MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75bc87dafaa424cba64308b349fc324d263e2a3e267c59962a79da9005caafb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75bc87dafaa424cba64308b349fc324d263e2a3e267c59962a79da9005caafb4
SHA3-384 hash: 7de135a971780e2e7c7591581873b04dcbf672563529dbdb8e30bf7070663e8dbae4ff013f21d65b1cd70ef04aed2dc2
SHA1 hash: 9a07368700c515cf1060a4c83826099ea99e118c
MD5 hash: 80b49164d05519f4b0ab83c4cf4d4aa5
humanhash: charlie-mountain-network-sodium
File name:75bc87dafaa424cba64308b349fc324d263e2a3e267c59962a79da9005caafb4
Download: download sample
Signature njrat
Create hunting rule
File size:14'618'659 bytes
First seen:2020-11-11 11:33:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b41dd3d4e1dbc3e69775db36ed00fe8d (4 x njrat)
ssdeep 393216:GyC5dfFZ8R3oEAeVc4i7Ht7H7J8fa12xZrZlwg7Z:G/rb8R3oEs4QABbbrZ
TLSH 82E6226137D6803BE17F1B30196DD29A95B9B9607FB3889B63C81B3D1E708924531EB3
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/532387
Signature
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Creates autostart registry keys with suspicious names
Creates files in alternative data streams (ADS)
Drops PE files with benign system names
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315295 Sample: sBjagOXL7r Startdate: 12/11/2020 Architecture: WINDOWS Score: 60 96 Malicious sample detected (through community Yara rule) 2->96 98 Multi AV Scanner detection for submitted file 2->98 100 Yara detected Njrat 2->100 102 10 other signatures 2->102 8 setup.exe 2 7 2->8         started        13 HS8Setup32.exe 2->13         started        15 sBjagOXL7r.exe 28 2->15         started        17 9 other processes 2->17 process3 dnsIp4 92 192.168.2.1 unknown unknown 8->92 70 C:\ProgramData\svchost.exe, PE32 8->70 dropped 72 HyperSnap 8.15 (X8...-4E00-630051004E00}, ASCII 8->72 dropped 112 Creates files in alternative data streams (ADS) 8->112 19 svchost.exe 4 4 8->19         started        74 C:\Users\user\AppData\Local\...\msvcr120.dll, PE32+ 13->74 dropped 76 C:\Users\user\AppData\Local\...\msvcp120.dll, PE32+ 13->76 dropped 78 C:\Users\user\AppData\Local\...\mfc120u.dll, PE32+ 13->78 dropped 84 28 other files (none is malicious) 13->84 dropped 23 setup.exe 13->23         started        80 C:\Users\user\AppData\Local\...\shi3D43.tmp, PE32 15->80 dropped 82 C:\Users\user\AppData\Local\...\MSI3DFF.tmp, PE32 15->82 dropped 26 msiexec.exe 10 15->26         started        28 cmd.exe 15->28         started        30 cmd.exe 15->30         started        94 127.0.0.1 unknown unknown 17->94 file5 signatures6 process7 dnsIp8 90 arrab.publicvm.com 82.199.217.75, 1177 ASIACELLIQ Iraq 19->90 104 System process connects to network (likely due to code injection or exploit) 19->104 106 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->106 108 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->108 110 2 other signatures 19->110 32 netsh.exe 19->32         started        54 C:\Program Files (x86)\...\msvcr120.dll, PE32+ 23->54 dropped 56 C:\Program Files (x86)\...\msvcp120.dll, PE32+ 23->56 dropped 58 C:\Program Files (x86)\...\mfc120u.dll, PE32+ 23->58 dropped 66 27 other files (none is malicious) 23->66 dropped 34 iexplore.exe 23->34         started        37 regsvr32.exe 23->37         started        39 HprSnap8.exe 23->39         started        60 C:\Users\user\AppData\Local\...\MSI49BA.tmp, PE32 26->60 dropped 62 C:\Users\user\AppData\Local\...\MSI48BF.tmp, PE32 26->62 dropped 64 C:\Users\user\AppData\Local\...\MSI488F.tmp, PE32 26->64 dropped 68 2 other files (none is malicious) 26->68 dropped 41 conhost.exe 28->41         started        43 attrib.exe 28->43         started        45 conhost.exe 30->45         started        file9 signatures10 process11 dnsIp12 47 conhost.exe 32->47         started        88 www.hyperionics.com 34->88 49 iexplore.exe 34->49         started        52 regsvr32.exe 37->52         started        process13 dnsIp14 86 www.hyperionics.com 207.198.108.61, 49750, 49751, 49752 COGECO-PEER1CA Canada 49->86
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/75bc87dafaa424cba64308b349fc324d263e2a3e267c59962a79da9005caafb4/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-11-11 11:37:23 UTC
AV detection:
26 of 48 (54.17%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ow6ipwx2uqsmxjsdbczut7bsjutd4kr6ez6ftfrkphnjabokv62a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/201111-1xapl9r4ta/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
JavaScript code in executable
Loads dropped DLL
Unpacked files
SH256 hash:
75bc87dafaa424cba64308b349fc324d263e2a3e267c59962a79da9005caafb4
MD5 hash:
80b49164d05519f4b0ab83c4cf4d4aa5
SHA1 hash:
9a07368700c515cf1060a4c83826099ea99e118c
Link:
https://www.unpac.me/results/f7924454-bcd8-4726-a416-e05cc401a0a9/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments