MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02e942f8c34ceff45b57b50cd0790d3139c4903c6aec68d434e97e9c334dc76c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02e942f8c34ceff45b57b50cd0790d3139c4903c6aec68d434e97e9c334dc76c
SHA3-384 hash: 11da4cfb3f414d3b6c734d3da12d04903f5c990f07dfcc9e88dc0d79e341914caa651db8d96fb7b352bb24a047218ef4
SHA1 hash: 7927739474fa15d9257a88aed3e6ff4b7f71d35f
MD5 hash: 3872b7d9cef4d1df04866406566dc610
humanhash: sierra-cardinal-johnny-vegan
File name:02e942f8c34ceff45b57b50cd0790d3139c4903c6aec68d434e97e9c334dc76c
Download: download sample
Signature njrat
Create hunting rule
File size:3'616'892 bytes
First seen:2021-09-21 08:26:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:JRe6L2b92pKOwFsPcv1sRgbecY3kusDZR+dgP/:ua292pKOwFOX0bdR+2n
Threatray 461 similar samples on MalwareBazaar
TLSH T122F53312FDD120B3D6B55C715934A6A2673E7E100F66C9DBE3A82E1EE8340C0A7357A7
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
296
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
02e942f8c34ceff45b57b50cd0790d3139c4903c6aec68d434e97e9c334dc76c
Verdict:
Malicious activity
Analysis date:
2021-09-21 10:29:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7016282a-49be-4bd4-8210-48209896d7a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189724/
Detection(s):
Win.Packed.Bladabindi-9840992-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9409f334-4323-4dbd-bb06-00e9115f2e2c
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855039
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autorun.inf (USB autostart)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487468 Sample: lf4X1KFIQM Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 75 Found malware configuration 2->75 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for dropped file 2->79 81 10 other signatures 2->81 12 lf4X1KFIQM.exe 9 2->12         started        process3 file4 55 C:\Users\user\...\Server_protected.sfx.exe, PE32 12->55 dropped 57 C:\Users\...\ks4.021.3.10.391ru_25000.exe, PE32 12->57 dropped 15 Server_protected.sfx.exe 8 12->15         started        process5 file6 59 C:\Users\user\...\Server_protected.exe, PE32 15->59 dropped 69 Multi AV Scanner detection for dropped file 15->69 71 Machine Learning detection for dropped file 15->71 19 Server_protected.exe 7 15->19         started        signatures7 process8 signatures9 83 Antivirus detection for dropped file 19->83 85 Multi AV Scanner detection for dropped file 19->85 87 Detected unpacking (changes PE section rights) 19->87 89 4 other signatures 19->89 22 server.exe 2 16 19->22         started        process10 file11 49 C:\system.exe, PE32 22->49 dropped 51 C:\Umbrella.flv.exe, PE32 22->51 dropped 53 C:\autorun.inf, Microsoft 22->53 dropped 93 Antivirus detection for dropped file 22->93 95 Multi AV Scanner detection for dropped file 22->95 97 Creates autorun.inf (USB autostart) 22->97 99 8 other signatures 22->99 26 svchost.exe 5 22->26         started        29 netsh.exe 1 3 22->29         started        signatures12 process13 signatures14 101 Antivirus detection for dropped file 26->101 103 Multi AV Scanner detection for dropped file 26->103 105 Detected unpacking (changes PE section rights) 26->105 107 4 other signatures 26->107 31 server.exe 13 26->31         started        35 conhost.exe 29->35         started        process15 file16 61 C:\Windows\SysWOW64xplower.exe, PE32 31->61 dropped 63 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 31->63 dropped 65 b8a1b8495df77c2fba...8Windows Update.exe, PE32 31->65 dropped 67 2 other malicious files 31->67 dropped 73 Hides threads from debuggers 31->73 37 svchost.exe 31->37         started        41 netsh.exe 31->41         started        signatures17 process18 file19 47 C:\Users\user\AppData\Roaming\server.exe, PE32 37->47 dropped 91 Hides threads from debuggers 37->91 43 server.exe 37->43         started        45 conhost.exe 41->45         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02e942f8c34ceff45b57b50cd0790d3139c4903c6aec68d434e97e9c334dc76c/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 02:25:43 UTC
AV detection:
21 of 45 (46.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aluuf6gdjtx7iw2xwugna6inge44jeb4nlwgrvbu5f7jym2ny5wa._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
0998d0b25a6e836a7fc4c37b0b58c50cf3d3b7512c1f053eba8a0be514eeaa81
njrat
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
njrat
583d46b7751755744e80dd76654a05d021a187d7f9da495b4a75529d9e03f3c0
njrat
64730c6f60dd679aea8d9e2f7e9d7ee6c8a3983afc347a9e00fcf32caeeaab9d
njrat
7fb40d2c4011f9aa66d25183702ac6872fff070ff9c7433fab6d3785ebc95f4c
njrat
da6e9bd269fbd3904c007d8c19272f372211b3930567d21b977d34716317143a
njrat
ebddd962e95f62c6113e46507d5c259a2f067b58829bc239ef045ae3cc4e494a
njrat
fbe0c5aab0d98f9b21b4a71dee73f37df653919ad7490966f5180eaf968780ae
njrat
+ 451 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner
Link:
https://tria.ge/reports/210921-kceynagha3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops startup file
Loads dropped DLL
Disables Task Manager via registry modification
Executes dropped EXE
Modifies Windows Firewall
xmrig
Unpacked files
SH256 hash:
3cba60c97530f67948ba0d533c014e75edb5dd7e71eecaa8bb195cb938650ec2
MD5 hash:
e3f81cabbd5b3130ff0c8daa7173ce12
SHA1 hash:
2e338483fe53f993e343005bc8f7be80c822e69c
Link:
https://www.unpac.me/results/f6451503-458c-4df3-a0a1-9f94fcb8e3ab/
SH256 hash:
02e942f8c34ceff45b57b50cd0790d3139c4903c6aec68d434e97e9c334dc76c
MD5 hash:
3872b7d9cef4d1df04866406566dc610
SHA1 hash:
7927739474fa15d9257a88aed3e6ff4b7f71d35f
Link:
https://www.unpac.me/results/f6451503-458c-4df3-a0a1-9f94fcb8e3ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02e942f8c34ceff45b57b50cd0790d3139c4903c6aec68d434e97e9c334dc76c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_LightDefender_Njrat_Rule
Create hunting rule
Author:Skystars LightDefender
Description:Detects Njrat
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189724/

Comments