MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 101bfb7953ee39065a917a37670cc43836cf5c0a938082f4038515efebddcc04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 101bfb7953ee39065a917a37670cc43836cf5c0a938082f4038515efebddcc04
SHA3-384 hash: 306997253beca4b9a909bed3a9a3cc8a2619f0df8fe66c817f09b77fb35c39baea446b6fbc73a798a1430247381eef31
SHA1 hash: 7eece547746df4e0bf108350a21af5ed68b29515
MD5 hash: b435d3782a898407600abf7d6995cc66
humanhash: asparagus-bakerloo-skylark-mango
File name:SecuriteInfo.com.Trojan.Packed2.42783.20578.22181
Download: download sample
Signature njrat
Create hunting rule
File size:666'624 bytes
First seen:2021-01-31 12:07:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:iT5Zn0lH55fOUxVcMpYiJdC9XtKdtQX5k/gndogQLH:iT5ZnwHfNbxppcgtO6gVY
Threatray 1'535 similar samples on MalwareBazaar
TLSH 5AE402022A8A8F91C978F0F61272E62D8B45F0C7BA17C339BFD83B3199129C11DDD55A
Reporter SecuriteInfoCom
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
234
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
INWARD-OUTWARD ANALYSIS.xlsx
Verdict:
Malicious activity
Analysis date:
2021-01-31 11:25:41 UTC
Tags:
encrypted opendir exploit CVE-2017-11882 loader trojan rat remcos njrat bladabindi
Link:
https://app.any.run/tasks/d47f471b-bb69-4eee-8443-08e06e187576

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/114934/
Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Sending a custom TCP request
Creating a window
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Setting a keyboard event handler
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Using the Windows Management Instrumentation requests
Connection attempt
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun
Enabling autorun by creating a file
Enabling a "Do not show hidden files" option
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Remcos njRat LimeRAT
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/594769
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture and log keystrokes
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Detected njRat
Detected Remcos RAT
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM_3
Yara detected LimeRAT
Yara detected Njrat
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 346422 Sample: SecuriteInfo.com.Trojan.Pac... Startdate: 31/01/2021 Architecture: WINDOWS Score: 100 80 ministeredelasantnj.sytes.net 2->80 102 Multi AV Scanner detection for domain / URL 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 Antivirus detection for dropped file 2->106 108 25 other signatures 2->108 10 SecuriteInfo.com.Trojan.Packed2.42783.20578.exe 15 7 2->10         started        14 svchost.exe 2->14         started        17 svchost.exe 2->17         started        19 9 other processes 2->19 signatures3 process4 dnsIp5 66 C:\Users\user\AppData\...\notepadnote.exe, PE32 10->66 dropped 68 C:\Users\...\notepadnote.exe:Zone.Identifier, ASCII 10->68 dropped 70 SecuriteInfo.com.T...42783.20578.exe.log, ASCII 10->70 dropped 126 Drops PE files to the startup folder 10->126 128 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->128 21 cmd.exe 1 10->21         started        23 notepadnote.exe 14 8 10->23         started        92 ControllerFinallineballinglove33.webredirect.org 14->92 72 C:\Users\user\Documents\ZIPXYXWIOY\Worm.exe, PE32 14->72 dropped 74 C:\Users\user\Documents\ZGGKNSUKOP\Worm.exe, PE32 14->74 dropped 76 C:\Users\user\Documents\SNIPGPPREP\Worm.exe, PE32 14->76 dropped 78 26 other files (21 malicious) 14->78 dropped 130 System process connects to network (likely due to code injection or exploit) 14->130 132 Changes security center settings (notifications, updates, antivirus, firewall) 17->132 28 MpCmdRun.exe 17->28         started        94 ControllerFinallineballinglove33.webredirect.org 19->94 96 ControllerFinallineballinglove33.webredirect.org 19->96 98 127.0.0.1 unknown unknown 19->98 file6 signatures7 process8 dnsIp9 30 conhost.exe 21->30         started        32 reg.exe 1 1 21->32         started        90 192.168.2.1 unknown unknown 23->90 58 ControllerFinallin...e33.webredirect.exe, PE32 23->58 dropped 60 C:\...\centourismeadddynamicoptional001.exe, PE32 23->60 dropped 62 C:\Users\user\...62ew-Client 1LLUV51.exe, PE32 23->62 dropped 64 C:\Users\user\...\notepadmapDSKJLKDF.exe, PE32 23->64 dropped 122 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->122 124 Injects a PE file into a foreign processes 23->124 35 conhost.exe 28->35         started        file10 signatures11 process12 signatures13 37 ControllerFinallineballinglove33.webredirect.exe 30->37         started        42 New-Client 1LLUV51.exe 18 4 30->42         started        44 centourismeadddynamicoptional001.exe 30->44         started        46 4 other processes 30->46 100 Creates an undocumented autostart registry key 32->100 process14 dnsIp15 82 ControllerFinallineballinglove33.webredirect.org 37->82 52 C:\Windows\Microsoft\svchost.exe, PE32 37->52 dropped 54 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 37->54 dropped 110 Antivirus detection for dropped file 37->110 112 Multi AV Scanner detection for dropped file 37->112 114 Creates autorun.inf (USB autostart) 37->114 120 6 other signatures 37->120 84 pastebin.com 104.23.98.190, 443, 49748 CLOUDFLARENETUS United States 42->84 56 C:\Users\user\AppData\Roaming\...\IconLib.dll, PE32 42->56 dropped 116 Protects its processes via BreakOnTermination flag 42->116 86 centourismeadddynamicoptional001.loseyourip.com 46.173.211.171, 2404, 49741, 49742 GARANT-PARK-INTERNETRU Russian Federation 44->86 118 Installs a global keyboard hook 44->118 88 ministeredelasantnj.sytes.net 194.5.98.8, 49751, 49752, 49754 DANILENKODE Netherlands 46->88 48 notepadmapDSKJLKDF.exe 46->48         started        50 notepadmapDSKJLKDF.exe 46->50         started        file16 signatures17 process18
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/101bfb7953ee39065a917a37670cc43836cf5c0a938082f4038515efebddcc04/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-01-29 12:10:37 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=can7w6kt5y4qmwurpi3wodgeha3m6xaksoaif5adquk67265zqca._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
Similar samples:
50a672f57c59c6c3658e484c1c271f358ef2a92596242c77eb8aba6b46465e97
njrat
556d51d04082d28fef125193130f91f8fa94a0e42d038310a9f631b852286f16
njrat
753883fa972dda966abb3adad3cfc94f0a82ca128d1908df58bac3ba93e60bd3
njrat
89313534a5c4579b6a00425281ef0473246cfb2340653bd3cf41b584bfa40578
njrat
8ce18c13ef4b598bba697a559c451fdfd1708e2039ec0e7c3303033b2c787fb6
njrat
9128e156ef2c0ed95d615729316ff82615354d6509e30a2e931913cb574dd4dc
njrat
abd4e6ee8152822c0545bd27a4f4c5114728873873e227044dfb48ecf1ecb37f
njrat
b34cc5e5e3b43c045bdd3a8c0966258cab4a6c602d9a9621140eeca567220acb
njrat
ca7a5346affad6a16ff2f1922db1b240a17c052c7fa1094934ca94fa0ab6883e
njrat
fba79edaa01a2f2e1175412044ac38291573e2fa5681ac8083824f285be58ea6
njrat
+ 1'525 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos persistence ransomware rat
Link:
https://tria.ge/reports/210131-1xhht1zlp6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops autorun.inf file
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon for persistence
Remcos
Malware Config
C2 Extraction:
centourismeadddynamicoptional001.loseyourip.com:2404
Unpacked files
SH256 hash:
101bfb7953ee39065a917a37670cc43836cf5c0a938082f4038515efebddcc04
MD5 hash:
b435d3782a898407600abf7d6995cc66
SHA1 hash:
7eece547746df4e0bf108350a21af5ed68b29515
Link:
https://www.unpac.me/results/769467d5-ca5b-45a3-b4ac-29d6182ae8d8/
SH256 hash:
e2b5646e959fcf2f6ed994780262e65c16cecbc9d3421ada3239f26130ebe8d1
MD5 hash:
7a13d5b7628956f87cb4f24b3e66ff5d
SHA1 hash:
5a2a3e4a70a7ef67180b6dea2273c9c3ae162f9c
Link:
https://www.unpac.me/results/769467d5-ca5b-45a3-b4ac-29d6182ae8d8/
SH256 hash:
2d0dc6216f613ac7551a7e70a798c22aee8eb9819428b1357e2b8c73bef905ad
MD5 hash:
0e362e7005823d0bec3719b902ed6d62
SHA1 hash:
590d860b909804349e0cdc2f1662b37bd62f7463
Link:
https://www.unpac.me/results/769467d5-ca5b-45a3-b4ac-29d6182ae8d8/
SH256 hash:
c06d4e3d0205d9bdd4a4b40b8da710d698b3a5d73a1626c9ca058c10b2c6d00c
MD5 hash:
7f67414b3fd29299f2d29ad7c2afb995
SHA1 hash:
2ec40d57c08c47433a6d044d271d74005dddae8d
Link:
https://www.unpac.me/results/769467d5-ca5b-45a3-b4ac-29d6182ae8d8/
SH256 hash:
d8ef0c521b65e95cb2924368a5dde964b2fea6ebdb84266a0dd804054e3f3bbc
MD5 hash:
f6d32b05fc46af18ac5fadc86df144e8
SHA1 hash:
2357eeca256fad9225f9c4bbed4d9216332a1877
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/769467d5-ca5b-45a3-b4ac-29d6182ae8d8/
SH256 hash:
89af1496d2745f4961722ecad648e33857e41f5f8e3d7372f99a6ae296f7c9e6
MD5 hash:
26b568f00cb23402964834526e0115c9
SHA1 hash:
e4815dfd1613a71cb07e14986d28a2ba5d686bac
Link:
https://www.unpac.me/results/769467d5-ca5b-45a3-b4ac-29d6182ae8d8/
SH256 hash:
b2befa16b0dd02f8e8607be33879057250a5368fd1af9c4ee07c03902407686b
MD5 hash:
aa7166013f0d20631d8ffa54b82ca2c2
SHA1 hash:
b7aa89ce56d6c5800b499b2b760284a34ee17c91
Detections:
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/769467d5-ca5b-45a3-b4ac-29d6182ae8d8/
SH256 hash:
a60900adc31e8e28ff541b91a55de5d9719c0d1ddc3022eb6f6fb5ac19cc9e4f
MD5 hash:
831fb0609b3509b4fb31ac662ac69217
SHA1 hash:
985c33fa2b01e305995e2ea166b961b01f0f6335
Link:
https://www.unpac.me/results/769467d5-ca5b-45a3-b4ac-29d6182ae8d8/
SH256 hash:
4694b430073ec9b81e3bd5e4d6a64b4d87af21212f95a36148b216bacfc93a87
MD5 hash:
144371e2847ce5ca3678a84942c17b0d
SHA1 hash:
8d2b9f9697cc9dbffa564c6c19dc67cc8f817f28
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/769467d5-ca5b-45a3-b4ac-29d6182ae8d8/
SH256 hash:
4f81e273da20c5b9835ce6ca57cc061d77764f9e3927bdb1505cb791bf50b046
MD5 hash:
29e19b5dce96140a8b90152b16bd44af
SHA1 hash:
4f3dc6eb876bb58f53966980a9c451a04ec17d8a
Link:
https://www.unpac.me/results/769467d5-ca5b-45a3-b4ac-29d6182ae8d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/101bfb7953ee39065a917a37670cc43836cf5c0a938082f4038515efebddcc04

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:MAL_Winnti_Sample_May18_1
Create hunting rule
Author:Florian Roth
Description:Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Reference:https://401trg.pw/burning-umbrella/
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 101bfb7953ee39065a917a37670cc43836cf5c0a938082f4038515efebddcc04

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/985051/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/114934/

Comments