MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fec73f9e948fb30fe01a715018c44268d64baead13d519e8e0065a844584f920. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fec73f9e948fb30fe01a715018c44268d64baead13d519e8e0065a844584f920
SHA3-384 hash: 757cd0d8ff75e3fb51ea9fc54a2610801e980b7a8dbed8f9f4a59e8409ae6ff1940129847156d787de1c870ebf14171f
SHA1 hash: 211010769c5c94ffac83a13838b0d49d6a624aaf
MD5 hash: f8b6181da93f514b6693f805dbfed63f
humanhash: enemy-crazy-oven-cardinal
File name:f8b6181da93f514b6693f805dbfed63f.exe
Download: download sample
Signature BitRAT
Create hunting rule
File size:4'543'488 bytes
First seen:2021-01-06 07:02:51 UTC
Last seen:2021-01-06 08:34:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 98304:KZDsGL1En0Fsl4MyvU2ToVyoHZg+01M3dwBUUf5/:KZwEEnUFEzHZfqM3dwBFf5/
Threatray 71 similar samples on MalwareBazaar
TLSH 6126235173932F99F03C6BBA88AD5144A3F1E44AC36ADBBF7DE650CA0458E508AF1931
Reporter abuse_ch
Tags:BitRAT exe RAT


Avatar
abuse_ch
BitRAT C2:
45.15.143.234:5366

Intelligence

File Origin
# of uploads :
2
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f8b6181da93f514b6693f805dbfed63f.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 07:05:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1da06541-9da6-4fde-969f-d45ae6919407

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/110661/
Detection(s):
SecuriteInfo.com.Generic.mg.f8b6181da93f514b.15387.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a system process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574821
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Contains functionality to inject code into remote processes
Contains functionality to steal e-mail passwords
DLL side loading technique detected
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 336467 Sample: X8yhUJB4xd.exe Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 72 www.xenarmor.com 2->72 74 xenarmor.com 2->74 76 kabuto.tk 2->76 92 Antivirus detection for dropped file 2->92 94 Multi AV Scanner detection for dropped file 2->94 96 Sigma detected: Scheduled temp file as task from temp location 2->96 98 6 other signatures 2->98 10 X8yhUJB4xd.exe 7 2->10         started        signatures3 process4 file5 58 C:\Users\user\AppData\...\uqEKxgRzmWu.exe, PE32 10->58 dropped 60 C:\Users\...\uqEKxgRzmWu.exe:Zone.Identifier, ASCII 10->60 dropped 62 C:\Users\user\AppData\Local\...\tmp1F0E.tmp, XML 10->62 dropped 64 C:\Users\user\AppData\...\X8yhUJB4xd.exe.log, ASCII 10->64 dropped 104 Writes to foreign memory regions 10->104 106 Sample uses process hollowing technique 10->106 108 Injects a PE file into a foreign processes 10->108 14 vbc.exe 3 4 10->14         started        18 schtasks.exe 1 10->18         started        signatures6 process7 dnsIp8 78 kabuto.tk 45.15.143.234, 49725, 49727, 49729 DEDIPATH-LLCUS Latvia 14->78 80 192.168.2.1 unknown unknown 14->80 110 Tries to steal Mail credentials (via file registry) 14->110 112 Contains functionality to steal e-mail passwords 14->112 114 Contains functionality to inject code into remote processes 14->114 116 3 other signatures 14->116 20 vbc.exe 14->20         started        23 vbc.exe 24 14->23         started        25 vbc.exe 14->25         started        30 3 other processes 14->30 28 conhost.exe 18->28         started        signatures9 process10 file11 100 Injects a PE file into a foreign processes 20->100 32 vbc.exe 20->32         started        36 vbc.exe 5 23->36         started        50 C:\Windows\Microsoft.NET\...\Unknown.dll, PE32 25->50 dropped 52 C:\Windows\Microsoft.NET\...\vcruntime140.dll, PE32 25->52 dropped 54 C:\Windows\Microsoft.NET\...\softokn3.dll, PE32 25->54 dropped 56 17 other files (none is malicious) 25->56 dropped 102 Sample uses process hollowing technique 25->102 38 vbc.exe 1 30->38         started        40 vbc.exe 30->40         started        signatures12 process13 dnsIp14 66 www.xenarmor.com 32->66 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 32->82 84 Tries to steal Instant Messenger accounts or passwords 32->84 86 Tries to steal Mail credentials (via file access) 32->86 90 2 other signatures 32->90 42 conhost.exe 32->42         started        68 www.xenarmor.com 36->68 70 xenarmor.com 69.64.94.128 CODERO-DFWUS United States 36->70 88 DLL side loading technique detected 36->88 44 conhost.exe 36->44         started        46 conhost.exe 38->46         started        48 conhost.exe 40->48         started        signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fec73f9e948fb30fe01a715018c44268d64baead13d519e8e0065a844584f920/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 07:03:05 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=73dt7huur6zq7ya2ofibrrccndlexlvncpkrt2haazniirme7eqa._file
Verdict:
malicious
Similar samples:
10a2b667b6294c999ff6db8e6b89ac9272aaebb1c4fa526125c646ac5c7b6b28
BitRAT
1c1b2595e6838a1ee24e806ff60b80a40ad7166caaaaf65080deda57c7292c53
BitRAT
22dbe6172d32b9b90d66036688e440a9026524f8c4c61b1c05f45dbd63919483
BitRAT
243e8ba43bcdb6634c77835df678964743893a30f4d2abe9596f2add2882e074
BitRAT
3cf331e46b6f16ef2a591637b64865d81b19e016ad3f4f3280aa1a872f1261ab
BitRAT
3f5f718eea347bd327c4e7b525d0fc1ce91d54d4b1e4da1e78e18a35f19756e3
BitRAT
446a57da424b148321083f32681f6394b8a8bf8cfe750054697922c091f30624
BitRAT
7911f1a67c2580f0390dd9eea76d879801c77cb2e114a307e28cb3d31b23f340
BitRAT
80104e0ad490b44a632a15e5875e7626db7f35fa94d7aadf19c45a621d75c7e0
BitRAT
8fdc007dd13e7c0c5bbe426da723499db81518697eb84d2fd2a0181996d276fa
BitRAT
+ 61 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210106-d5yy88setx/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Uses the VBS compiler for execution
Unpacked files
SH256 hash:
fec73f9e948fb30fe01a715018c44268d64baead13d519e8e0065a844584f920
MD5 hash:
f8b6181da93f514b6693f805dbfed63f
SHA1 hash:
211010769c5c94ffac83a13838b0d49d6a624aaf
Link:
https://www.unpac.me/results/d5bfe2ca-030b-44d9-975f-75b269e92324/
SH256 hash:
78cc69e2bac1d1082fdcd12ab9f73c8fbe177d4c77c3741a1f675afc19fde7df
MD5 hash:
0d89407b450dd157f3eac8a3a3850a07
SHA1 hash:
ae3cd291f2a022360896d4fae4f005f2b50a8364
Link:
https://www.unpac.me/results/d5bfe2ca-030b-44d9-975f-75b269e92324/
SH256 hash:
8d3357b45ea57b4258b234e1999fe93db7f740459abda0c462d83397ba6559ea
MD5 hash:
922dd9348acc0255dd0b501386e8940b
SHA1 hash:
9002d6dd6de9b81ab46eabd02b9409ac463dbcf0
Link:
https://www.unpac.me/results/d5bfe2ca-030b-44d9-975f-75b269e92324/
SH256 hash:
3ed9eae04f65ddbb3e3c62951031ec8db8e84af0308cdaa7ecd2760454b8878d
MD5 hash:
8c6d6dbadb6b79fbb96c5b7209f171f9
SHA1 hash:
c3b6f02bc2c0f518fa784ad00d29005f34352274
Link:
https://www.unpac.me/results/d5bfe2ca-030b-44d9-975f-75b269e92324/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fec73f9e948fb30fe01a715018c44268d64baead13d519e8e0065a844584f920

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BitRAT

Executable exe fec73f9e948fb30fe01a715018c44268d64baead13d519e8e0065a844584f920

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/110661/
  
URLhaus
https://urlhaus.abuse.ch/url/947608/
  
Delivery method
Distributed via web download

Comments