MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 09ba1d1497c0886120a435a4990aba55b9ee83c96b294ff66c6fac4295c8b8a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 09ba1d1497c0886120a435a4990aba55b9ee83c96b294ff66c6fac4295c8b8a1
SHA3-384 hash: 2c397fe9125b48356d4aa7d160da6e996a7af3cbdd7d40cc7e7aaf8f503b30b8d76fef6a753ed077f652eef86b0ddc80
SHA1 hash: d97eaedc6b09268a8451c6e5de6acf283bbe0f79
MD5 hash: fcf8030e2adf516ca9fde494f4fdb6ea
humanhash: alpha-jersey-undress-oven
File name:09ba1d1497c0886120a435a4990aba55b9ee83c96b294ff66c6fac4295c8b8a1
Download: download sample
Signature njrat
Create hunting rule
File size:3'608'064 bytes
First seen:2021-02-28 07:12:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:uviz/27qWGq/TzuqCDl2Ptao7jmH2aIqHNm:uviq75/TzufhXdNm
Threatray 72 similar samples on MalwareBazaar
TLSH 44F53347B9CD053BC57003B028FD23D31AA9BC7223599742B0CF758A19AA4B177B6F96
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
134
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
09ba1d1497c0886120a435a4990aba55b9ee83c96b294ff66c6fac4295c8b8a1
Verdict:
Malicious activity
Analysis date:
2021-02-28 07:48:56 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/ff1f91ab-9cf2-4695-8453-27dce1c3708e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119841/
Detection(s):
Win.Malware.Generic-6895514-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Delayed reading of the file
Searching for the window
Deleting a recently created file
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621061
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Contains functionality to spread to USB devices (.Net source)
Drops PE files to the document folder of the user
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359524 Sample: Krtw4Kl87V Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 53 4.tcp.ngrok.io 2->53 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Antivirus detection for dropped file 2->65 67 8 other signatures 2->67 11 Krtw4Kl87V.exe 1 13 2->11         started        14 rundll32.exe 2->14         started        signatures3 process4 file5 45 C:\Users\user\AppData\Local\Temp\...\CDS.exe, PE32 11->45 dropped 47 C:\Users\user\AppData\Local\...\lua51.dll, PE32 11->47 dropped 49 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 11->49 dropped 16 CDS.exe 1 3 11->16         started        process6 dnsIp7 51 192.168.2.1 unknown unknown 16->51 33 C:\Users\user\AppData\Local\...\crypted.exe, PE32 16->33 dropped 20 crypted.exe 10 16->20         started        file8 process9 file10 35 C:\Users\user\AppData\Local\...\Server.exe, PE32 20->35 dropped 69 Machine Learning detection for dropped file 20->69 24 Server.exe 1 11 20->24         started        signatures11 process12 dnsIp13 55 3.129.187.220, 11428, 49740, 49741 AMAZON-02US United States 24->55 57 3.131.147.49, 11428, 49747, 49756 AMAZON-02US United States 24->57 59 2 other IPs or domains 24->59 37 C:\Windows\SysWOW64xplower.exe, PE32 24->37 dropped 39 C:\Users\user\Favoritesxplower.exe, PE32 24->39 dropped 41 C:\Users\user\Documentsxplower.exe, PE32 24->41 dropped 43 2 other malicious files 24->43 dropped 71 Antivirus detection for dropped file 24->71 73 Multi AV Scanner detection for dropped file 24->73 75 Drops PE files to the document folder of the user 24->75 77 Machine Learning detection for dropped file 24->77 29 netsh.exe 1 3 24->29         started        file14 signatures15 process16 process17 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/09ba1d1497c0886120a435a4990aba55b9ee83c96b294ff66c6fac4295c8b8a1/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 13:58:12 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bg5b2fexycegcifegwsjscv2kw465a6jnmuu75tmn6weffoixcqq._file
Verdict:
malicious
Similar samples:
044863910e84822872c6a9d134f18db1e04b17f2641f0baa7c3aca4f5f587fbb
njrat
0d22efcba5ba1b7d3f159b2d75da6c08a81c734c9d16ea8b8e0db48602dab58b
njrat
1f02d06a14d5e83c297271a24f9dad9f28d25e387bc65784077ddc27165290b5
njrat
2432f01cd92be89d208d067815c2bd8c04c11736a3ab8fb8dbc464d1a0930a58
njrat
4671dbc33d55c1b28df97a2af222a558362ed68f24bc5a3bf433069f6d7673cb
njrat
88d7d88b3c0ededd4c99459a4231c3c4a0af8184e5e2492fce16992908f2547d
njrat
a80220c129dabdfc9a8159b120994e4e8a21b8c7a4709b8c6df717401d7b3924
njrat
ace64cbe1ef91a0b14602264fe0de8e3698cb8b901cbd6251b3fd11d87a0bef6
njrat
b0fedb5fc4232c07ff1161ddcc830cf11596ba2653cc7cea1d5666b4bab1f276
njrat
be3acd23cffe0baa73da9501728b70240077320fe57f729e46111e06ef67f2ef
njrat
+ 62 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner persistence
Link:
https://tria.ge/reports/210228-ggbll8m1gx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
xmrig
Unpacked files
SH256 hash:
9ab4ca47d4e5922b2a146be5e80a2e93117bdfca333715cf847b142fb95ccf29
MD5 hash:
462e87143d5518da2e093a1079c4f2b7
SHA1 hash:
67b41b6ee627b985f9bae4afb189e858fef12ddc
Link:
https://www.unpac.me/results/12a29801-23a7-4270-b310-b032046bc823/
SH256 hash:
1fdc710a1416e94f43713e87c24439f4d8fb95e1ab61b2821057cc8048a5342e
MD5 hash:
ab32b07528ab61b704feaf7d3a778558
SHA1 hash:
69be4009877497d1a9f8bc08d6762d1fa6f9153f
Link:
https://www.unpac.me/results/12a29801-23a7-4270-b310-b032046bc823/
SH256 hash:
0cde6653d56c9f893ac8e1936cfecb38d02ae8adf73c9b887915284384ee4f4c
MD5 hash:
8278977dba95985c4d98b726c55269c4
SHA1 hash:
1db3fc476bdd05a8d34c3f63e9e3c7e6a89aeffc
Link:
https://www.unpac.me/results/12a29801-23a7-4270-b310-b032046bc823/
SH256 hash:
09ba1d1497c0886120a435a4990aba55b9ee83c96b294ff66c6fac4295c8b8a1
MD5 hash:
fcf8030e2adf516ca9fde494f4fdb6ea
SHA1 hash:
d97eaedc6b09268a8451c6e5de6acf283bbe0f79
Link:
https://www.unpac.me/results/12a29801-23a7-4270-b310-b032046bc823/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/09ba1d1497c0886120a435a4990aba55b9ee83c96b294ff66c6fac4295c8b8a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119841/

Comments