MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edb2077ae4bfdc5b987c2191fe2afad2746453533a5f300df530a26014f45298. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edb2077ae4bfdc5b987c2191fe2afad2746453533a5f300df530a26014f45298
SHA3-384 hash: 3d21deca507fdf9f545f9e85791d8ddc046d0daeb9c5d92ef42962a5d3e2f2816c8e4db6fbb0b4560f967b293111da4e
SHA1 hash: 141a78b848889b3d832940a484533977a725e2ad
MD5 hash: 51c5b90e39a471b71750df24ebc69155
humanhash: zebra-oscar-fix-crazy
File name:51C5B90E39A471B71750DF24EBC69155.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:7'074'304 bytes
First seen:2021-06-27 23:10:38 UTC
Last seen:2021-06-27 23:42:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ae28306bf70f5963ea0555dfe529913b (3 x BitRAT)
ssdeep 98304:zX6OQ/8VlovPDuc7xwPtswZvPshkLxddIIxx3cCRe9E1hCY21:zX6OLGnac7xw1vPsGzCIxx37e4oY
Threatray 49 similar samples on MalwareBazaar
TLSH C9662327B7191041D0D29C3AD823EFB032B12E669BD0783432D67EFB6136BE56A1651F
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
185.158.113.59:45324

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.158.113.59:45324 https://threatfox.abuse.ch/ioc/154633/

Intelligence

File Origin
# of uploads :
2
# of downloads :
152
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
51C5B90E39A471B71750DF24EBC69155.exe
Verdict:
Malicious activity
Analysis date:
2021-06-27 23:12:13 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/b551ebc1-d96d-4d5a-9a3c-5465bc76364a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/168505/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46539612.17823.22404.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/959e9ae4-0585-4449-8425-dffb270ef816
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/808629
Signature
Found potential dummy code loops (likely to delay analysis)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/edb2077ae4bfdc5b987c2191fe2afad2746453533a5f300df530a26014f45298/
Threat name:
Win32.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2021-06-25 09:48:15 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5wzao6xex7ofxgd4egi74kx22j2giu2thjptadpvgcrgafhukkma._file
Verdict:
suspicious
Similar samples:
22f105861b8c373e94d70ac51cdbc0f03e784acee57727dae0d734587c6033a7
BitRAT
3e5bbf9fcae918011ec4eee75ac6402fddf20d09fef95b362d0e226d56b80f1d
BitRAT
412baf955c1e256c4e8bf7e07ce0f1fbf14c03d11ed98932be45a58a14d55690
BitRAT
790c213e1227adefd2d564217de86ac9fe660946e1240b5415c55770a951abfd
BitRAT
88741b14f426f4cb2f942dea22a70f85ae06a9e86ee03decd1ae79e6371f1b59
BitRAT
8e4f30afa8d0ce48c46a39e2754d8f7adad90ae8ccaf0132b354be76076b20cc
BitRAT
a761168b889a5c5ff56defeb1cedb786ffa90e3b61b6660cfc41e49b1ee638f0
BitRAT
b52960b7ce7ae8c007c59626859816296471b7810036baaa7b7b86c2cd6d6218
BitRAT
e8cdc889ac43fb8a641ef365c17196f4600ea07688d0a627e1e6bff7255a4946
BitRAT
eebd330208d3021ba7caf06e78588daaa3e9de826c373025aad1bea09a94865d
BitRAT
+ 39 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan
Link:
https://tria.ge/reports/210627-7fc943dbtn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
c47e6160385833be99970f078c1a2e549dd1b633f23ee896f3643506a8a10e4a
MD5 hash:
db7d61225ca8302bced3f79638c0d1b1
SHA1 hash:
a6397e3e69697c11c09e88395e89cad5013d62da
Link:
https://www.unpac.me/results/46afaa07-0cd8-4546-b789-c2adc8e7d098/
SH256 hash:
edb2077ae4bfdc5b987c2191fe2afad2746453533a5f300df530a26014f45298
MD5 hash:
51c5b90e39a471b71750df24ebc69155
SHA1 hash:
141a78b848889b3d832940a484533977a725e2ad
Link:
https://www.unpac.me/results/46afaa07-0cd8-4546-b789-c2adc8e7d098/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/edb2077ae4bfdc5b987c2191fe2afad2746453533a5f300df530a26014f45298

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168505/

Comments