MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e6df0473885248cf7c449ac57120d90c000ee847f27452a426d4bb3e7e0fee7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e6df0473885248cf7c449ac57120d90c000ee847f27452a426d4bb3e7e0fee7a
SHA3-384 hash: 2f07b95c93d84aea96c5c65513ebe5c26586ed2e31ebadae06ec62e0ff5c1c681e0e8b2fc0a18fc273197db25169fb9a
SHA1 hash: e46c87bddf2227c583a2c9e30ee9984db82b32a2
MD5 hash: 07d781828a2e31ae1748f114c5fe9fd5
humanhash: beer-twenty-speaker-montana
File name:Terms and Conditions pdf.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'110'016 bytes
First seen:2021-06-24 11:47:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:X3jJ+bAaMd3REebAaMd3nLc7PA2CxQQ7UbdnZ0uD:nYAaMVRE2AaMVA7Y2Ms
Threatray 319 similar samples on MalwareBazaar
TLSH E835F1217AEB9019F0777F794EE435859AAFBF633B13D80D2851324A4733A41DE9063A
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
103.151.125.18:1234

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.151.125.18:1234 https://threatfox.abuse.ch/ioc/153207/

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Terms and Conditions pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-06-24 11:59:57 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/b7872748-3f9f-4b25-a4bc-7e9b6d5e1f0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168005/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.867-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/459cae14-8202-4adf-9f87-add53fc86131
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/807429
Signature
Antivirus detection for dropped file
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 439841 Sample: Terms and Conditions pdf.exe Startdate: 24/06/2021 Architecture: WINDOWS Score: 100 41 Antivirus detection for dropped file 2->41 43 Multi AV Scanner detection for dropped file 2->43 45 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->45 47 9 other signatures 2->47 7 Terms and Conditions pdf.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\zJAQFbftkdPi.exe, PE32 7->23 dropped 25 C:\Users\...\zJAQFbftkdPi.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmpD313.tmp, XML 7->27 dropped 29 C:\Users\...\Terms and Conditions pdf.exe.log, ASCII 7->29 dropped 57 Injects a PE file into a foreign processes 7->57 11 Terms and Conditions pdf.exe 16 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 37 jsmoveisdemadeirarustica.com.br 191.252.129.230, 443, 49713 LocawebServicosdeInternetSABR Brazil 11->37 39 www.jsmoveisdemadeirarustica.com.br 11->39 31 C:\Users\user\...\ka9mQUSma8f7O7AV.exe, PE32 11->31 dropped 33 C:\Users\user\AppData\Local\...\1[1].exe, PE32 11->33 dropped 17 ka9mQUSma8f7O7AV.exe 1 2 11->17         started        21 conhost.exe 15->21         started        file8 process9 dnsIp10 35 103.151.125.18, 1234, 49719, 49720 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN unknown 17->35 49 Antivirus detection for dropped file 17->49 51 Multi AV Scanner detection for dropped file 17->51 53 Machine Learning detection for dropped file 17->53 55 2 other signatures 17->55 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e6df0473885248cf7c449ac57120d90c000ee847f27452a426d4bb3e7e0fee7a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-24 09:33:49 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=43pqi44ikjem67cetlcxcigzbqaa52ch6j2ffjbg2s5t47qp5z5a._file
Verdict:
malicious
Similar samples:
1e92ffaaee0217be3540c5a8e0b465d639008e15bb1335fc1aab14ef252f4072
BitRAT
405615def0f1ed392a6273ab7c23a2e5fc01bc2cb978b7f3f2040d4a3c57d37a
BitRAT
4cf44d352a41e3125ec55db9e83843e57a8a4345781fb7a4a8535935b0b87906
BitRAT
53592d15fc275a7c603b2c80baf9ca7d3e2f7eebe82ba8eca971ff1c005ab353
BitRAT
6110c332c287a7ac7fadde14aa3b69190a415e11f664f6746b461b589e0276cd
BitRAT
6387b0ded51410f864b093626cfa7e711c8885d6870996f8138de12ced45730c
BitRAT
6cd85d78caec047483007ee54b8f4cea13d29c648b7f4bd500ce199f360f1518
BitRAT
8f09e478721eecc723aa346c56541183c78bcaa6b97f08b8d33b84022881178a
BitRAT
dfeaef515d92681d5d23ace741b56e14ec71b9042427874c15ef2db030c47b95
BitRAT
e5aea3844b9f8f3811b6c3e3ff58e84793806b58da0064743235b7c6e476e624
BitRAT
+ 309 additional samples on MalwareBazaar
Result
Malware family:
xenarmor
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:xenarmor password recovery spyware stealer trojan upx
Link:
https://tria.ge/reports/210624-v2wppypfr6/
Behaviour
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
BitRAT
BitRAT Payload
XenArmor Suite
Unpacked files
SH256 hash:
2e5c50e8d6c89b45daca2e47c54136e91b1c0e848c90ec429c4db501eb7cf0f0
MD5 hash:
cd243e46983109927cbed27b661961ff
SHA1 hash:
e555151e9072cc6918b2ad85e3f21c6f82b0d3a8
Link:
https://www.unpac.me/results/79ec334e-a4c8-4bc4-921e-32f42f6afc5f/
SH256 hash:
c35404375695c2b339a53838f1bdf07082f753e13f66ad4fdd5501e61d805f59
MD5 hash:
2a1009f54fffb2ec74c379eeecae4774
SHA1 hash:
3e2d87419077105690296e8aca1fc99293ad3109
Link:
https://www.unpac.me/results/79ec334e-a4c8-4bc4-921e-32f42f6afc5f/
SH256 hash:
2e706ba1c2eeaa3b4e6c35c2cffcab51fc05f81a0c1f1bea279f8b774acc3643
MD5 hash:
4ff70bf4a6484a8b696153407b3eda04
SHA1 hash:
28fe798325d935707fb4b0df585c500d8dcf7c90
Link:
https://www.unpac.me/results/79ec334e-a4c8-4bc4-921e-32f42f6afc5f/
SH256 hash:
e6df0473885248cf7c449ac57120d90c000ee847f27452a426d4bb3e7e0fee7a
MD5 hash:
07d781828a2e31ae1748f114c5fe9fd5
SHA1 hash:
e46c87bddf2227c583a2c9e30ee9984db82b32a2
Link:
https://www.unpac.me/results/79ec334e-a4c8-4bc4-921e-32f42f6afc5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e6df0473885248cf7c449ac57120d90c000ee847f27452a426d4bb3e7e0fee7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168005/

Comments