MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f902d7a9a985e2488fc770e265cec8fcaffb1848c4cd506a67e03b2f20484281. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f902d7a9a985e2488fc770e265cec8fcaffb1848c4cd506a67e03b2f20484281
SHA3-384 hash: f21917e585fa8a64b0c5a8dbade7147dfca94d3f62003d851aeee6e4b6ace59dff32e8ab66c8ba0dabdf2f6fe5dadd1d
SHA1 hash: 41ce4948ad75958453125572de98db3b9c428e35
MD5 hash: 4b7f92157252f9d39120960ce353537e
humanhash: alaska-finch-earth-east
File name:Remittance FormDoc.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:4'411'970 bytes
First seen:2021-04-17 06:25:24 UTC
Last seen:2021-04-17 06:54:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ea4e67a31ace1a72683a99b80cf37830 (70 x Formbook, 63 x GuLoader, 54 x Loki)
ssdeep 98304:5VgJsIYfGpBmGVWkmmFw4wgi5m3+Vjm7rmLi:5kdYOpLtmmFw4liosjmPmm
Threatray 145 similar samples on MalwareBazaar
TLSH 1F16335B3A0CE47FD153973C6AB049112DBE3E9190E05799BA64736D67FA3838C38E42
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
23.19.227.243:8887

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
23.19.227.243:8887 https://threatfox.abuse.ch/ioc/8834/

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Remittance FormDoc.exe
Verdict:
Malicious activity
Analysis date:
2021-04-17 06:25:53 UTC
Tags:
trojan bitrat rat stealer
Link:
https://app.any.run/tasks/c0b8bca3-7d6d-4a66-a932-b14be44c8c10

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/136778/
Detection(s):
SecuriteInfo.com.Artemis4B7F92157252.2457.17868.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Sending a UDP request
Unauthorized injection to a recently created process
Setting a global event handler
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Setting a global event handler for the keyboard
Blocking the Windows Defender launch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/682973
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Contains functionality to prevent local Windows debugging
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses cmd line tools excessively to alter registry or file data
Yara detected BitRAT
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 390440 Sample: Remittance FormDoc.exe Startdate: 17/04/2021 Architecture: WINDOWS Score: 100 58 Multi AV Scanner detection for dropped file 2->58 60 Multi AV Scanner detection for submitted file 2->60 62 Detected unpacking (changes PE section rights) 2->62 64 8 other signatures 2->64 11 Remittance FormDoc.exe 19 2->11         started        process3 file4 50 C:\Users\user\AppData\Local\...\ggsu5j8.dll, PE32 11->50 dropped 70 Maps a DLL or memory area into another process 11->70 15 Remittance FormDoc.exe 3 3 11->15         started        signatures5 process6 dnsIp7 54 23.19.227.243, 49711, 49712, 49716 LEASEWEB-USA-NYC-11US United States 15->54 56 Hides threads from debuggers 15->56 19 fodhelper.exe 1 15 15->19         started        signatures8 process9 process10 21 Remittance FormDoc.exe 17 19->21         started        dnsIp11 52 192.168.2.1 unknown unknown 21->52 48 C:\Users\user\AppData\Local\...\ggsu5j8.dll, PE32 21->48 dropped 66 Maps a DLL or memory area into another process 21->66 26 Remittance FormDoc.exe 21->26         started        file12 signatures13 process14 signatures15 68 Uses cmd line tools excessively to alter registry or file data 26->68 29 reg.exe 1 1 26->29         started        32 reg.exe 1 1 26->32         started        34 reg.exe 1 1 26->34         started        36 4 other processes 26->36 process16 signatures17 72 Disables Windows Defender (deletes autostart) 29->72 38 conhost.exe 29->38         started        74 Disable Windows Defender real time protection (registry) 32->74 40 conhost.exe 34->40         started        42 conhost.exe 36->42         started        44 conhost.exe 36->44         started        46 conhost.exe 36->46         started        process18
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f902d7a9a985e2488fc770e265cec8fcaffb1848c4cd506a67e03b2f20484281/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ebnpknjqxrerd6hodrgltwi7sx7wgciytgva2th4a5s6iciikaq._file
Verdict:
malicious
Similar samples:
083d5efb4da09432a206cb7fba5cef2c82dd6cc080015fe69c2b36e71bca6c89
BitRAT
086292a6bfd70867d0186a92add0deca164c0588fc37c30c4401e249c2b59257
BitRAT
3936db5f71715f5ef3c4807c9fe0913943ae3b0aa3f000f40ec95558789a2450
BitRAT
3c433cb1c5fbe7966fc5545c22a795866484b7bab4600598629939ed4a542b01
BitRAT
98f10643b82275794bc9708dbffdb248e5f715a7207e1c4a4a453cd7cfa7a059
BitRAT
ba4fa1c41cdaa863e62325903f001594055a3e7419413ab50868577a46cf5d81
BitRAT
be06f303ae133e36f87ef001dc369f0212f76b26ad53ec171fd2dcdde9463cea
BitRAT
ce626c7e042469928600430d504181b8bc8d4e93d61ab4f89c3eb054acc78f78
BitRAT
ede0c83fc3c75766a73b4f0c2a8b262ad12363e5160eadff4c2abbcc7115462d
BitRAT
fe0a8d4538509b238f96d42c57d73ffb49d1967c4b6dc8b397a4684446a04460
BitRAT
+ 135 additional samples on MalwareBazaar
Result
Malware family:
xenarmor
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:xenarmor evasion password recovery spyware stealer trojan upx
Link:
https://tria.ge/reports/210417-bbzj2e23cs/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
ACProtect 1.3x - 1.4x DLL software
BitRAT
BitRAT Payload
Modifies Windows Defender Real-time Protection settings
XenArmor Suite
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:MALWARE_Win_BitRAT
Create hunting rule
Author:ditekSHen
Description:Detects BitRAT RAT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/136778/

Comments