MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2ff73ab9c4381b09334cc5a279c5254d10fcd9b1edb5e39e1dd47ac60d85ad6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2ff73ab9c4381b09334cc5a279c5254d10fcd9b1edb5e39e1dd47ac60d85ad6
SHA3-384 hash: e58f28c73ab6ef0e66a4400ee3e75d57ce3ee113c16087f4dd7e1f2868be045715c19ba5a420dd316eecc4b34e3eb1a1
SHA1 hash: 24eed37239f0016c288bca7771bdadc660fe3bdd
MD5 hash: 9ac32c96874cab80b25220d335dc15ce
humanhash: eight-mirror-colorado-twenty
File name:9ac32c96874cab80b25220d335dc15ce.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:541'696 bytes
First seen:2021-07-15 13:57:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 013a60ab1248e2b43a2c84244ec5f60f (3 x RemcosRAT, 2 x AveMariaRAT, 1 x BitRAT)
ssdeep 12288:8cfO13yo3bFglRkdJTo7ZaNakIqOeAh8:8iOTbFcIP
Threatray 296 similar samples on MalwareBazaar
TLSH T1E2B49D32A6E19433D1731E389D6B365BDD26BE103E79588A6BE5184C1F39BC13C29393
Reporter abuse_ch
Tags:BitRAT exe RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9ac32c96874cab80b25220d335dc15ce.exe
Verdict:
Malicious activity
Analysis date:
2021-07-15 14:01:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3c0676ee-ea16-4c24-a37a-6023cd5aafb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172011/
Detection(s):
PUA.Win.Packer.Pequake-4
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.W32.AIDetect.malware1.20355.18848.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/83b49898-bb57-40d9-84f5-4d292ee840e0
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/816958
Signature
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Execution from Suspicious Folder
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 449367 Sample: NgmQnkRqAm.exe Startdate: 15/07/2021 Architecture: WINDOWS Score: 72 47 arsaxa.ac.ug 2->47 57 Multi AV Scanner detection for submitted file 2->57 59 Sigma detected: Execution from Suspicious Folder 2->59 9 NgmQnkRqAm.exe 1 24 2->9         started        14 Rtzvmiu.exe 13 2->14         started        16 Rtzvmiu.exe 13 2->16         started        signatures3 process4 dnsIp5 53 cdn.discordapp.com 162.159.135.233, 443, 49710, 49711 CLOUDFLARENETUS United States 9->53 45 C:\Users\Public\Libraries\...\Rtzvmiu.exe, PE32 9->45 dropped 65 Injects a PE file into a foreign processes 9->65 18 NgmQnkRqAm.exe 1 1 9->18         started        23 cmd.exe 1 9->23         started        25 cmd.exe 1 9->25         started        55 162.159.133.233, 443, 49726, 49732 CLOUDFLARENETUS United States 14->55 67 Multi AV Scanner detection for dropped file 14->67 27 Rtzvmiu.exe 14->27         started        29 Rtzvmiu.exe 16->29         started        file6 signatures7 process8 dnsIp9 49 arsaxa.ac.ug 79.134.225.25, 49725, 49727, 49728 FINK-TELECOM-SERVICESCH Switzerland 18->49 51 192.168.2.1 unknown unknown 18->51 43 C:\Users\user\AppData\Local:15-07-2021, HTML 18->43 dropped 61 Creates files in alternative data streams (ADS) 18->61 63 Hides threads from debuggers 18->63 31 reg.exe 1 23->31         started        33 conhost.exe 23->33         started        35 cmd.exe 1 25->35         started        37 conhost.exe 25->37         started        file10 signatures11 process12 process13 39 conhost.exe 31->39         started        41 conhost.exe 35->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2ff73ab9c4381b09334cc5a279c5254d10fcd9b1edb5e39e1dd47ac60d85ad6/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-07-15 12:39:52 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6l7xhk44ioa3bezuzrncphcsktiq7tm3d3nv4opb3vd2yygyllla._file
Verdict:
malicious
Similar samples:
047ca53bf616a52ba6946c0a6cf6676a3030b0baf6d987b6268203caebd87b74
BitRAT
0789e8d80d058cc3283d3041953b057ccf252b882630982b85786081a5cd5df0
BitRAT
16f26624a8c348f7497a5bb568b329f64d531ff41cb6a3fd3b5fb4ce9ae0133b
BitRAT
413c4d1e7f91baf3ea5e77ed4ce25fc092d6167dabe1076ddca27a377d6a8197
BitRAT
418cf2d183b0ad4239752ae06861e629bf3e8f5ffec607c3eb4fae2ce130a5ff
BitRAT
4757d64431cbf911d9a6cc5b1cd96ee7f733dd0eb05c41f1fa100ba3d354d4a5
BitRAT
92fee75dbfa7cb48d837b580cc3544832cf116d9991ac9cd0135cef22e535510
BitRAT
9d109cc4f855ab857f7bc081a7bd0e2be2a46d59282970f1a189a019b4467173
BitRAT
bb988ff7e440eb871321f3d5ee94c7d241d4929e57b0e687e3ee61466b6880f6
BitRAT
f353dc700a77a88665e2d6cb4f73396ba3b4437cc3ee9a6a7e095de5f77277c5
BitRAT
+ 286 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210715-fcl9y67yze/
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
928bf48bb5ae9fd769a9ddf1c8e240a00ef82d626562fede1e64a829784f1d41
MD5 hash:
900d087e111246c79dbcff5325f595d4
SHA1 hash:
f66e2a967edab432194ada6705becbc71baca136
Link:
https://www.unpac.me/results/aa8a00f5-d40e-4e73-b66b-8f29c145b627/
SH256 hash:
f2ff73ab9c4381b09334cc5a279c5254d10fcd9b1edb5e39e1dd47ac60d85ad6
MD5 hash:
9ac32c96874cab80b25220d335dc15ce
SHA1 hash:
24eed37239f0016c288bca7771bdadc660fe3bdd
Link:
https://www.unpac.me/results/aa8a00f5-d40e-4e73-b66b-8f29c145b627/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2ff73ab9c4381b09334cc5a279c5254d10fcd9b1edb5e39e1dd47ac60d85ad6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe f2ff73ab9c4381b09334cc5a279c5254d10fcd9b1edb5e39e1dd47ac60d85ad6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1453069/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/948788/
Cape
Cape
https://www.capesandbox.com/analysis/172011/

Comments