MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fcb2107f5b1fe383bdd0f8ec5d085a1ed2be421ce2c1616a767b597c6b7003f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fcb2107f5b1fe383bdd0f8ec5d085a1ed2be421ce2c1616a767b597c6b7003f7
SHA3-384 hash: 81ea82f740c46e9c80580be83a43b5e011fc7e3d4bddf8402f1ae732acbd512291f89d3beb97bafa522cdd3fdfed33ca
SHA1 hash: 3d882d6c41b868ee920fc8a14393aa164d408f4b
MD5 hash: f3013d2d1cf8e1eb094f9d477f26b9e4
humanhash: angel-item-bravo-sink
File name:evgNsAfH28WjMUf.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:2'281'984 bytes
First seen:2021-01-26 09:49:06 UTC
Last seen:2021-01-26 12:10:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 49152:wDGZnHofwUC4c0GUGI2eDT8Nae8JQrvvPx2bLaE9xboXcX:oIUCHUMeWakjP2asiXc
Threatray 239 similar samples on MalwareBazaar
TLSH 50B5122417A09E10C2BC57768864D33967F46C259A16E75CEDC9ACDB3F33A61EE0F10A
Reporter Anonymous
Tags:BitRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
evgNsAfH28WjMUf.exe
Verdict:
Malicious activity
Analysis date:
2021-01-26 09:49:30 UTC
Tags:
trojan bitrat rat
Link:
https://app.any.run/tasks/2ec24d83-3812-4186-93ac-3b4517948937

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/113848/
Detection(s):
SecuriteInfo.com.ArtemisF3013D2D1CF8.32166.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Setting a global event handler
Sending a custom TCP request
Creating a window
Setting a global event handler for the keyboard
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/590463
Signature
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fcb2107f5b1fe383bdd0f8ec5d085a1ed2be421ce2c1616a767b597c6b7003f7/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-26 09:09:33 UTC
AV detection:
2 of 46 (4.35%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7szba723d7ryhpoq7dwf2cc2d3jl4qq44lawc2twpnmxy23qap3q._file
Verdict:
malicious
Similar samples:
22c86ceaed13287d9bdcc4bb9e7ee4c383c5c1422eee3f75a10f7fd0ffe3b589
BitRAT
22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483
BitRAT
2ddd796e9b53ab3d7eaf4093529077f637f182a934a851af24da8c8f189aeed3
BitRAT
50e2c6aac34de9ed4e1b3fcfcd5aaa34892696f2681aa5e8c45a5dbe0915a43c
BitRAT
56d0c7b288fe323703e31519f296d7a1ed4811bc8eb7cf87c56082499aaff297
BitRAT
76e5467f267a4bca00af800094c3a92f6bd51de54737f07c533d091e2f219b40
BitRAT
80104e0ad490b44a632a15e5875e7626db7f35fa94d7aadf19c45a621d75c7e0
BitRAT
b8d2de495b9ec7f42b0f25b1fc532915a4378b683daafb1ecb5171624ea7a83c
BitRAT
ef3436a1198e62ccb908d35b3dea6cfed17414f2e59ab62686277d978f5fd73c
BitRAT
f1080a2b8c64a3c7b9ba733360e7e70947859b250f4ed760a35f7104a70d6d91
BitRAT
+ 229 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan upx
Link:
https://tria.ge/reports/210126-da6lh4zgka/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
c329cc71854521fbd075ea0aa863e2d45709c53b1e63601a87248c3002371309
MD5 hash:
a4beaf7fb397941a55d2ffc04d105467
SHA1 hash:
6a96ffea17222ef27bf3be4267885b75b04101f5
Link:
https://www.unpac.me/results/6ac19150-80ee-4bb5-9836-9128e4694737/
SH256 hash:
321a00830544cd9e677c91f48c120d46e9af041dc15c2bb42da549b965aa9d07
MD5 hash:
cc38e1edb3f379260452c09eecc74a18
SHA1 hash:
9fbc5476196ae2f17e932f327c7b46452b0752cc
Link:
https://www.unpac.me/results/6ac19150-80ee-4bb5-9836-9128e4694737/
SH256 hash:
e38d734f36257ee6f8d1b5e3bd8a460a957c749b61b02f7af7178fdade72e851
MD5 hash:
0cd7e74ce1ff42c005c532f366cb36a6
SHA1 hash:
3a9a8a1545da709e6065a5bdb662e7e36e330f2d
Link:
https://www.unpac.me/results/6ac19150-80ee-4bb5-9836-9128e4694737/
SH256 hash:
fcb2107f5b1fe383bdd0f8ec5d085a1ed2be421ce2c1616a767b597c6b7003f7
MD5 hash:
f3013d2d1cf8e1eb094f9d477f26b9e4
SHA1 hash:
3d882d6c41b868ee920fc8a14393aa164d408f4b
Link:
https://www.unpac.me/results/6ac19150-80ee-4bb5-9836-9128e4694737/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fcb2107f5b1fe383bdd0f8ec5d085a1ed2be421ce2c1616a767b597c6b7003f7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113848/

Comments