MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06aba312b446bf01180d633c94686c5ab2d102d40156b5cd9a9255cc6fd5b69c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 7 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06aba312b446bf01180d633c94686c5ab2d102d40156b5cd9a9255cc6fd5b69c
SHA3-384 hash: fe17cd581a114c33806aa74ffd1681a79cb63817ce4b45b1afb9284598153d0f05066e0156a722a1137e9fd0ec9372f0
SHA1 hash: 9b3e345ce2ead3d5964988a809df109551c1fdbb
MD5 hash: 3233acad69df2c322f902829a18a25ef
humanhash: friend-magnesium-nevada-alabama
File name:06ABA312B446BF01180D633C94686C5AB2D102D40156B.exe
Download: download sample
Signature njrat
Create hunting rule
File size:6'108'776 bytes
First seen:2021-05-06 23:47:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 98304:H5M4o1SCcMwvc4vZ4aAyfIX5dZiIp1gkm1Lvk5HEZ1jMEQ3egjOXBvdaP+vDv:HmvwvNGmfg5gkWL1QPjgdaPEDv
Threatray 9 similar samples on MalwareBazaar
TLSH A9563342FAE288B3EB17173141A9FB53CBBF75200F11E7BB63D50E94A8724D25624627
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.134.39.220:16794

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.134.39.220:16794 https://threatfox.abuse.ch/ioc/31076/

Intelligence

File Origin
# of uploads :
1
# of downloads :
200
Origin country :
n/a
Vendor Threat Intelligence
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/152239/
Detection(s):
SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/715083
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 406474 Sample: 06ABA312B446BF01180D633C946... Startdate: 07/05/2021 Architecture: WINDOWS Score: 100 42 0.tcp.ngrok.io 2->42 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for dropped file 2->54 56 10 other signatures 2->56 9 06ABA312B446BF01180D633C94686C5AB2D102D40156B.exe 8 2->9         started        12 Windows Security Health Host.exe 1 2->12         started        15 Windows Security Health Host.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 36 C:\Users\user\AppData\...\SanInjector.sfx.exe, PE32 9->36 dropped 38 C:\Users\...\ks4.021.2.16.590abru_25000.exe, PE32 9->38 dropped 19 SanInjector.sfx.exe 7 9->19         started        68 Hides threads from debuggers 12->68 signatures6 process7 file8 32 C:\Users\user\AppData\...\STInjector.exe, PE32 19->32 dropped 58 Multi AV Scanner detection for dropped file 19->58 23 STInjector.exe 1 3 19->23         started        signatures9 process10 file11 34 C:\Users\...\Windows Security Health Host.exe, PE32 23->34 dropped 60 Antivirus detection for dropped file 23->60 62 Multi AV Scanner detection for dropped file 23->62 64 Detected unpacking (changes PE section rights) 23->64 66 3 other signatures 23->66 27 Windows Security Health Host.exe 3 3 23->27         started        signatures12 process13 dnsIp14 44 0.tcp.ngrok.io 3.13.191.225, 16794, 49707, 49709 AMAZON-02US United States 27->44 46 3.134.125.175, 16794, 49708, 49710 AMAZON-02US United States 27->46 48 2 other IPs or domains 27->48 40 C:\Users\user\AppData\...\Java update.exe, PE32 27->40 dropped 70 Hides threads from debuggers 27->70 file15 signatures16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06aba312b446bf01180d633c94686c5ab2d102d40156b5cd9a9255cc6fd5b69c/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-02-20 05:41:52 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2v2gevui27qcganmm6ji2dmlkzncawuafllltm2sjk4y36vw2oa._file
Verdict:
malicious
Similar samples:
206daa7d62850c579968f14560f06ba362ded251da3a8faeb9a331dd862b970f
njrat
4824693d37ee0c444b89e21a2ae1cba396927f299e88751759635b2795c1bc96
njrat
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
njrat
798eab01e5d7f1c78e3f7db514f3611ae85e468405af144245f55c8f2657c6d9
njrat
88e03236b248d004923161c7928a1546cdffd0b6e8c30a22b1d49b05dca9b2da
njrat
9cda5e5ad6ca68a803516013fbf62e6b06383b20fccf1ee6aed4730c916a3b55
njrat
b83c0954a3138f4c18e4f6a5182768b5a1efbb13c69dcf01d63eb81f63456eda
njrat
d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a
njrat
dc8ddcd4db035fa647001a01cab6a2866d092fcaad18279835751ee0396da041
njrat
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210506-sp7mbhaa36/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
73da23ac34a91a0ef4309a00b3f8c6e33ad016a723ea2f0eabb0a427a583a2ce
MD5 hash:
1cc760ebd0a78a1a1cdc9a478ed60dd7
SHA1 hash:
d9488ee83722fbab631122cdda8ff19422a9d4f0
Link:
https://www.unpac.me/results/4338b15f-52dc-431c-9f77-e251155da215/
SH256 hash:
06aba312b446bf01180d633c94686c5ab2d102d40156b5cd9a9255cc6fd5b69c
MD5 hash:
3233acad69df2c322f902829a18a25ef
SHA1 hash:
9b3e345ce2ead3d5964988a809df109551c1fdbb
Link:
https://www.unpac.me/results/4338b15f-52dc-431c-9f77-e251155da215/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06aba312b446bf01180d633c94686c5ab2d102d40156b5cd9a9255cc6fd5b69c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Skystars_LightDefender_Njrat_Rule
Create hunting rule
Author:Skystars LightDefender
Description:Detects Njrat
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:autogenerated rule brought to you by yara-signator

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/152239/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-07 00:00:58 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
1) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
2) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
3) [C0031.001] Cryptography Micro-objective::AES::Decrypt Data
4) [C0032.001] Data Micro-objective::CRC32::Checksum
5) [C0026.002] Data Micro-objective::XOR::Encode Data
6) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
7) [F0004.007] Defense Evasion::Bypass Windows File Protection
9) [C0046] File System Micro-objective::Create Directory
10) [C0048] File System Micro-objective::Delete Directory
11) [C0047] File System Micro-objective::Delete File
12) [C0049] File System Micro-objective::Get File Attributes
13) [C0051] File System Micro-objective::Read File
14) [C0050] File System Micro-objective::Set File Attributes
15) [C0052] File System Micro-objective::Writes File
16) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
17) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
18) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
19) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
20) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
21) [C0040] Process Micro-objective::Allocate Thread Local Storage
22) [C0017] Process Micro-objective::Create Process
23) [C0038] Process Micro-objective::Create Thread
24) [C0041] Process Micro-objective::Set Thread Local Storage Value
25) [C0018] Process Micro-objective::Terminate Process