MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5d02bf8a1a6612e21e2165e2008c66347e60436a43b3bf7cae2edc323f50d44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5d02bf8a1a6612e21e2165e2008c66347e60436a43b3bf7cae2edc323f50d44
SHA3-384 hash: 520989e117a71ac2209130d15a6d4004f01933e020e949195aa5733d5e0d87fdc21aa6811272fa0b9d3ac55d24b6d5c8
SHA1 hash: 23e8a1e9736c8c788d2b0450c011ea5ae8a8a274
MD5 hash: 949f4223f86d23ec243d1e23dd0a28c9
humanhash: sad-apart-saturn-network
File name:SecuriteInfo.com.Trojan.Siggen11.57077.29929.29062
Download: download sample
Signature BitRAT
Create hunting rule
File size:6'382'080 bytes
First seen:2021-01-02 20:50:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae28306bf70f5963ea0555dfe529913b (3 x BitRAT)
ssdeep 196608:UtDvqfSippSz2gl2obELcGhk4wegtNyiEa:uwKz2E/b6k7XNn
Threatray 234 similar samples on MalwareBazaar
TLSH 315623773364218DC4D5D83D8627FDD532F923BB8B80A5B4A9DA3AC62E224D1D703D92
Reporter SecuriteInfoCom
Tags:BitRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IPTV Link & Info.docx
Verdict:
Malicious activity
Analysis date:
2021-01-02 14:52:44 UTC
Tags:
generated-doc trojan loader stealer
Link:
https://app.any.run/tasks/73fc7745-00d6-4ad3-839a-0b615a9143c0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110323/
Detection(s):
SecuriteInfo.com.Trojan.Siggen11.57077.29929.29062.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Setting a global event handler
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Sending a UDP request
Setting a global event handler for the keyboard
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/572977
Signature
Detected VMProtect packer
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Found Tor onion address
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 335551 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 02/01/2021 Architecture: WINDOWS Score: 92 42 cdn.onenote.net 2->42 44 prda.aadg.msidentity.com 2->44 46 kabuto.tk 2->46 56 Multi AV Scanner detection for submitted file 2->56 58 Detected VMProtect packer 2->58 60 Machine Learning detection for sample 2->60 62 2 other signatures 2->62 10 SecuriteInfo.com.Trojan.Siggen11.57077.29929.exe 3 4 2->10         started        signatures3 process4 dnsIp5 48 kabuto.tk 45.15.143.195, 49707, 49714, 49723 DEDIPATH-LLCUS Latvia 10->48 50 192.168.2.1 unknown unknown 10->50 68 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->68 70 Tries to detect virtualization through RDTSC time measurements 10->70 72 Hides threads from debuggers 10->72 74 Injects a PE file into a foreign processes 10->74 14 fodhelper.exe 12 10->14         started        signatures6 process7 process8 16 SecuriteInfo.com.Trojan.Siggen11.57077.29929.exe 14->16         started        signatures9 52 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->52 54 Uses cmd line tools excessively to alter registry or file data 16->54 19 reg.exe 1 1 16->19         started        22 reg.exe 1 1 16->22         started        24 reg.exe 1 1 16->24         started        26 6 other processes 16->26 process10 signatures11 64 Disables Windows Defender (deletes autostart) 19->64 28 conhost.exe 19->28         started        66 Disable Windows Defender real time protection (registry) 22->66 30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        36 conhost.exe 26->36         started        38 conhost.exe 26->38         started        40 conhost.exe 26->40         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5d02bf8a1a6612e21e2165e2008c66347e60436a43b3bf7cae2edc323f50d44/
Threat name:
Win32.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2021-01-02 01:29:08 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6xicx6fbuzqs4ipcczpcacggmnd6mbbwuq5tx56k4lw4gi7vbvca._file
Verdict:
suspicious
Similar samples:
0724bc0b4abf5e1ae32a9fb01f6a9e18b6d5f086f8b19c3d41cd172fbf57e6bc
BitRAT
092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298
BitRAT
286c2eb8755215619d8cb48cc884091251729d5925b74444fe3b62c2c1a5acb5
BitRAT
2dae80e04d518be8a6e1659d53afd6aea2eecc35086db46b4dd0a701a4b6f812
BitRAT
522de9741550dc1f29b224a934ad3bd4c8454975a3e8aa3a1215cfe884eb0aff
BitRAT
69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c
BitRAT
99a6c8e156dba4fda6e2b6ca0802cc08d49556b489e97618e565768329521413
BitRAT
9dc88dec4a1a8fab1526dd1a856542e011b7ad5a62ec049c07d0eca58843a9f0
BitRAT
b31fb3832c2f366796fcc9165c60c58da5c866973377ab0d43f71586c461b8fb
BitRAT
f09dc0b3275b4c1e3a616911805011c2871af1407599493dc980b6987cb313eb
BitRAT
+ 224 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion spyware trojan upx vmprotect
Link:
https://tria.ge/reports/210102-kfb4haznpa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
f5d02bf8a1a6612e21e2165e2008c66347e60436a43b3bf7cae2edc323f50d44
MD5 hash:
949f4223f86d23ec243d1e23dd0a28c9
SHA1 hash:
23e8a1e9736c8c788d2b0450c011ea5ae8a8a274
Link:
https://www.unpac.me/results/2a069fcb-3329-4391-ac7a-0e2937d5a81a/
SH256 hash:
0b3849b7d21d985ab3b63ffe6a03b2ca63b254d6d824c73871f52dbf47967904
MD5 hash:
81e85c0089c54e9266084eb2ed80f7e0
SHA1 hash:
7f9cb37253347eb0137426e91c2e8627aff7642f
Link:
https://www.unpac.me/results/2a069fcb-3329-4391-ac7a-0e2937d5a81a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f5d02bf8a1a6612e21e2165e2008c66347e60436a43b3bf7cae2edc323f50d44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe f5d02bf8a1a6612e21e2165e2008c66347e60436a43b3bf7cae2edc323f50d44

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/947608/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/110323/

Comments