MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3d07e674b3ddbf25cefc72a2ec2e2bf08d450074e285dc89ef304903b6dbbce6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3d07e674b3ddbf25cefc72a2ec2e2bf08d450074e285dc89ef304903b6dbbce6
SHA3-384 hash: 72ab8c4766747c1a336e6bdb89d4c2e2d8a0275b751eb23389a5fae727e6e3ed79ea82bb40323e5b25369c87d6a1bbd2
SHA1 hash: 8789ca947f8c51d5b2418558f9b0cecd055a9cb1
MD5 hash: bb91095a05a72d1c0557e6c73a40cd5c
humanhash: helium-xray-missouri-ohio
File name:BB91095A05A72D1C0557E6C73A40CD5C.exe
Download: download sample
Signature njrat
Create hunting rule
File size:3'877'376 bytes
First seen:2021-04-29 18:10:49 UTC
Last seen:2021-04-29 19:04:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 98304:bjkKv4t12HK70h8fhJ4coyAAyTm9x2Kd:N22Hr8fhJfoyaTi2q
Threatray 2 similar samples on MalwareBazaar
TLSH 400623F8CFF8A920F77C633AF4062C1D64DAA89C9D025666B5DB60C130583C9D2E7697
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
165.227.31.192:22484

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
165.227.31.192:22484 https://threatfox.abuse.ch/ioc/25064/

Intelligence

File Origin
# of uploads :
2
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/146802/
Detection(s):
Win.Packed.Hpbladabi-6860330-0
Create hunting rule

PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Sending a custom TCP request
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/702902
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 400379 Sample: zOCCW1aIEO.exe Startdate: 29/04/2021 Architecture: WINDOWS Score: 100 59 clientconfig.passport.net 2->59 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 2 other signatures 2->73 11 zOCCW1aIEO.exe 5 2->11         started        15 svchost.exe 4 2->15         started        17 svchost.exe 2->17         started        19 10 other processes 2->19 signatures3 process4 dnsIp5 55 C:\Users\user\AppData\...\zOCCW1aIEO.exe.log, ASCII 11->55 dropped 83 Drops PE files with benign system names 11->83 85 Injects a PE file into a foreign processes 11->85 22 zOCCW1aIEO.exe 1 4 11->22         started        25 zOCCW1aIEO.exe 11->25         started        27 svchost.exe 15->27         started        29 svchost.exe 15->29         started        87 Changes security center settings (notifications, updates, antivirus, firewall) 17->87 31 MpCmdRun.exe 17->31         started        61 127.0.0.1 unknown unknown 19->61 63 192.168.2.1 unknown unknown 19->63 33 svchost.exe 19->33         started        35 svchost.exe 19->35         started        file6 signatures7 process8 file9 53 C:\Users\user\AppData\Local\...\svchost.exe, PE32 22->53 dropped 37 svchost.exe 5 22->37         started        40 conhost.exe 31->40         started        process10 signatures11 75 Multi AV Scanner detection for dropped file 37->75 77 Machine Learning detection for dropped file 37->77 79 Drops PE files to the startup folder 37->79 81 3 other signatures 37->81 42 svchost.exe 4 5 37->42         started        47 svchost.exe 37->47         started        process12 dnsIp13 65 165.227.31.192, 22484, 49741, 49753 DIGITALOCEAN-ASNUS United States 42->65 57 C:\...\29480c86201e17c0a563fe1e01e3966f.exe, PE32 42->57 dropped 89 System process connects to network (likely due to code injection or exploit) 42->89 91 Protects its processes via BreakOnTermination flag 42->91 93 Creates autostart registry keys with suspicious names 42->93 49 netsh.exe 1 3 42->49         started        file14 signatures15 process16 process17 51 conhost.exe 49->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3d07e674b3ddbf25cefc72a2ec2e2bf08d450074e285dc89ef304903b6dbbce6/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-04-20 04:12:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hud6m5ft3w7sltx4okroylrl6cgukadu4kc5zcppgbeqhnw3xtta._file
Verdict:
suspicious
Similar samples:
765b482b453872d5c03a3919057fac267ca22f85ff3b7fa3b2ea44c31b3a2604
njrat
e4aae9a8a9103086b7232aa674f4ba296e140a4baaa01eb86b0cd79305a5fd13
njrat
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan
Link:
https://tria.ge/reports/210429-mrpkpvgnlx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
SH256 hash:
0e5046147c4115e976c984a8cb7ef9241f29b8c3486b2fad8b4aff0a1fa6da79
MD5 hash:
69b4e4115302a65531963f0415043d4f
SHA1 hash:
831e82057f55e3c6d044b1e1c1342f16e8d41260
Link:
https://www.unpac.me/results/652d08da-fa5f-43b1-bbc0-1f14834f6489/
SH256 hash:
3d07e674b3ddbf25cefc72a2ec2e2bf08d450074e285dc89ef304903b6dbbce6
MD5 hash:
bb91095a05a72d1c0557e6c73a40cd5c
SHA1 hash:
8789ca947f8c51d5b2418558f9b0cecd055a9cb1
Link:
https://www.unpac.me/results/652d08da-fa5f-43b1-bbc0-1f14834f6489/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Barys
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3d07e674b3ddbf25cefc72a2ec2e2bf08d450074e285dc89ef304903b6dbbce6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/146802/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-29 19:06:54 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
1) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
2) [F0001.009] Anti-Behavioral Analysis::Confuser
3) [C0027.001] Cryptography Micro-objective::AES::Encrypt Data
4) [C0026.002] Data Micro-objective::XOR::Encode Data