MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e90fc6d470ff84b3a179067b82f2bba3ad33a369251adf54b012cbad4cc32b53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e90fc6d470ff84b3a179067b82f2bba3ad33a369251adf54b012cbad4cc32b53
SHA3-384 hash: c1f02d72340b62bb80ef64d7af315ea12f483b1e0e57e0575aa727bd80dc7f3bfa52b9e4dad92380259af5f95b268cca
SHA1 hash: 23897d577ca865d945f504696f4da6a614627dab
MD5 hash: 723d47565dfc726f53ef9f5f80dae593
humanhash: four-sodium-timing-diet
File name:CN-Invoice-XXXXX9808-190111432879948.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:59'072 bytes
First seen:2021-03-04 15:26:06 UTC
Last seen:2021-03-04 16:38:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 768:pdA2OZfsTT4vvvF1hcKjRpg0eQzkqYhQhb:DiGTGRpg0eQzkhY
Threatray 7 similar samples on MalwareBazaar
TLSH FA4302213EF79418F2B3BFB62FDCB4560A67F3726B46E0ED611003069612981DD9AE35
Reporter abuse_ch
Tags:BitRAT exe FedEx RAT


Avatar
abuse_ch
Malspam distributing BitRAT:

HELO: [45.85.90.67]
Sending IP: 45.85.90.67
From: FedEx Express - Do Not Reply <Carrie.Park@expeditors.com>
Reply-To: nopeply-fedeoxngr@iname.com
Subject: [CN]: FedEx Invoice 账单 (CustomerAccount - XXXXX9808-190111432879948)
Attachment: CN-Invoice-XXXXX9808-190111432879948.iso (contains "CN-Invoice-XXXXX9808-190111432879948.exe")

BitRAT C2:
biret.linkpc.net

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CN-Invoice-XXXXX9808-190111432879948.exe
Verdict:
Malicious activity
Analysis date:
2021-03-04 15:30:40 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/f210d50a-d63a-48d3-8640-c80b5c4c2372

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/122295/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.17546.18307.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending an HTTP GET request
Sending a UDP request
Creating a file
Moving a recently created file
Launching a process
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a service
Deleting a recently created file
Running batch commands
Adding an access-denied ACE
Setting a global event handler
Sending a custom TCP request
Setting a single autorun event
Forced shutdown of a system process
Setting a global event handler for the keyboard
Adding exclusions to Windows Defender
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/628778
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 363365 Sample: CN-Invoice-XXXXX9808-190111... Startdate: 04/03/2021 Architecture: WINDOWS Score: 96 70 biret.linkpc.net 2->70 84 Executable has a suspicious name (potential lure to open the executable) 2->84 86 Machine Learning detection for sample 2->86 88 Initial sample is a PE file and has a suspicious name 2->88 90 4 other signatures 2->90 10 CN-Invoice-XXXXX9808-190111432879948.exe 23 14 2->10         started        15 explorer.exe 2->15         started        17 explorer.exe 2->17         started        19 7 other processes 2->19 signatures3 process4 dnsIp5 82 bptransfer007.com 172.67.186.244, 49735, 49745, 80 CLOUDFLARENETUS United States 10->82 60 C:\Windows\Cursors\...\svchost.exe, PE32 10->60 dropped 62 C:\Windows\...\svchost.exe:Zone.Identifier, ASCII 10->62 dropped 64 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 10->64 dropped 100 Creates an autostart registry key pointing to binary in C:\Windows 10->100 102 Adds a directory exclusion to Windows Defender 10->102 104 Hides threads from debuggers 10->104 106 Drops PE files with benign system names 10->106 21 AppLaunch.exe 10->21         started        25 cmd.exe 10->25         started        27 AdvancedRun.exe 1 10->27         started        36 3 other processes 10->36 29 svchost.exe 15->29         started        108 Drops executables to the windows directory (C:\Windows) and starts them 17->108 32 svchost.exe 17->32         started        34 WerFault.exe 19->34         started        file6 signatures7 process8 dnsIp9 72 biret.linkpc.net 185.157.161.20, 20058, 49747, 49755 OBE-EUROPEObenetworkEuropeSE Sweden 21->72 92 Hides threads from debuggers 21->92 38 conhost.exe 25->38         started        40 timeout.exe 25->40         started        74 192.168.2.1 unknown unknown 27->74 42 AdvancedRun.exe 27->42         started        76 bptransfer007.com 29->76 66 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 29->66 dropped 94 System process connects to network (likely due to code injection or exploit) 29->94 96 Machine Learning detection for dropped file 29->96 98 Adds a directory exclusion to Windows Defender 29->98 44 powershell.exe 29->44         started        46 AdvancedRun.exe 29->46         started        78 104.21.19.160, 49752, 80 CLOUDFLARENETUS United States 32->78 80 bptransfer007.com 32->80 68 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 32->68 dropped 48 conhost.exe 36->48         started        50 conhost.exe 36->50         started        file10 signatures11 process12 process13 52 powershell.exe 38->52         started        54 AdvancedRun.exe 38->54         started        56 conhost.exe 44->56         started        process14 58 conhost.exe 52->58         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e90fc6d470ff84b3a179067b82f2bba3ad33a369251adf54b012cbad4cc32b53/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 15:27:17 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5eh4nvdq76clhilzaz5yf4v3uowthi3jeunn6vfqclf22tgdfnjq._file
Verdict:
suspicious
Similar samples:
0beae8b47f2299b1c8b6e90ae5395cb520585d48670d8355bf1b86c151912152
BitRAT
1b9a8645d519702352a1e6234f560e05395e661309f210008297e767296a3c10
BitRAT
496582d7d67b1550e8125986a011340fea205f882c7dfafd8384798eb2089480
BitRAT
93153bf16e8e0660d61c9c9d19ee13ec055b9b7032a543a7b25d5776534b87ed
BitRAT
a510e53b9d4890169698ec59c0fc2ad559f1cc476a35b199b01a07827bd29899
BitRAT
c95fccca993c0c82dc2cebb81669922d791e144eafddb01a1a357b0ec0f1c064
BitRAT
f0283bad61e9a074dca5e4eef2b3d1b47915c5a4c4e673da7dd8902da0731791
BitRAT
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat evasion persistence trojan upx
Link:
https://tria.ge/reports/210304-wjnzvk6rex/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Windows security modification
Executes dropped EXE
UPX packed file
Nirsoft
BitRAT
BitRAT Payload
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
e90fc6d470ff84b3a179067b82f2bba3ad33a369251adf54b012cbad4cc32b53
MD5 hash:
723d47565dfc726f53ef9f5f80dae593
SHA1 hash:
23897d577ca865d945f504696f4da6a614627dab
Link:
https://www.unpac.me/results/830f4236-3470-4ee1-a61c-d3a3dd9f8088/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/e90fc6d470ff84b3a179067b82f2bba3ad33a369251adf54b012cbad4cc32b53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

iso 0057ddfef956186999acd8b5f4aaef91d4766c49806d3d36d5bfd210322c7a13

BitRAT

Executable exe e90fc6d470ff84b3a179067b82f2bba3ad33a369251adf54b012cbad4cc32b53

(this sample)

  
Dropped by
MD5 aeed76f1ad5cf71ee52a3baa23dc65fa
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0057ddfef956186999acd8b5f4aaef91d4766c49806d3d36d5bfd210322c7a13
Cape
Cape
https://www.capesandbox.com/analysis/122295/

Comments