MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f671b1f716f0176dbaec5ea7ca024cb32f65fe5ceceaf99a80ce080132ec9dd7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BitRAT

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	f671b1f716f0176dbaec5ea7ca024cb32f65fe5ceceaf99a80ce080132ec9dd7
SHA3-384 hash:	32eef1e81b331f4bfe6bce6baeaac96ee4a39c8810918a397283e035093d460390d13ba210482c4c3da998606ea3f2fb
SHA1 hash:	ed319d7a0ff6d0f37b92be41c3e42cf651f0b8a1
MD5 hash:	bf795e35ae38b7703d53ecd51299b0c2
humanhash:	high-neptune-mississippi-stairway
File name:	PO# 5604 & Price List SF#163188104021 WinTide Brand Ltd.exe
Download:	download sample
Signature	BitRAT Create hunting rule
File size:	2'470'400 bytes
First seen:	2020-10-27 12:59:50 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	49152:4A+wsFBQAGQ58Bw7aSIgZ1YGI7cCKlZJYPE6/vz:AVFBQDtwnjzbFYPBvz
Threatray	702 similar samples on MalwareBazaar
TLSH	8EB5CF523A909951F16A323BC26AC20847F59F502693D337E8FF33AB0D27B7A79045D6
Reporter	abuse_ch
Tags:	BitRAT exe nVpn RAT

abuse_ch

Malspam distributing BitRAT:

HELO: slot0.85xainji.com
Sending IP: 45.145.185.142
From: Sebralla Regina <office@85xainji.com>
Subject: AW: goods - update
Attachment: PO706257.rar (contains "PO# 5604 & Price List SF#163188104021 WinTide Brand Ltd.exe")

BitRAT C2:
servr.superbanifabused1.xyz:6513 (79.134.225.39)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/79927/

Detection(s):

SecuriteInfo.com.ArtemisBF795E35AE38.3828.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

BitRAT

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/513654

Signature

Contains functionality to hide a thread from the debugger

Contains functionality to inject code into remote processes

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AntiVM_3

Yara detected BitRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f671b1f716f0176dbaec5ea7ca024cb32f65fe5ceceaf99a80ce080132ec9dd7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-27 08:20:55 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6zy3d5yw6alw3oxml2t4uasmwmxwl7s45tvptguazyeacmxmtxlq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/201027-kdccsbglc6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f671b1f716f0176dbaec5ea7ca024cb32f65fe5ceceaf99a80ce080132ec9dd7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

rar 91647cba6daf86ccd1363bf35d4b1fbec8a892ff9cb6d69d2d2295bcbedad474

BitRAT

exe f671b1f716f0176dbaec5ea7ca024cb32f65fe5ceceaf99a80ce080132ec9dd7

(this sample)

Dropped by

MD5 30e562349e9b6b92149240b350affabb

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 91647cba6daf86ccd1363bf35d4b1fbec8a892ff9cb6d69d2d2295bcbedad474

Cape

https://www.capesandbox.com/analysis/79927/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample