MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27db51f010cd9e7f83daf474ba1d78022cf61704fe114552a98d464b08383b38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: njrat
Vendor detections: 8

SHA256 hash: 27db51f010cd9e7f83daf474ba1d78022cf61704fe114552a98d464b08383b38
SHA3-384 hash: 9a94454b3e1490fb133d5f30e947e4acab51e70535717a1e6fa03ffb8495c00049fd030dac63bdf6b0dce81d09512dc7
SHA1 hash: f694ad1cb07a98e3ede5dcd26d54f1e4d29dc3b8
MD5 hash: 8d949fe494a783d96dc2bd003de89a41
humanhash: idaho-alpha-delaware-bravo
File name: 27db51f010cd9e7f83daf474ba1d78022cf61704fe114552a98d464b08383b38
Signature: njrat
File size: 8'332'288 bytes
First seen: 2020-11-14 18:22:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: d5d9d937853db8b666bd4b525813d7bd (40 x DCRat, 28 x njrat, 5 x RedLineStealer)
ssdeep: 196608:b7P/9NcSdKX8VEwb3y+9Is3/K2CBHpR1FtSeFo38U9cJ81+:XP/9GnerKQCHzCb+P
TLSH: 9A8633ACA49B3CF1EA14E83183615F06AF1B36B4CE7799A864463554F39FB701BE1243
Reporter: seifreed
Tags: NjRAT

Intelligence

File Origin
# of uploads: 1
# of downloads: 82
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Creating a process with a hidden window
DNS request
Creating a window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat DarkComet
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Detected njRat
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Yara detected DarkComet
Yara detected Njrat
Behaviour
Behavior Graph:
Behavior Graph ID: 316770 | Sample: 4leF4Lh53y | Startdate: 15/11/2020 | Architecture: WINDOWS | Score: 100
- Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 15 other signatures
- Top-level network: Tubexe-23569.portmap.host
- Processes started at top level: 4leF4Lh53y.exe; svchost.exe; svchost.exe; 10 other processes
- 4leF4Lh53y.exe: dropped C:\Users\user\AppData\Roaming\DarkComet.exe (PE32) and C:\Users\user\...\CheatWarface(v.9.0).exe (PE32); started CheatWarface(v.9.0).exe and DarkComet.exe
- svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall); started MpCmdRun.exe, which started conhost.exe
- svchost.exe: 127.0.0.1 (unknown unknown)
- CheatWarface(v.9.0).exe: dropped C:\Users\user\AppData\Local\...\svchost.exe (PE32); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops PE files with benign system names; started the dropped svchost.exe
- dropped svchost.exe: Tubexe-23569.portmap.host 193.161.193.99 (ports 23569, 49724, 49728; BITREE-ASRU, Russian Federation) and 192.168.2.1 (unknown unknown); dropped C:\...\5dda555e7b363aad632b4f83175c5892.exe (PE32); signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; 4 other signatures; started netsh.exe, which started conhost.exe
Threat name:
Win32.Backdoor.DarkComet
Status:
Malicious
First seen:
2020-11-14 18:25:26 UTC
AV detection:
25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family:
n/a
Score: 8/10
Tags:
evasion persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies service
Adds Run key to start application
Drops startup file
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SHA256 hash: 27db51f010cd9e7f83daf474ba1d78022cf61704fe114552a98d464b08383b38
MD5 hash: 8d949fe494a783d96dc2bd003de89a41
SHA1 hash: f694ad1cb07a98e3ede5dcd26d54f1e4d29dc3b8

SHA256 hash: 9343339fadfe0f62d6fd46c6131ed9fdf01978d817192984e69a8bbecfb406d2
MD5 hash: 34960f869aa933675a70c0c7c17addfe
SHA1 hash: b01ec370b3571d70a2d111f35d5514cc7a18d422
Detections: win_darkcomet_g0 win_darkcomet_auto

SHA256 hash: f323c647565a6ac6762379e35c499ecebe17fde2530a2ad5159310ffccbf95c9
MD5 hash: 84d4f5709947e90acdd25f594eda9509
SHA1 hash: 6bd75b358edd1275efad4664c926763b5780de5b
Detections: win_njrat_w1 win_njrat_g1

SHA256 hash: 4d5b0bb924898acc5937d9e5c373c11b19f0933e96e3d9a182fe64c683dfa5e5
MD5 hash: e39e0912ed8f4111b85e7fa8c04cacbc
SHA1 hash: 1f89c439c4c00df08967535e6c52835d3f98cffc

SHA256 hash: 561c24f9d8f8c667558a33ecef1f39cfae88f163f2618496aba96334afc3e9c5
MD5 hash: caced8edc397df7d4fc63b6f9dc5f2e2
SHA1 hash: b1ece378faa4f9ee8f384ca53302a0ec5c3d6073

SHA256 hash: 9726b5338ad442af484457875b53125949be30443c32ae30aaa7dca745ebcb35
MD5 hash: baae76330a8ff174be812a43455ae9e4
SHA1 hash: 240d7d440ef530009fa47489f16a2a28e8404f93
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments