MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0998d0b25a6e836a7fc4c37b0b58c50cf3d3b7512c1f053eba8a0be514eeaa81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0998d0b25a6e836a7fc4c37b0b58c50cf3d3b7512c1f053eba8a0be514eeaa81
SHA3-384 hash: 81ac7ca807d12ec95c160dd1db66f243ae29f7f3467f4e3d5a95eccc80f6e6b98736b94c37072c488f6a2d5bb82ce1ca
SHA1 hash: de0571c954fba38c94c0f029e9bcba9f8e81bb25
MD5 hash: 62d1e40d03fff66fb9f6037e2a728461
humanhash: cup-network-solar-avocado
File name:0998d0b25a6e836a7fc4c37b0b58c50cf3d3b7512c1f053eba8a0be514eeaa81
Download: download sample
Signature njrat
Create hunting rule
File size:964'608 bytes
First seen:2021-09-21 08:37:37 UTC
Last seen:2021-09-21 10:17:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 113 x njrat, 80 x RedLineStealer)
ssdeep 24576:9iNnImnMPdyWif7nbLnJDojth739XdDFBOOLn:9iNBMaFkXDFL
Threatray 117 similar samples on MalwareBazaar
TLSH T1462523D3E92D352FDF279073CF26985159D2E864A8ECA3FC816309D5A11FE3E8AD0442
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
380
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7fb40d2c4011f9aa66d25183702ac6872fff070ff9c7433fab6d3785ebc95f4c
Verdict:
Suspicious activity
Analysis date:
2021-09-21 09:12:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c5112576-1c3d-40ba-bcd3-ae086d772b27

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/189772/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a7115ca2-2f79-4493-95ea-970275e74a9a
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/854714
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 487146 Sample: 6xobYgIePB Startdate: 21/09/2021 Architecture: WINDOWS Score: 100 72 Malicious sample detected (through community Yara rule) 2->72 74 Antivirus detection for dropped file 2->74 76 Antivirus / Scanner detection for submitted sample 2->76 78 10 other signatures 2->78 12 6xobYgIePB.exe 7 2->12         started        process3 file4 60 C:\Users\user\AppData\...\6xobYgIePB.exe.log, ASCII 12->60 dropped 92 Detected unpacking (changes PE section rights) 12->92 94 Detected unpacking (overwrites its own PE header) 12->94 96 Tries to evade analysis by execution special instruction which cause usermode exception 12->96 98 Hides threads from debuggers 12->98 16 server.exe 2 17 12->16         started        signatures5 process6 file7 46 C:\system.exe, PE32 16->46 dropped 48 C:\Umbrella.flv.exe, PE32 16->48 dropped 50 C:\autorun.inf, Microsoft 16->50 dropped 64 Antivirus detection for dropped file 16->64 66 Multi AV Scanner detection for dropped file 16->66 68 Creates autorun.inf (USB autostart) 16->68 70 8 other signatures 16->70 20 svchost.exe 5 16->20         started        23 netsh.exe 1 3 16->23         started        signatures8 process9 signatures10 80 Antivirus detection for dropped file 20->80 82 Multi AV Scanner detection for dropped file 20->82 84 Detected unpacking (changes PE section rights) 20->84 86 4 other signatures 20->86 25 server.exe 12 20->25         started        28 conhost.exe 23->28         started        process11 signatures12 90 Hides threads from debuggers 25->90 30 svchost.exe 4 25->30         started        34 netsh.exe 3 25->34         started        process13 file14 62 C:\Users\user\AppData\Roaming\server.exe, PE32 30->62 dropped 100 Hides threads from debuggers 30->100 36 server.exe 30->36         started        40 conhost.exe 34->40         started        signatures15 process16 file17 52 C:\Windows\SysWOW64xplower.exe, PE32 36->52 dropped 54 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 36->54 dropped 56 b8a1b8495df77c2fba...8Windows Update.exe, PE32 36->56 dropped 58 2 other malicious files 36->58 dropped 88 Hides threads from debuggers 36->88 42 netsh.exe 36->42         started        signatures18 process19 process20 44 conhost.exe 42->44         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0998d0b25a6e836a7fc4c37b0b58c50cf3d3b7512c1f053eba8a0be514eeaa81/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-09-19 02:21:55 UTC
AV detection:
29 of 45 (64.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bgmnbms2n2bwu76eyn5qwwgfbtz5hn2rfqpqkpv2rif6kfhovkaq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
27f7e212954191d2fc10676ad69942421e904a5719cb2001149de2bb38c0610f
njrat
2f09f4d2b8e06f116dd784829712dcd3bb9528e580ccf6313e4c99fbb89a7792
njrat
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
njrat
55b8b84b624767c78a3ba733e577c4bdcd41fe9efa691725376a74077314e436
njrat
7320b34e6abd124a78fbccbd688dec328c267ae7ed74c9abe2716c564074e289
njrat
aa0e55ffefa1ff8605cba0b5b6594229dfd5cd54f6354a436199a64dfc2965f0
njrat
d162aea95889e147b96c2ab4da7cf27ec2538abd149a08f96d993fb7a41b002f
njrat
e49aba40963f90a51ab8d0194a3afd9559ef5ea01939f6d73e69ca3d463dbd95
njrat
+ 107 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner
Link:
https://tria.ge/reports/210921-kjqnqsbehl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops startup file
Loads dropped DLL
Disables Task Manager via registry modification
Executes dropped EXE
Modifies Windows Firewall
xmrig
Unpacked files
SH256 hash:
0998d0b25a6e836a7fc4c37b0b58c50cf3d3b7512c1f053eba8a0be514eeaa81
MD5 hash:
62d1e40d03fff66fb9f6037e2a728461
SHA1 hash:
de0571c954fba38c94c0f029e9bcba9f8e81bb25
Link:
https://www.unpac.me/results/27ba1bc4-a5eb-4037-ba33-2bf143199ec2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0998d0b25a6e836a7fc4c37b0b58c50cf3d3b7512c1f053eba8a0be514eeaa81

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_LightDefender_Njrat_Rule
Create hunting rule
Author:Skystars LightDefender
Description:Detects Njrat
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189772/

Comments