MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0740ff92adebf32666b8be1b03ca66d0b99c8c9b2ce332480b26b202c54efb72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0740ff92adebf32666b8be1b03ca66d0b99c8c9b2ce332480b26b202c54efb72
SHA3-384 hash: 89cbab99293f7460dbaffb6546471d4b66237f554490117312f5d711690d5f54cba276a045ca7bb910e00aa84b0968e0
SHA1 hash: 62ecfa73330d1e0a98c538818dffeece611f2e8c
MD5 hash: 6ee5fc59a1d7c232aecfbbaf4287a35e
humanhash: river-alpha-may-november
File name:0740ff92adebf32666b8be1b03ca66d0b99c8c9b2ce332480b26b202c54efb72
Download: download sample
Signature njrat
Create hunting rule
File size:437'864 bytes
First seen:2020-11-14 17:54:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fc6683d30d9f25244a50fd5357825e79 (92 x Formbook, 52 x AgentTesla, 23 x SnakeKeylogger)
ssdeep 12288:aYV6MorX7qzuC3QHO9FQVHPF51jgcNkeRG9FG:JBXu9HGaVHNkG+G
Threatray 1'724 similar samples on MalwareBazaar
TLSH 779412D17FED9619E0F21BB1ED3AA0605822BCA2DE38D74D2154BA5D6D35F90CC62332
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Malware.Autoit-6968584-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Enabling the 'hidden' option for recently created files
Launching a process
Creating a process with a hidden window
DNS request
Launching the process to change the firewall settings
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/536283
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary is likely a compiled AutoIt script file
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 317240 Sample: SmS7V2sHc3 Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 32 ginam2525.kro.kr 2->32 36 Malicious sample detected (through community Yara rule) 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 9 other signatures 2->42 9 SmS7V2sHc3.exe 4 2->9         started        13 wscript.exe 1 2->13         started        signatures3 process4 file5 30 C:\Users\user\archiveint\wifitask.exe, PE32 9->30 dropped 52 Binary is likely a compiled AutoIt script file 9->52 54 Contains functionality to inject code into remote processes 9->54 56 Writes to foreign memory regions 9->56 58 2 other signatures 9->58 15 RegSvcs.exe 3 4 9->15         started        18 wifitask.exe 13->18         started        signatures6 process7 dnsIp8 34 ginam2525.kro.kr 15->34 22 netsh.exe 1 3 15->22         started        28 C:\Users\user\...\AppVDllSurrogate.url, MS 18->28 dropped 44 Antivirus detection for dropped file 18->44 46 Writes to foreign memory regions 18->46 48 Allocates memory in foreign processes 18->48 50 Injects a PE file into a foreign processes 18->50 24 RegSvcs.exe 3 18->24         started        file9 signatures10 process11 process12 26 conhost.exe 22->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0740ff92adebf32666b8be1b03ca66d0b99c8c9b2ce332480b26b202c54efb72/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 17:55:11 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a5ap7evn5pzsmzvyxynqhstg2c4zzde3ftrtesale2zafrko7nza._file
Verdict:
malicious
Similar samples:
01358d994a9b8492098755032c39464908e6559899314a3bbee6bf1aa530c9ce
njrat
4e841bebe76a59f454a911753d8d7fd9bfb082722ccd4dbf69316ceacf1363e9
njrat
592860b73161414eaddbde6679f9ad1771bff2e432a598d6cae471a6564fc0af
njrat
828ed2a9805c6b100ffc5317bb3b3de97e49fd20589ab0335da29d042d705b08
njrat
87902fd490b189d4ceb81a430fd47d852bf503f373c6ff3caa70a80a9c7d56c6
njrat
a6523723ed424d8f2f640f374f145af0839f1d114cc9788d902f5a64a3ccb3a5
njrat
d0efa3ab13db442fa9d9958083f1bb9891ea29d8055f193e38cf0f4ec80498c4
njrat
d594da22a71e20db228fa34aaf397bcde745cf987612a70473aee642ad38729c
njrat
e3deba276ca79cf6617fe6ba8f2c414d5fd078a82c87f3e6a62c7316095430c2
njrat
fe4ac58f37f9a49960cdd331a74ceabc5a504e6e87669d668b20d14ffae27ce9
njrat
+ 1'714 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan upx
Link:
https://tria.ge/reports/201114-yfnwfa4wp2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Drops startup file
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
SH256 hash:
0740ff92adebf32666b8be1b03ca66d0b99c8c9b2ce332480b26b202c54efb72
MD5 hash:
6ee5fc59a1d7c232aecfbbaf4287a35e
SHA1 hash:
62ecfa73330d1e0a98c538818dffeece611f2e8c
Link:
https://www.unpac.me/results/f5b6c3de-0c0b-48c3-93da-49269d076b89/
SH256 hash:
e11352e17e436df02ca9727b4bfe0b35c84f5312994ba82e317168dc563c732c
MD5 hash:
6666fd5b54368156fa30a8dbeeed1fc2
SHA1 hash:
ee7b86a9418117b4d7bfe77d6d0b3e28260897f5
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/f5b6c3de-0c0b-48c3-93da-49269d076b89/
Parent samples :
fe4ac58f37f9a49960cdd331a74ceabc5a504e6e87669d668b20d14ffae27ce9
0740ff92adebf32666b8be1b03ca66d0b99c8c9b2ce332480b26b202c54efb72
SH256 hash:
67a117d7605af7afe46f4486d9fa02e80860eb88b28f83ae167fd0ccbdfd5209
MD5 hash:
a075acb3feb69e54e8d1dd4eb73b1eeb
SHA1 hash:
0ecb2980d2257bc24cb17edfd371f0702b74a163
Link:
https://www.unpac.me/results/f5b6c3de-0c0b-48c3-93da-49269d076b89/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0740ff92adebf32666b8be1b03ca66d0b99c8c9b2ce332480b26b202c54efb72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments