MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e4cb5b794577345c50a2012ee0ece2301012527d17646d984a253781bcd39c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e4cb5b794577345c50a2012ee0ece2301012527d17646d984a253781bcd39c9
SHA3-384 hash: e3e101b3c70bd7a6bab11765ba8ba5507772835118bcc24e7b84a146b3c56fcf0a93197eb85322b07d83628d21b9e1c5
SHA1 hash: 6a800c4d1204aa920ce44acb9524d5578b25f44c
MD5 hash: c548d655fda3dc3d0bf721483ecd4bd0
humanhash: uncle-virginia-edward-comet
File name:5e4cb5b794577345c50a2012ee0ece2301012527d17646d984a253781bcd39c9
Download: download sample
Signature njrat
Create hunting rule
File size:1'579'077 bytes
First seen:2020-06-29 07:11:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:IAOcZwXYBD0nECFi8dTTcSjEb9ez7T3ebxhSbrbqA5LtZVdT1RuDvLNFpuRAINS:mpEMzdMSgezv3ebvSbSAfdT107Sg
Threatray 252 similar samples on MalwareBazaar
TLSH 0C752201BAC2C5F2D8721935593897217E7D7C206E24C9AFB3E45E6FEB705819234BB2
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/15491/
Detection(s):
SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e4cb5b794577345c50a2012ee0ece2301012527d17646d984a253781bcd39c9/
Threat name:
ByteCode-MSIL.Backdoor.SpyGate
Create hunting rule
Status:
Malicious
First seen:
2020-06-25 08:18:42 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
21 of 31 (67.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzglln4uk5zulrikeajo4dwoemaqcjjh2f3enwmeujjxqg6nhheq._file
Verdict:
malicious
Similar samples:
1678611ad4996f718c0a8998ce194dfe117bf47529c4ccad51a6816ecf4f1bb4
njrat
1acf4f64dbce46e70553494cf02959634528477066cc736e3f49df3bb6253923
njrat
28d1ce2d141fcfc52b6b8a81f5424920ba2818a14e8ac201446697ff977082de
njrat
2df93867afcfa816f19559f8afdc82701ff580a9c72906d2fb34b9ad9e6fb9ea
njrat
4d13350ebf3d38475a0a4a8c223fe6c06e00af3585eb499f60e29639b3944d3f
njrat
7cb987616a272b3f90faa060b9671d72cdb3c2fecd398b9c50fac1449379282b
njrat
9cd4df25010125f2ef3eeef44503b3c2b58435af758fe7213d053a60f018f3d8
njrat
9d1f32d9806bafd63451a59e1768502f31cf9dc746c9e92f62b978c1ed259497
njrat
e34ce3660cbabe945aadb571016cbd7e73ca4a7baa6e9cd64a3615b6474ccdc8
njrat
e571cd3a4c0744cb3c5443b868577adced331a7545fcb6e2ed0efbe7506a2f9b
njrat
+ 242 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence evasion
Link:
https://tria.ge/reports/200629-hrdkbgbx42/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Drops autorun.inf file
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run entry to start application
Drops startup file
Loads dropped DLL
Modifies Windows Firewall
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/15491/

Comments