MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c
SHA3-384 hash: 168730ce4a1c853c8689bb3632af74eeeee47550f66d7704ee39d46b47ab3318524d2f91072740d9603494ba1698dbbb
SHA1 hash: 8b08571cbd468cc8fd696197da85f950e26cc2d0
MD5 hash: 8463a60187494d4fdc5a27dcd93aa224
humanhash: lake-london-paris-kentucky
File name:DW019203084PO020192003928.pdf.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:1'652'224 bytes
First seen:2021-01-18 09:24:20 UTC
Last seen:2021-01-18 10:42:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d6e1d32178a919c6a73fe0d0ad7b1d48 (1 x BitRAT)
ssdeep 24576:sLjqvGv36lKOO7OkLPC0WyxqM7aZtOWsCD/QadM5HMuTu+O1/ZvGzBk3JaUhC1Np:qqorjC1YCXSTu+O1/ZeClMnjBf
Threatray 78 similar samples on MalwareBazaar
TLSH 9375232236B2C079C05E627890E2FB65DFBEB61325BD26C33F64143A5F102E3597A716
Reporter abuse_ch
Tags:BitRAT exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rdns0.pk-karsaz.com
Sending IP: 89.223.124.108
From: HAIRUL AZHAR <u17094677@gmail.com>
Subject: Request for Quotation - Ref001902039459
Attachment: DW019203084PO020192003928.pdf.rar (contains "DW019203084PO020192003928.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DW019203084PO020192003928.pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-18 09:33:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/435a4fc8-625e-4631-9205-09df36a0afaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/112531/
Detection(s):
SecuriteInfo.com.Artemis8463A6018749.25584.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Creating a window
DNS request
Setting a global event handler
Sending a custom TCP request
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/583619
Signature
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-18 09:25:08 UTC
AV detection:
15 of 46 (32.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=542dniizrzrmzoii2nnt32tm73ixifhs4wnlmjuge56zpd27246a._file
Verdict:
malicious
Similar samples:
22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483
BitRAT
243e8ba43bcdb6634c77835df678964743893a30f4d2abe9596f2add2882e074
BitRAT
2ddd796e9b53ab3d7eaf4093529077f637f182a934a851af24da8c8f189aeed3
BitRAT
3cf331e46b6f16ef2a591637b64865d81b19e016ad3f4f3280aa1a872f1261ab
BitRAT
50e2c6aac34de9ed4e1b3fcfcd5aaa34892696f2681aa5e8c45a5dbe0915a43c
BitRAT
80104e0ad490b44a632a15e5875e7626db7f35fa94d7aadf19c45a621d75c7e0
BitRAT
8fdc007dd13e7c0c5bbe426da723499db81518697eb84d2fd2a0181996d276fa
BitRAT
9ffa16b91dc10936865d1d9849940c9d27276fd6acd6ab947d31e7f80322eea2
BitRAT
b8d2de495b9ec7f42b0f25b1fc532915a4378b683daafb1ecb5171624ea7a83c
BitRAT
f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91
BitRAT
+ 68 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx
Link:
https://tria.ge/reports/210118-1gbemdm2ae/
Behaviour
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
Unpacked files
SH256 hash:
ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c
MD5 hash:
8463a60187494d4fdc5a27dcd93aa224
SHA1 hash:
8b08571cbd468cc8fd696197da85f950e26cc2d0
Link:
https://www.unpac.me/results/995379df-5d43-4abf-87c0-c908ce15363c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar a55c7c43e05cf6003d991770b3d82cacf1365ecdbce0634c0400a5f7f4c558a8

BitRAT

Executable exe ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c

(this sample)

  
Dropped by
MD5 f1b4609876542681013a8c83c5046f18
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112531/
  
Dropped by
SHA256 a55c7c43e05cf6003d991770b3d82cacf1365ecdbce0634c0400a5f7f4c558a8

Comments