MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f
SHA3-384 hash: 24f66b1ecc3c8fe3a2d392f83f8f34cc18eb19584624e11b30796e0b0d20a5d22be712cca34fabe0206b9aa64c34ff3f
SHA1 hash: fada8b49ca5b898c9e31bc87f2b37a267599d406
MD5 hash: 0648873dd8d00b2eca5eaa5680f7a5b6
humanhash: seventeen-single-coffee-purple
File name:0648873dd8d00b2eca5eaa5680f7a5b6.exe
Download: download sample
Signature njrat
Create hunting rule
File size:5'181'952 bytes
First seen:2022-07-06 22:25:25 UTC
Last seen:2022-07-06 22:32:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 43801be8f5954e7259ebb6bc7f6dfe40 (3 x CoinMiner, 2 x RedLineStealer, 1 x njrat)
ssdeep 98304:QiXLKPiXdvhAgGrA0nYH930RLXGNhNWaR0UcekJo/5YdEy+BwNxpURGfQghXry4p:iivhAhTLRL2Bb0Uc6mpTURQQgBuAv
Threatray 953 similar samples on MalwareBazaar
TLSH T1E336336C01E84EDCE153D37B630FC139B9B6BD6E0B46506E8F5C12D18BBE9A6A50D530
TrID 40.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
16.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
12.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
11.0% (.EXE) Win32 Executable (generic) (4505/5/1)
5.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
51.89.91.139:5050

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
51.89.91.139:5050 https://threatfox.abuse.ch/ioc/808311/

Intelligence

File Origin
# of uploads :
2
# of downloads :
344
Origin country :
n/a
Vendor Threat Intelligence
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285263/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.18804.16984.32569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching a process
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Creating a file
Sending an HTTP GET request
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Creating a window
Searching for synchronization primitives
Sending a custom TCP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/24195/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c60bfe76fa5a599448db11/reports/e23d64c2-413e-46d6-8a19-5f826afeae2c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9ca7339f-0056-4690-ac07-b4e72f7b6530
Result
Threat name:
njRat, Xmrig
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1025968
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates a thread in another existing process (thread injection)
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Creates files in the system32 config directory
Detected njRat
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Drops PE files with benign system names
Encrypted powershell cmdline option found
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Potential dropper URLs found in powershell memory
Powershell drops PE file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Drops fake system file at system root drive
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Njrat
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 658463 Sample: khUdPwVWhy.exe Startdate: 07/07/2022 Architecture: WINDOWS Score: 100 103 Snort IDS alert for network traffic 2->103 105 Malicious sample detected (through community Yara rule) 2->105 107 Antivirus detection for dropped file 2->107 109 17 other signatures 2->109 9 khUdPwVWhy.exe 2 2->9         started        13 powershell.exe 2->13         started        15 GoogleChromer.exe 2->15         started        17 2 other processes 2->17 process3 file4 81 C:\Users\user\AppData\Local\Temp\driver.exe, PE32+ 9->81 dropped 83 C:\Users\user\AppData\Local\Temp\Server.exe, PE32 9->83 dropped 131 Adds a directory exclusion to Windows Defender 9->131 19 cmd.exe 1 9->19         started        21 cmd.exe 1 9->21         started        23 cmd.exe 1 9->23         started        26 cmd.exe 1 9->26         started        133 Creates files in the system32 config directory 13->133 28 updater.exe 13->28         started        30 conhost.exe 13->30         started        signatures5 process6 signatures7 32 Server.exe 1 5 19->32         started        36 conhost.exe 19->36         started        38 driver.exe 4 21->38         started        40 conhost.exe 21->40         started        121 Adds a directory exclusion to Windows Defender 23->121 42 powershell.exe 15 23->42         started        44 conhost.exe 23->44         started        46 powershell.exe 24 26->46         started        50 2 other processes 26->50 123 Query firmware table information (likely to detect VMs) 28->123 125 Creates files in the system32 config directory 28->125 127 Writes to foreign memory regions 28->127 129 3 other signatures 28->129 48 conhost.exe 28->48         started        process8 file9 71 C:\Users\user\AppData\...behaviorgraphoogleChromer.exe, PE32 32->71 dropped 87 Antivirus detection for dropped file 32->87 89 Machine Learning detection for dropped file 32->89 52 GoogleChromer.exe 32->52         started        91 Detected unpacking (changes PE section rights) 38->91 93 Query firmware table information (likely to detect VMs) 38->93 95 Very long command line found 38->95 101 2 other signatures 38->101 57 powershell.exe 38->57         started        59 cmd.exe 38->59         started        97 Uses netsh to modify the Windows network and firewall settings 42->97 99 Modifies the windows firewall 42->99 61 netsh.exe 42->61         started        signatures10 process11 dnsIp12 85 51.89.91.139, 49769, 5050 OVHFR France 52->85 73 C:\svchost.exe, PE32 52->73 dropped 75 C:\...\5db0afc818875fbd9be3e842f2d3f24b.exe, PE32 52->75 dropped 77 C:\autorun.inf, Microsoft 52->77 dropped 111 Antivirus detection for dropped file 52->111 113 Protects its processes via BreakOnTermination flag 52->113 115 Creates autorun.inf (USB autostart) 52->115 119 4 other signatures 52->119 79 C:\Program Filesbehaviorgraphoogle\Chrome\updater.exe, PE32+ 57->79 dropped 117 Powershell drops PE file 57->117 63 conhost.exe 57->63         started        65 conhost.exe 59->65         started        67 choice.exe 59->67         started        69 conhost.exe 61->69         started        file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-07-02 18:50:31 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b5qijywzby2ctm2mykkqziy73yb77thlbmkhbe26reiw3hwqjypq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
0087b8cfcb8eeeb038ccf007e78e78c18001c79b440891853893851887e88738
njrat
1292e5a45426d40909dc8199da5fc6346a4b8a652baff6bacee9e64bb253f16c
njrat
22624e441ebb33943e4c72b4f4c3b625b0f7ec3d8b2afada33a92771144b0373
njrat
2a22805bbe73a869fc9240d722d6cfb22c582683918103bda90f3a321756c44d
njrat
329c2259d6015d98464322b873b783d18da6ac1a13d7ec40d1de9f143659b1bb
njrat
6cb0c6c55411375878184fba0feeee93c99c7f184818449e548ef875486ec38a
njrat
7cc4f1580d6f425b3025bdb83a4782bea363f6d8c1c7fa6374e159aa06327ca2
njrat
a43c0d39f01808746f82c041edad38edbb89334c098311331d3e2733824f6259
njrat
ffe8dbc4f815fe713c790a19b5122c79d1de9c817f10edf7d86ca297175ce439
njrat
+ 943 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked evasion persistence suricata trojan
Link:
https://tria.ge/reports/220706-2cg7fscae8/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops autorun.inf file
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
51.89.91.139:5050
Unpacked files
SH256 hash:
4d62a9ab6abeeafd08fc299581c0910c36ccf64178c16fc06b4a57a48858e1d4
MD5 hash:
333baef68bf06e2bff8c785f9120559d
SHA1 hash:
b605cc35ec178240b1150a81d73e58d1d9417bac
Detections:
win_njrat_g1
Create hunting rule
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/dfc6e70c-37ac-41d7-bd43-d08ac266a461/
SH256 hash:
0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f
MD5 hash:
0648873dd8d00b2eca5eaa5680f7a5b6
SHA1 hash:
fada8b49ca5b898c9e31bc87f2b37a267599d406
Link:
https://www.unpac.me/results/dfc6e70c-37ac-41d7-bd43-d08ac266a461/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0f6084e2d90e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f6084e2d90e3429b34cc2950ca31fde03ffcceb0b1470935e89116d9ed04e1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/285263/

Comments