MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f54f4f34ff1f194148e1296d12e1badfae3eecf24cbfd35aa0308507d7cd367d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f54f4f34ff1f194148e1296d12e1badfae3eecf24cbfd35aa0308507d7cd367d
SHA3-384 hash: 0254db3c4610e572bcc963fc44e630f50a9cea191423dc05ef119f5ba65465bd7eafb6d2d30b1ce3fb3ab4164c086082
SHA1 hash: a7d717d5e7be930f4aa5aec929ddc18d95fb9630
MD5 hash: 6b13104c9c912fd7e5d6ec8673d18c7e
humanhash: lima-lithium-white-fifteen
File name:6B13104C9C912FD7E5D6EC8673D18C7E.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'432'612 bytes
First seen:2021-06-07 05:41:24 UTC
Last seen:2021-06-07 07:18:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (864 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 49152:C3dPqvXlLvd3svgDvlmy+0EIaDXdTwmegOWMjglO4+xkxkVaX6v1eTExERELZa9:Cdm1h33l1+BdXdTwXWM4A4kVaX6dtxbO
Threatray 324 similar samples on MalwareBazaar
TLSH 94B523037AC689B2D5321934A5396731693D3C111F24DFAFA3D4A65EFA311E09B32B63
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
193.161.193.99:45642

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.161.193.99:45642 https://threatfox.abuse.ch/ioc/72131/

Intelligence

File Origin
# of uploads :
2
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6B13104C9C912FD7E5D6EC8673D18C7E.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-07 05:48:05 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2020f861-9c9b-4d4e-a102-c6a9655fc74b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/164834/
Detection(s):
SecuriteInfo.com.Trojan.Siggen13.7431.14637.26724.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
DNS request
Moving a recently created file
Setting a global event handler
Deleting a recently created file
Replacing files
Sending an HTTP GET request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797905
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Creates files in alternative data streams (ADS)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430304 Sample: VHFD8erGNr.exe Startdate: 07/06/2021 Architecture: WINDOWS Score: 100 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected BitRAT 2->53 55 Yara detected Xmrig cryptocurrency miner 2->55 57 2 other signatures 2->57 7 VHFD8erGNr.exe 1 10 2->7         started        10 svchost.exe 2->10         started        13 svchost.exe 2->13         started        15 9 other processes 2->15 process3 dnsIp4 37 C:\Users\user\AppData\Local\Temp\...\run.exe, PE32 7->37 dropped 39 C:\Users\user\AppData\Local\...\dllhost.exe, PE32 7->39 dropped 18 run.exe 2 18 7->18         started        23 dllhost.exe 1 14 7->23         started        67 Changes security center settings (notifications, updates, antivirus, firewall) 10->67 25 MpCmdRun.exe 10->25         started        69 Hides threads from debuggers 13->69 47 92.122.144.200 AKAMAI-ASUS European Union 15->47 49 127.0.0.1 unknown unknown 15->49 file5 signatures6 process7 dnsIp8 41 173.198.210.94 TURNKEY-INTERNETUS United States 18->41 43 149.154.167.220 TELEGRAMRU United Kingdom 18->43 45 3 other IPs or domains 18->45 31 C:\Users\user\AppData\Local:07-06-2021, HTML 18->31 dropped 59 Antivirus detection for dropped file 18->59 61 Multi AV Scanner detection for dropped file 18->61 63 Creates files in alternative data streams (ADS) 18->63 65 4 other signatures 18->65 33 C:\Users\user\AppData\Local\Temp\...\out.exe, PE32+ 23->33 dropped 35 C:\Users\user\AppData\Local\Temp\...\out.dll, PE32 23->35 dropped 27 out.exe 23->27         started        29 conhost.exe 25->29         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f54f4f34ff1f194148e1296d12e1badfae3eecf24cbfd35aa0308507d7cd367d/
Threat name:
Win32.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2021-06-04 02:50:47 UTC
AV detection:
27 of 47 (57.45%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vhu6nh7d4mucshbffwrfyn236xd53hsjs75gwvagccqpv6ngz6q._file
Verdict:
malicious
Similar samples:
162eb9bee8e0c7d40689403a725a41c1ae21846e6055ce5f46d6d40cdb1fbea9
BitRAT
19f17d84c67985de677ea0f746955f709106d8833311d3b8c9b67491d0498ff0
BitRAT
2efad23e5eb0e9a7ba2cbe0cc79d97e242047ec89baefe08568c447d17fe8bb1
BitRAT
43490b0471bb7e28b432a908893b2e7df5036f3ee939c930c45fe158e66f5e33
BitRAT
74bb85a9b72b29c47dd7a1424d4080de88c283f09126e721131b3d5ac0721ec9
BitRAT
7c86292bf74e67542dd8bd096c34e0ba11d0134b68ea385d7c118125e04a8d5e
BitRAT
ac84f24af4ee7638d9ee6c5d4b080130a7e1055e5f9bfbc1991dc889a03f664c
BitRAT
bb1104d813d5535fa0ea3e5600ddeda75f50c17a0cc50adb0cad068fb23a0710
BitRAT
cab2c0c7d8cb30d77bcd469e52357f584077fbd35517f7c6a6886f42e729cc47
BitRAT
fd10d12ae0088461e070fcc033fa0e28e5bd00cc4434e767b30b73d0560bae8d
BitRAT
+ 314 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210607-bbh9tcalzj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
44390430ef06d4c526cb24433728cae0a9d72897d5740b17f6adfb1f1178ddb8
MD5 hash:
fa0ed279049035b9019eb20e1d0804e1
SHA1 hash:
f8323bf5d5e5c63a26f65067954ba6fdbdb13f60
Link:
https://www.unpac.me/results/f5c7d140-5df2-43f7-83a8-50828c8634de/
SH256 hash:
f54f4f34ff1f194148e1296d12e1badfae3eecf24cbfd35aa0308507d7cd367d
MD5 hash:
6b13104c9c912fd7e5d6ec8673d18c7e
SHA1 hash:
a7d717d5e7be930f4aa5aec929ddc18d95fb9630
Link:
https://www.unpac.me/results/f5c7d140-5df2-43f7-83a8-50828c8634de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f54f4f34ff1f194148e1296d12e1badfae3eecf24cbfd35aa0308507d7cd367d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164834/

Comments