MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 001c279ebd22809a7826920d19767d2c01b0b96c519e136ba70b0f95746ecf7e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 001c279ebd22809a7826920d19767d2c01b0b96c519e136ba70b0f95746ecf7e
SHA3-384 hash: 0b26dea87331bee55706fc34dc41a41af44d7475a10edbc6ddf63b027570167d9dfd5ffc171423e53f5ddfe47ac131a5
SHA1 hash: 09fff8e6ee469a5fe7ff2440e936e49c5f84c0e3
MD5 hash: b4400b0af4c39f3794eb4bc0abd0159b
humanhash: cardinal-zulu-stairway-nitrogen
File name:b4400b0af4c39f3794eb4bc0abd0159b.exe
Download: download sample
Signature njrat
Create hunting rule
File size:387'584 bytes
First seen:2022-04-20 14:41:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'250 x SnakeKeylogger)
ssdeep 6144:eGfixZh7X7ZUUbSNPTc9+qwtV8Ix8EPstJK3mUfiE6fevFB5Nmrq4aXvAIwiXIb:eGmh7r6NQ9oVNNstJq6EZnPTxfXg
Threatray 536 similar samples on MalwareBazaar
TLSH T17484238BC69C4B1DE04D99380CA8468056CA2821E59F9E3FD99CD7769EB1FF04FA5433
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
93.112.143.90:1194

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
93.112.143.90:1194 https://threatfox.abuse.ch/ioc/521958/

Intelligence

File Origin
# of uploads :
1
# of downloads :
413
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/265168/
Detection(s):
SecuriteInfo.com.BackDoor.Bladabindi.1311.3554.4324.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Enabling the 'hidden' option for analyzed file
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Enabling the 'hidden' option for files in the %temp% directory
Enabling the 'hidden' option for recently created files
Creating a window
Sending a custom TCP request
DNS request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62601bbd482f2f41cad9c94b/reports/30e7a9ef-85d2-4914-ab76-8a0602cf427d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ranos
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/713de6b1-09b1-4a48-8afe-33c7ef18d735
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/979705
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autorun.inf (USB autostart)
Detected unpacking (overwrites its own PE header)
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops fake system file at system root drive
Sigma detected: File Created with System Process Name
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/001c279ebd22809a7826920d19767d2c01b0b96c519e136ba70b0f95746ecf7e/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-04-16 22:12:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
454
AV detection:
33 of 42 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aaocphv5ekaju6bgsigrs5t5fqa3bolmkgpbg25hbmhzk5doz57a._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
03c797996da1b603758c6875b0dc86c8c1cf2f4f1939d25aa3874cb0fe2bf08a
njrat
5320400539e21be4eee7c8adc75f045b957d5696007adb23c0f390bcfdfea9cc
njrat
5ccee64d7cda44cac1e1ebe9be61d2888c2d28dfa0c8cf0e255fe8b153cad342
njrat
b2f0bc2708ed09126d4dcd9196b3c560622df056cd60475af82d8e998d5d45e6
njrat
cf0f62c6105ceec3db23af296678feed3ea95d14ff032223d5397c7351cfc9e0
njrat
dbc86d106d7e6993024eca3c621bd7dd84ea578903fd11a62ed3af896ef78470
njrat
e1c6d4fa79af1e7487d0238e04b466a1bd697f4250cd9e6dfbb449636a360634
njrat
+ 526 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion suricata
Link:
https://tria.ge/reports/220420-r2z4fsadan/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Checks computer location settings
Executes dropped EXE
Modifies Windows Firewall
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
Unpacked files
SH256 hash:
907c11a0522795779e64d7ed595308d69b1a44d1e313bc1b849b399bd9a7d661
MD5 hash:
03abbb567fc565769121c5a1e44e7855
SHA1 hash:
e46098127cf2703058bdf8079e00307063c70942
Detections:
win_njrat_g1
Create hunting rule
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/4eacde6b-46b8-4e96-b213-3cb820091375/
SH256 hash:
001c279ebd22809a7826920d19767d2c01b0b96c519e136ba70b0f95746ecf7e
MD5 hash:
b4400b0af4c39f3794eb4bc0abd0159b
SHA1 hash:
09fff8e6ee469a5fe7ff2440e936e49c5f84c0e3
Link:
https://www.unpac.me/results/4eacde6b-46b8-4e96-b213-3cb820091375/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/001c279ebd22809a7826920d19767d2c01b0b96c519e136ba70b0f95746ecf7e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/265168/

Comments