MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebe3a8a66db805806dd55d6b4dca64e24d9f7dd6d7dae730c514c5c4e58caa39. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebe3a8a66db805806dd55d6b4dca64e24d9f7dd6d7dae730c514c5c4e58caa39
SHA3-384 hash: 13ce8392550c3b3b2bb277cfc669bb92b92104c6dc560f8b4bee7f89a8ede3b08ecabe415f0441f22cd236d18f857e7c
SHA1 hash: 69165f62bcceb4607848186e37ff6603c8ebbe87
MD5 hash: fa31d26884b6c2b5d32b5459f7bbec60
humanhash: green-mobile-oklahoma-colorado
File name:soa5.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:874'136 bytes
First seen:2021-06-03 18:31:22 UTC
Last seen:2021-06-03 19:48:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c13589351b888eacb104575a16a88b27 (2 x RemcosRAT, 1 x BitRAT, 1 x Formbook)
ssdeep 12288:9wZeGjiyhybwk6VAn0+A2NUj4pfIMNFkKOOikhoAOpbAF++n/tu:9sjhyZn4VuIMzOAAbAl/tu
Threatray 578 similar samples on MalwareBazaar
TLSH C5059F22A6F1DC33C1B2257F4F4AB2D85C2D7E412DE4B44676D4794CFF3A641B91A08A
Reporter abuse_ch
Tags:BitRAT exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
soa5.exe
Verdict:
Malicious activity
Analysis date:
2021-06-03 18:35:20 UTC
Tags:
installer
Link:
https://app.any.run/tasks/1603872b-b85f-4b1f-8c4b-65752ac7f12a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164487/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Launching a process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching the default Windows debugger (dwwin.exe)
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796923
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 429319 Sample: soa5.exe Startdate: 03/06/2021 Architecture: WINDOWS Score: 100 51 bleyfitness.publicvm.com 2->51 69 Yara detected BitRAT 2->69 71 Yara detected Xmrig cryptocurrency miner 2->71 73 Machine Learning detection for sample 2->73 75 2 other signatures 2->75 9 soa5.exe 1 23 2->9         started        14 Mvkjdl.exe 13 2->14         started        16 Mvkjdl.exe 14 2->16         started        signatures3 process4 dnsIp5 57 cdn.discordapp.com 162.159.130.233, 443, 49729, 49730 CLOUDFLARENETUS United States 9->57 49 C:\Users\Public\Mvkjdl\Mvkjdl.exe, PE32 9->49 dropped 77 Writes to foreign memory regions 9->77 79 Creates a thread in another existing process (thread injection) 9->79 81 Injects a PE file into a foreign processes 9->81 18 cmd.exe 1 9->18         started        21 ieinstal.exe 1 1 9->21         started        59 162.159.133.233, 443, 49751, 49752 CLOUDFLARENETUS United States 14->59 83 Multi AV Scanner detection for dropped file 14->83 85 Machine Learning detection for dropped file 14->85 25 secinit.exe 14->25         started        27 ieinstal.exe 16->27         started        file6 signatures7 process8 dnsIp9 61 Uses cmd line tools excessively to alter registry or file data 18->61 63 Uses schtasks.exe or at.exe to add and modify task schedules 18->63 29 cmd.exe 1 18->29         started        32 conhost.exe 18->32         started        55 bleyfitness.publicvm.com 194.5.98.48, 2862, 49734, 49758 DANILENKODE Netherlands 21->55 47 C:\Users\user\AppData\Local:03-06-2021, ASCII 21->47 dropped 65 Creates files in alternative data streams (ADS) 21->65 67 Hides threads from debuggers 21->67 34 WerFault.exe 23 9 25->34         started        37 WerFault.exe 27->37         started        file10 signatures11 process12 dnsIp13 87 Uses cmd line tools excessively to alter registry or file data 29->87 39 conhost.exe 29->39         started        41 reg.exe 1 1 29->41         started        43 schtasks.exe 1 29->43         started        45 reg.exe 1 29->45         started        53 192.168.2.1 unknown unknown 34->53 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebe3a8a66db805806dd55d6b4dca64e24d9f7dd6d7dae730c514c5c4e58caa39/
Threat name:
Win32.Trojan.Jacard
Create hunting rule
Status:
Malicious
First seen:
2021-06-03 18:32:10 UTC
AV detection:
18 of 46 (39.13%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pr2rjtnxacya3ovlvvu3ste4jgz67ow27noomgfctc4jzmmvi4q._file
Verdict:
malicious
Similar samples:
134427c58b0e1acd504b9f8980bfa29a808a27216adb1999e8dbc4a3fe2b0031
BitRAT
2fdce87bc669c931d88ccf1d794d293821c0488cd1f61600027e92b518bb3b79
BitRAT
321e7fea6ceb5255c592162c7781c524b7569c3f1244274a247f5f0c97702c49
BitRAT
6698fffa953b2fefcce456ca8fd15e80bf4478277166c9017d3aa519f9462e37
BitRAT
6eee5d1c67a8e34e6d03d64fca1195bf26ceac2a68f454cc37e743ace0483a9f
BitRAT
7666f3d19250bc9b6d75e1b081407ea6a71c81f22a2c027d85b6445a65a0f247
BitRAT
885df0a00031141c2f94c6c2abce71977fa184fd4af6592c685a001c98eea50d
BitRAT
9ef305091f40e275d536c509669d30ca345e09cf887bb77ba01099e7f6de3ec5
BitRAT
a9b0173e087fa0c22544734ea476afba2ac75d32b22d88abcfea206517dded8e
BitRAT
e9e5ea15e87532d4a481ce2b493ebf914e67e25d2ee9ca8c9ae8e0df7a8eac45
BitRAT
+ 568 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210603-sxhwj38fjj/
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
Unpacked files
SH256 hash:
d032680838be795905e8c0db6ff9a21bb0cd11f21e87370051b3e67d59844cba
MD5 hash:
e28a49f9cf5ffb0cc39d6f47099beb11
SHA1 hash:
03fef0f5e64905a1a0e7923358d3cf12f07818df
Link:
https://www.unpac.me/results/d0c95bdb-b5c0-4716-b680-2ea1eccbd7f8/
SH256 hash:
5381c6276fc0f552d71efe7fb4d43a9e1a1e776c4cb7a572f72207b777ff2a32
MD5 hash:
3e9b080fb62948db627a904b7af653ea
SHA1 hash:
93a66126bdeb846724b41d44c6a7cac15c5ed636
Link:
https://www.unpac.me/results/d0c95bdb-b5c0-4716-b680-2ea1eccbd7f8/
SH256 hash:
f03f90ab14d3474e145aa55e0a7682fa751cde1576b375acacebae0e01c3eff2
MD5 hash:
3ccfe9a4bb1ff6db4a189b3b4025b4c6
SHA1 hash:
1a218037190e6ca67568a186a2978533398afd83
Link:
https://www.unpac.me/results/d0c95bdb-b5c0-4716-b680-2ea1eccbd7f8/
SH256 hash:
ebe3a8a66db805806dd55d6b4dca64e24d9f7dd6d7dae730c514c5c4e58caa39
MD5 hash:
fa31d26884b6c2b5d32b5459f7bbec60
SHA1 hash:
69165f62bcceb4607848186e37ff6603c8ebbe87
Link:
https://www.unpac.me/results/d0c95bdb-b5c0-4716-b680-2ea1eccbd7f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/ebe3a8a66db805806dd55d6b4dca64e24d9f7dd6d7dae730c514c5c4e58caa39

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_KB_CERT_0be3f393d1ef0272aed0e2319c1b5dd0
Create hunting rule
Author:ditekSHen
Description:Detects executables signed with stolen, revoked or invalid certificates

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

Executable exe ebe3a8a66db805806dd55d6b4dca64e24d9f7dd6d7dae730c514c5c4e58caa39

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/164487/

Comments