MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0986ce159690c6411d191607700d668ba4bd9364320d5ef2e118eac83c700a00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 1 File information Comments

SHA256 hash:	0986ce159690c6411d191607700d668ba4bd9364320d5ef2e118eac83c700a00
SHA3-384 hash:	3920aad250d4c8af47cdbdeff13b315085e59bf999fac18fd2988df56a1a7a5c661167725709b8ce79e301bf31689848
SHA1 hash:	f51c69f0c3ee1801bee6db8bcdf6468232453aa8
MD5 hash:	a4bf5a5d8c2f3fe0aa055b8bf1f6ecab
humanhash:	stream-maryland-louisiana-nitrogen
File name:	a4bf5a5d8c2f3fe0aa055b8bf1f6ecab.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	765'440 bytes
First seen:	2021-04-02 22:50:36 UTC
Last seen:	2021-04-02 23:40:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	3072:XpYP/lpZD4adhbUdeW6a0bzw6pEOhzVDZqaVZuWBGgXEVxbdK6wYkqfBn88qcf5A:YHxFHhpoavBGgXwxyYkG53behyvHLz7
Threatray	9 similar samples on MalwareBazaar
TLSH	73F43FA96F4812B4E96633FFD493E23430D94C4A56C125069F773EB5393126BED8A0CE
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
23.105.131.228:5355

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
23.105.131.228:5355	https://threatfox.abuse.ch/ioc/6587/

Intelligence

File Origin

# of uploads :

# of downloads :

273

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a4bf5a5d8c2f3fe0aa055b8bf1f6ecab.exe

Verdict:

Malicious activity

Analysis date:

2021-04-02 22:52:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cadca866-a410-40dc-ad7c-3742f156614e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/131887/

Detection(s):

SecuriteInfo.com.Trojan.Siggen12.64293.2794.13970.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a process with a hidden window

DNS request

Connection attempt

Launching the process to change the firewall settings

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3174b37e-21a3-47d1-99d9-d8d0da575a44

Result

Threat name:

Njrat

Detection:

malicious

Classification:

troj.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/663992

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Uses netsh to modify the Windows network and firewall settings

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/0986ce159690c6411d191607700d668ba4bd9364320d5ef2e118eac83c700a00/

Threat name:

ByteCode-MSIL.Downloader.Starpast

Status:

Malicious

First seen:

2021-04-01 16:42:08 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 29 (62.07%)

Threat level:

3/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bgdm4fmwsddechizcydxadlgrosl3e3egigv54xbddvmqpdqbiaa._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

njrat

3764a8690d829b849cc82babfb6dc75a3b6f812e46d3d9535c380c187534094e

njrat

5c883c457a3dc0ddd6ae66380087c57fb714bdf90ff79185ae0cac329677fe26

njrat

66b8f85747edc77fbfabe6b383e11e5284b185dab2257b7c2a127fbfda839edc

njrat

7297affe06d6f843e71152ada6b71cda08574fbaa99fd1a7ed1677ef9063af51

njrat

982740e7a2356681590bcd8cecc21a1d9e4e3df4590cf78a05f11bf105dc5423

njrat

9f9592b365cc2cad5047e0392aa4dc778d1b48e2e6f25856966aa6a11b814d2a

njrat

aa6048f1b4c756dd7ecf4d78af9a5ea07cc7d2d43817c1bae77c38a5391cded9

njrat

eddd51c800bcea950c5ecb68356c2031f0903a5a070b108ac87a9eb1289588eb

njrat

Result

Malware family:

n/a

Score:

8/10

Tags:

evasion

Link:

https://tria.ge/reports/210402-mv77612gje/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Drops startup file

Modifies Windows Firewall

Unpacked files

SH256 hash:

870a3bad9ea66e746b8812d8a4c033b004de2c06fcad3b8aa35d78f708c667bd

MD5 hash:

01d50ec797b41b4e921788bb4719aa83

SHA1 hash:

7186a4692962d18b8856f79fc13e9ebbcea6595a

Detections:

win_njrat_w1

win_njrat_g1

Link:

https://www.unpac.me/results/d51f47e9-9a31-47fa-a58c-7f5798e6671e/

SH256 hash:

0986ce159690c6411d191607700d668ba4bd9364320d5ef2e118eac83c700a00

MD5 hash:

a4bf5a5d8c2f3fe0aa055b8bf1f6ecab

SHA1 hash:

f51c69f0c3ee1801bee6db8bcdf6468232453aa8

Link:

https://www.unpac.me/results/d51f47e9-9a31-47fa-a58c-7f5798e6671e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.49

Link:

https://yomi.yoroi.company/submissions/0986ce159690c6411d191607700d668ba4bd9364320d5ef2e118eac83c700a00

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/131887/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample