MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0edb9b65eac66a632e3e44c385ee861d360ee50e84e314c855bcf01aa9933c50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0edb9b65eac66a632e3e44c385ee861d360ee50e84e314c855bcf01aa9933c50
SHA3-384 hash: 1780e5d2b29e9ec97fecd06cca1f385f2a6ee8422bb927e86a22d4929f7d39e13d42da7de48336b90e0eda29428158a9
SHA1 hash: 313425e540b020cec7efdaa16a869a86a0f1c525
MD5 hash: 91b9a23f8fb2ae2f0424ee0e1ba96c06
humanhash: autumn-island-item-golf
File name:0edb9b65eac66a632e3e44c385ee861d360ee50e84e314c855bcf01aa9933c50
Download: download sample
Signature njrat
Create hunting rule
File size:457'969 bytes
First seen:2020-11-12 14:32:05 UTC
Last seen:2024-07-24 11:14:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 6144:FKka54spSyQU6ywm/53RSIT+t7UUHZIoh/ipIiGK1qftoPWc9:EkPspSyQkdlT+t7DH+DpIiGKjPWc9
Threatray 424 similar samples on MalwareBazaar
TLSH 2EA4E002FAD185F2E5220936462E9B50B53D7D381F75CEABF3D82E5DD8311A0A634B63
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Emotet-9790742-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Connection attempt
Creating a window
Searching for the window
Creating a file
Running batch commands
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% directory
Creating a process with a hidden window
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/533742
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Creates autorun.inf (USB autostart)
Detected njRat
Drops PE files with benign system names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315974 Sample: bxpNJZgC3L Startdate: 13/11/2020 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 9 other signatures 2->55 11 bxpNJZgC3L.exe 4 2->11         started        process3 file4 39 C:\Charmy.sfx.exe, PE32 11->39 dropped 14 cmd.exe 1 11->14         started        process5 process6 16 Charmy.sfx.exe 3 14->16         started        20 conhost.exe 14->20         started        file7 35 C:\Charmy.exe, PE32 16->35 dropped 47 Multi AV Scanner detection for dropped file 16->47 22 Charmy.exe 1 5 16->22         started        signatures8 process9 file10 37 C:\Users\user\AppData\Roaming\server.exe, PE32 22->37 dropped 57 Antivirus detection for dropped file 22->57 59 Multi AV Scanner detection for dropped file 22->59 61 Machine Learning detection for dropped file 22->61 26 server.exe 8 22->26         started        signatures11 process12 dnsIp13 45 192.168.1.4, 5552 unknown unknown 26->45 41 C:\svchost.exe, PE32 26->41 dropped 43 C:\autorun.inf, Microsoft 26->43 dropped 63 Antivirus detection for dropped file 26->63 65 Multi AV Scanner detection for dropped file 26->65 67 Creates autorun.inf (USB autostart) 26->67 69 2 other signatures 26->69 31 netsh.exe 1 3 26->31         started        file14 signatures15 process16 process17 33 conhost.exe 31->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0edb9b65eac66a632e3e44c385ee861d360ee50e84e314c855bcf01aa9933c50/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-12 14:35:29 UTC
File Type:
PE (Exe)
Extracted files:
32
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b3nzwzpkyzvgglr6itbyl3ugdu3a5zioqtrrjscvxtybvkmthria._file
Verdict:
malicious
Similar samples:
1292e5a45426d40909dc8199da5fc6346a4b8a652baff6bacee9e64bb253f16c
njrat
22624e441ebb33943e4c72b4f4c3b625b0f7ec3d8b2afada33a92771144b0373
njrat
2a22805bbe73a869fc9240d722d6cfb22c582683918103bda90f3a321756c44d
njrat
2d6a60fa56688f81b3b1ecebf2eb1ae9b44f41a9e070916c93e3f85dd841d174
njrat
329c2259d6015d98464322b873b783d18da6ac1a13d7ec40d1de9f143659b1bb
njrat
6cb0c6c55411375878184fba0feeee93c99c7f184818449e548ef875486ec38a
njrat
8b2c5362887dbc350aae004bee2ea50b83aee63bdb1d88c2559672e9ca5b91d5
njrat
a43c0d39f01808746f82c041edad38edbb89334c098311331d3e2733824f6259
njrat
ed34d4eba0bc7d434f32bb9bca0147632592656ddf0c2aa892fbee54b0850ff1
njrat
ffe8dbc4f815fe713c790a19b5122c79d1de9c817f10edf7d86ca297175ce439
njrat
+ 414 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/201112-4g27f7qvss/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops autorun.inf file
Modifies service
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
0edb9b65eac66a632e3e44c385ee861d360ee50e84e314c855bcf01aa9933c50
MD5 hash:
91b9a23f8fb2ae2f0424ee0e1ba96c06
SHA1 hash:
313425e540b020cec7efdaa16a869a86a0f1c525
Link:
https://www.unpac.me/results/a56403ee-a42a-4cea-93d8-edec00b181a9/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments