49a7dbf9cae0b546d452c57ed57f08f8d338e2e2
MD5 hash:
d92bb196ebdec2b71cc17ae64fd84909
SHA1 hash:
f508d83fc98865570bdd47e59ba1f2cfc3803a73
Link:
https://www.unpac.me/results/6b30e4ae-f5bb-4c30-814f-5d46a454aabd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e57c5a86edabac44bf073a9c49a7dbf9cae0b546d452c57ed57f08f8d338e2e2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/275722/

Comments