MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff28079581ca00e790039ab9d81ab6330df81a2ab58e1836f3dcf60011696823. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BitRAT


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff28079581ca00e790039ab9d81ab6330df81a2ab58e1836f3dcf60011696823
SHA3-384 hash: e1a7eae0e2f6d1a427c02c5fa209203a0c3fa761f9773ef77ee5f42082038c3ae44a42b8bbb5baf6a15dd9a0a0ee3ac4
SHA1 hash: 3d8687cd7bdee5b3042006b42f0302710067c97d
MD5 hash: c2e214a664c86f020cf01a65753f2279
humanhash: utah-winter-spaghetti-vegan
File name:UAEHBADS.EXE
Download: download sample
Signature BitRAT
Create hunting rule
File size:870'912 bytes
First seen:2021-09-19 16:55:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 96d68413d52ee291c9b444b7006f0bce (4 x RemcosRAT, 1 x BitRAT)
ssdeep 12288:mmnGyuE9fz9VBCY4Alz2MjbjBQHhazE2mdvnk6LHC7WWnMvwfHVBPggseBnDz5ZE:mmnZbz9e0z12HLBngseBDz5ZE
Threatray 738 similar samples on MalwareBazaar
TLSH T1E2058E16B3844CF5F931193A8EDAB7913929BDF028A95D4F6DF03E1429647A2393C48F
dhash icon 8ccc0c37e3969a68 (8 x RemcosRAT, 2 x NetWire, 1 x BitRAT)
Reporter cocaman
Tags:BitRAT DHL exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
243
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
UAEHBADS.EXE
Verdict:
Malicious activity
Analysis date:
2021-09-19 16:59:39 UTC
Tags:
installer
Link:
https://app.any.run/tasks/3708f143-e354-44e5-a8cd-f95e151f2af0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
BitRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189137/
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

SecuriteInfo.com.UDS.Backdoor.Win32.Remcos.gen.30130.2328.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Connection attempt
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Malware family:
BitRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3a87b6d8-dda3-4388-99b0-c18fad67d1d2
Result
Threat name:
BitRAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/853576
Signature
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected BitRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 486006 Sample: UAEHBADS.EXE Startdate: 19/09/2021 Architecture: WINDOWS Score: 96 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected BitRAT 2->55 57 C2 URLs / IPs found in malware configuration 2->57 8 Uaehbad.exe 13 2->8         started        12 UAEHBADS.EXE 1 22 2->12         started        15 Uaehbad.exe 14 2->15         started        process3 dnsIp4 45 162.159.130.233, 443, 49747, 49749 CLOUDFLARENETUS United States 8->45 47 192.168.2.1 unknown unknown 8->47 61 Multi AV Scanner detection for dropped file 8->61 63 Machine Learning detection for dropped file 8->63 65 Writes to foreign memory regions 8->65 17 secinit.exe 8->17         started        49 cdn.discordapp.com 162.159.135.233, 443, 49741, 49742 CLOUDFLARENETUS United States 12->49 41 C:\Users\Public\Libraries\...\Uaehbad.exe, PE32 12->41 dropped 67 Creates a thread in another existing process (thread injection) 12->67 69 Injects a PE file into a foreign processes 12->69 21 mshta.exe 1 12->21         started        23 cmd.exe 1 12->23         started        25 cmd.exe 1 12->25         started        27 mshta.exe 15->27         started        file5 signatures6 process7 dnsIp8 43 zopp.nerdpol.ovh 20.106.72.179, 2222, 49748, 49750 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 21->43 59 Hides threads from debuggers 21->59 29 reg.exe 1 23->29         started        31 conhost.exe 23->31         started        33 cmd.exe 1 25->33         started        35 conhost.exe 25->35         started        signatures9 process10 process11 37 conhost.exe 29->37         started        39 conhost.exe 33->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff28079581ca00e790039ab9d81ab6330df81a2ab58e1836f3dcf60011696823/
Threat name:
Win32.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 16:56:11 UTC
AV detection:
25 of 45 (55.56%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=74uapfmbziaopeadtk45qgvwgmg7qgrkwwhbqnxt3t3aaeljnarq._file
Verdict:
malicious
Similar samples:
0840ac6a8ee445eed007f29220dad3dd03e59cf161524623c831596673c7e8d0
BitRAT
174d091dcf5a5b2c4af35b5df2e4094ddf31bc589208f7b79ff5fc0db2dde514
BitRAT
1d4f1e01cbbd896a55a83dd107e381fe0a572bd2c9327cbb82a9510eb4832e99
BitRAT
1f715d5b757b50e756c70424d15902f064ad12df112413e518b78c22a7372e9a
BitRAT
2cc63ed4b98c0457f975339ddb58fc82f9dac01a15fd096804ee3ce16c968dcc
BitRAT
6b637314dc7b63dfce69d3efe9b792d8fb2fbb0d9f19ea70aa0ff83ae8dbd495
BitRAT
8f4dcda8ef498f0d5f7dbbf978a3e9588bef94f5ee91a3659349d60b1f2447ec
BitRAT
b31cde99f0850f6f1e87ff1cb15014a26d87a22aed1e63c2bcfe423bc377dfd7
BitRAT
d79ba47a55b5dcb4cf6e76ac13bd3179e1523d5904483232d9ce9d39915dbc69
BitRAT
f2d4e21c9c01ada5d8aeaf91a05f344ba07965268c9ae9febf552d6234bcc09a
BitRAT
+ 728 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence trojan upx
Link:
https://tria.ge/reports/210919-vfpblsehdp/
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
UPX packed file
BitRAT
BitRAT Payload
Unpacked files
SH256 hash:
519197f521aa39b7a7ab34b4500a304a7329d967115c2e48fe1b6eb201e39af1
MD5 hash:
3da921c9355d01d335cf03159a950030
SHA1 hash:
3be3f4ea8f289a123dcd1f6ac97c6f34a503c9cf
Link:
https://www.unpac.me/results/34116150-b134-43aa-be08-853152622119/
SH256 hash:
ff28079581ca00e790039ab9d81ab6330df81a2ab58e1836f3dcf60011696823
MD5 hash:
c2e214a664c86f020cf01a65753f2279
SHA1 hash:
3d8687cd7bdee5b3042006b42f0302710067c97d
Link:
https://www.unpac.me/results/34116150-b134-43aa-be08-853152622119/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.50
Link:
https://yomi.yoroi.company/submissions/ff28079581ca00e790039ab9d81ab6330df81a2ab58e1836f3dcf60011696823

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BitRAT

img 27a51755658dffa009dc5e26be2f3df865a56ed4e2f3d2f0a6f726ad2a3d7b7a

BitRAT

Executable exe ff28079581ca00e790039ab9d81ab6330df81a2ab58e1836f3dcf60011696823

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 27a51755658dffa009dc5e26be2f3df865a56ed4e2f3d2f0a6f726ad2a3d7b7a
Cape
Cape
https://www.capesandbox.com/analysis/189137/

Comments