MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT
Vendor detections: 6

SHA256 hash: ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4
SHA3-384 hash: 09f5e63437a07a6daf718401ff4459c848d2d5cef2e3a64bfd985e763d3b6593c1899ba8c3d1523b589cf63bc40c83dc
SHA1 hash: 5b11f45da868784d005d60b585aa0ddf866d8eb9
MD5 hash: f7c29666fbacd445134f86ebe8645968
humanhash: louisiana-fix-rugby-alabama
File name: img-NK435201008DL.exe
Signature: BitRAT
File size: 4'070'328 bytes
First seen: 2020-10-10 07:00:38 UTC
Last seen: 2020-10-10 08:04:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 98304:jubLOB8gzUDE/YZkMQ5wOw6Aj1sBr1KFiKvKLhdpF:sGUDE2kMQ5Fw6AO4ij
Threatray: 3 similar samples on MalwareBazaar
TLSH: 161601A8B8570F15E47D62B5EE7A3981C2F034C72D63C294BDCA65D793887988712EF0
Reporter: abuse_ch
Tags: BitRAT exe RAT


abuse_ch
Malspam distributing BitRAT:

HELO: sdp-si.com
Sending IP: 62.210.151.26
From: Indranie Sookhai <isookhai@sdp-si.com>
Subject: RE: PO#101253
Attachment: img-NK435201008DL.img (contains "img-NK435201008DL.exe")

BitRAT C2:
89.238.176.6:51046

Intelligence


File Origin
# of uploads: 2
# of downloads: 143
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Creating a window
Setting a global event handler
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected BitRAT
Behaviour
Behavior Graph (ID 296159): sample img-NK435201008DL.exe, start date 10/10/2020, architecture WINDOWS, score 100. Nodes recoverable from the graph: the sample spawns further copies of img-NK435201008DL.exe plus timeout.exe, conhost.exe and WerFault.exe; drops C:\Users\user\...\img-NK435201008DL.exe (PE32), C:\...\img-NK435201008DL.exe:Zone.Identifier (ASCII) and C:\Users\user\AppData\Local:10-10-2020 (HTML); connects to 89.238.176.6:51046 (M247GB, United Kingdom) and 192.168.2.1. Signatures shown on the graph: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Creates an undocumented autostart registry key; Drops PE files to the startup folder; Tries to detect virtualization through RDTSC time measurements; Contains functionality to hide a thread from the debugger; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; Hides threads from debuggers; Injects a PE file into a foreign processes; Creates files in alternative data streams (ADS); 7 other signatures.
Threat name: ByteCode-MSIL.Backdoor.NanoBot
Status: Malicious
First seen: 2020-10-10 01:05:59 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: persistence
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Modifies WinLogon for persistence
Unpacked files

SHA256 hash: ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4
MD5 hash: f7c29666fbacd445134f86ebe8645968
SHA1 hash: 5b11f45da868784d005d60b585aa0ddf866d8eb9

SHA256 hash: baddf74d507d47889c10958fc00f0fc0cc0d1b28cdf70de5f565d09d4833d0c1
MD5 hash: 8f8e49f4a0d0f6cd8243ab5bbf2abd26
SHA1 hash: cb68f8f1a4f69f97d64678d72564f0ce5db10f65
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: win_bit_rat_w0
Author: KrabsOnSecurity
Description: String-based rule for detecting BitRAT malware payload

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam (distributed via e-mail attachment)
Malware family: BitRAT
File: Executable exe ef67b30b7ae1fd2b27a17f1e0172954912c78c541f7cb162ff003a9b42f128c4 (this sample)
