MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee48194ee12b493625d6cbb63bf1258f30f82147cd93056557aec24c4f4b6ae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee48194ee12b493625d6cbb63bf1258f30f82147cd93056557aec24c4f4b6ae8
SHA3-384 hash: e984adf24802d3dbcbd0b4b13b0063268fe1add968eb34d2706dd923f60f10a464c6a2f01a549a35c4f3f346a9b179ad
SHA1 hash: b0b026a8f6faced1be0ba4119c0bc3a0393ea934
MD5 hash: a91b6a4314c11bcaced790536a3d06ee
humanhash: fillet-video-mockingbird-washington
File name:Tzcyxxestkakhuvtmvfdserywturrfjrye.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:849'408 bytes
First seen:2021-08-03 06:56:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5b47eb09e8baa121d107e1f6d362c6d7 (2 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:YKwkfdbXTsOUkxyDdUk3LJZSsSKrcaOr3hif/fC07FL6j0swZtwTaNX2mZbDd1CE:31bXmUkbXv9rcdRifH3MgT
Threatray 284 similar samples on MalwareBazaar
TLSH T1E4057EE6ED437633CC310D388C6B95B996FAAE3C2F3C1C4565E0ED685E3F20168625A5
dhash icon 1130767864760841 (6 x RemcosRAT, 2 x Formbook, 1 x NetWire)
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
194.5.98.72:2405

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
194.5.98.72:2405 https://threatfox.abuse.ch/ioc/165497/

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Tzcyxxestkakhuvtmvfdserywturrfjrye.exe
Verdict:
Malicious activity
Analysis date:
2021-08-03 06:59:40 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/f0bae41c-df7e-4f16-a2d6-9d5a8768d44f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175944/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Sending a UDP request
Setting a global event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e3032fa-e7b8-4ab4-ba54-08123b15d68a
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/825917
Signature
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee48194ee12b493625d6cbb63bf1258f30f82147cd93056557aec24c4f4b6ae8/
Threat name:
Win32.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-08-03 06:57:06 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5zebstxbfnetmjowzo3dx4jfr4ypqikhzwjqkzkxv3beyt2lnlua._file
Verdict:
unknown
Similar samples:
1c33eed32ee64e2abbc1b66486b46f93b5ca61d42e384d3dd49810c73f48147f
BitRAT
3368d82a927186d857ce56ab31dc79abc952c0958cc855203a6c6e1509578d56
BitRAT
9619dd90b103cea6ed31462e70f2419900b0f943295a7b773a0a77504ade15ce
BitRAT
a643135974d54161165848843bdaddd082f25635e1fb8f6d4b45f8451042ba93
BitRAT
c0dbfce6d1904f32b39ef57d1f59595099171f5e038ad1003a9fc5f9c3ec92d2
BitRAT
e805423ef1971ad60f2cf93dd0845f3bc13fb5bce5dc3b3b3e39f56c4f9142e7
BitRAT
fd866b4e18b49ef0232eda27280a0d56a9e408792bba4cddded1961fe64e7bf3
BitRAT
+ 274 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata
Link:
https://tria.ge/reports/210803-bxbbf3ge8s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Unpacked files
SH256 hash:
c873bd224bbf6f82aa169f079016ebdf7690b40a7db5dd8cfefd26404a9d50ca
MD5 hash:
d328f4ade4dd3cd77b3c055c6a7a7937
SHA1 hash:
5d2437502c20efaadd44d27bd5f2f748bdb48512
Link:
https://www.unpac.me/results/d5e2f884-d272-418f-8518-c3554a29f244/
SH256 hash:
ee48194ee12b493625d6cbb63bf1258f30f82147cd93056557aec24c4f4b6ae8
MD5 hash:
a91b6a4314c11bcaced790536a3d06ee
SHA1 hash:
b0b026a8f6faced1be0ba4119c0bc3a0393ea934
Link:
https://www.unpac.me/results/d5e2f884-d272-418f-8518-c3554a29f244/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee48194ee12b493625d6cbb63bf1258f30f82147cd93056557aec24c4f4b6ae8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EnvVarScheduledTasks
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC (ab)using Environment Variables in Scheduled Tasks
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175944/

Comments