MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3475e4fc7c4307bc41e68f95ed31b88f5b24fb37efb3078d6732341761d96df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3475e4fc7c4307bc41e68f95ed31b88f5b24fb37efb3078d6732341761d96df
SHA3-384 hash: ce57be9d4dc676431d3b3d73cb65a97777e9abedc04fdacafef15b259eaad86de0f4c5f35d36ce172b146b4f0200926e
SHA1 hash: 212cb20306a5bce4f0b1b9f4abbbddb7935896e2
MD5 hash: c80bdbf66c72906c62d0025c486e10dd
humanhash: victor-golf-lamp-uncle
File name:HP_NEW ORDER17.12.20.scr
Download: download sample
Signature BitRAT
Create hunting rule
File size:77'824 bytes
First seen:2020-12-18 09:33:16 UTC
Last seen:2020-12-18 11:35:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 768:BbdBxNNpo0PAGMPKpru5MONCnbGaWtN/a4lbGflvx/FIwJGunKcXf:xdBBpzP1ruPcb9WtN/ae
Threatray 18 similar samples on MalwareBazaar
TLSH 017375D1BEF80A97C0EEF7380D953C31BE3578F626358A5B116271A3A9D23451DDA80E
Reporter abuse_ch
Tags:BitRAT scr


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: ws3.yourdomain.it
Sending IP: 144.76.11.102
From: Base Group sp. Z oo<contact@base.pl>
Reply-To: commercial.rlavel@gmail.com
Subject: New Order enquiry
Attachment: HP-SCAN_NEW ORDER17.12.20.pdf.jpg.img (contains "HP_NEW ORDER17.12.20.scr")

Intelligence

File Origin
# of uploads :
2
# of downloads :
118
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
HP_NEW ORDER17.12.20.scr
Verdict:
Malicious activity
Analysis date:
2020-12-18 10:13:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3a6c0f3e-4f2c-4f07-b1e4-46874dbd7030

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108366/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.106.8728.25286.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Sending a TCP request to an infection source
Result
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/566146
Signature
Connects to a pastebin service (likely for C&C)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332154 Sample: HP_NEW ORDER17.12.20.scr Startdate: 18/12/2020 Architecture: WINDOWS Score: 52 20 Machine Learning detection for sample 2->20 22 Initial sample is a PE file and has a suspicious name 2->22 24 Connects to a pastebin service (likely for C&C) 2->24 7 HP_NEW ORDER17.12.20.exe 15 3 2->7         started        process3 dnsIp4 18 hastebin.com 172.67.143.180, 443, 49710 CLOUDFLARENETUS United States 7->18 10 cmd.exe 1 7->10         started        12 WerFault.exe 23 9 7->12         started        process5 process6 14 conhost.exe 10->14         started        16 timeout.exe 1 10->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3475e4fc7c4307bc41e68f95ed31b88f5b24fb37efb3078d6732341761d96df/
Threat name:
ByteCode-MSIL.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2020-12-18 09:34:05 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ndv4t6hyqyhxra6nd4v5uy3rd23et5tp35ta6gwomruc5q5s3pq._file
Verdict:
unknown
Similar samples:
0c6dbb5a8b9e0e7189b201b4387c4d23f2eec78a1b8c66834fc51a10b9f992f9
BitRAT
1af16016b5773b6d22f0d0e5f93392e909d3505d22ef1cefb8127798de67760f
BitRAT
29eb1cc47e1691ce931b66a745b10f88dff84fbdd8b8ec7b407137c362a9154f
BitRAT
320592aa53514c7fd425f4c691e4be802ca964955d5a6fdd960a8725c36737b4
BitRAT
460a8a0cd9f84fc66efee342cbca339d6d2791a3bcf1ccd4ac0e1974b12dad97
BitRAT
8bb625e15877474a379c52910cf7741a3b356416f89c019456d740aae69aea33
BitRAT
9cef44491d14577c5041187e34b13b784c7f26ab95ead4db16081e8c3d9c8a1d
BitRAT
cb866da199696cea1ffe6bd8498c1d2bcf3dd75772291e0d454c4e82c6a51272
BitRAT
e3c342be37ab6f49260bc36cec49561b08479b1a577ec2df7b634caffd585d96
BitRAT
fb25872744b711f6c9290d7ce2d3cf371e89c9919c8d77786ab528e47034d0e3
BitRAT
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/201218-y8zz3rpe86/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
f3475e4fc7c4307bc41e68f95ed31b88f5b24fb37efb3078d6732341761d96df
MD5 hash:
c80bdbf66c72906c62d0025c486e10dd
SHA1 hash:
212cb20306a5bce4f0b1b9f4abbbddb7935896e2
Link:
https://www.unpac.me/results/4f11b1cc-575d-489f-893c-9b51dc72fe4c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.69
Link:
https://yomi.yoroi.company/submissions/f3475e4fc7c4307bc41e68f95ed31b88f5b24fb37efb3078d6732341761d96df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

img 1b6596b0cddef344b022a0e82145a5284119582d08bcaf411f82bc44db031882

BitRAT

Executable exe f3475e4fc7c4307bc41e68f95ed31b88f5b24fb37efb3078d6732341761d96df

(this sample)

  
Dropped by
MD5 f07e61f5dc5cee2aab4f6c54107223e3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1b6596b0cddef344b022a0e82145a5284119582d08bcaf411f82bc44db031882
Cape
Cape
https://www.capesandbox.com/analysis/108366/

Comments