MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 111c25bd4cd2f4771e7fec9e564c623218e06eb1b9d839cf58a9f117b4979ac0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 13



SHA256 hash: 111c25bd4cd2f4771e7fec9e564c623218e06eb1b9d839cf58a9f117b4979ac0
SHA3-384 hash: 6b632a8f603db97c768ecf7d7328501255ba13f0ce62fdceae39e8fdf19f8d2b5fd3bc0639312b38d2d1663ae7ccf7d3
SHA1 hash: e425aa7a2907c44446f3c9f5213b10ab4774579a
MD5 hash: 7e41b02d2dc1786d5c008c127d38041f
humanhash: mexico-happy-pizza-jupiter
File name: productinfo.exe
Signature njrat
File size: 691'200 bytes
First seen: 2023-06-05 07:58:22 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:zrgDZYg3dHlWxMzIHREJVk/bq4izoW/m7R8IJJz5FJuGjNKdnzP8NWQ:zMWSdHlWxMiQW/O4ue7RjDjIAN
Threatray 2'196 similar samples on MalwareBazaar
TLSH T1A0E4F10822BADB19D47E7FFC0490A47083F4925A7556E78A0ED378DE5E74F428F0299B
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon e08c0f2322073bc0 (10 x AgentTesla, 6 x Formbook, 3 x SnakeKeylogger)
Reporter lowmal3
Tags: exe NjRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 380
Origin country: DE
Vendor Threat Intelligence
Malware family:
ID: 1
File name: productinfo.exe
Verdict: Malicious activity
Analysis date: 2023-06-05 08:01:06 UTC
Tags: rat njrat bladabindi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Sending a custom TCP request
Creating a process with a hidden window
Launching a process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: lolbin packed
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Njrat
Behaviour
Behavior Graph (ID 881638; sample: productinfo.exe; start date: 05/06/2023; architecture: WINDOWS; score: 100), recovered from the graph image:
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 5 other signatures
productinfo.exe (started): drops C:\Users\user\AppData\...\yrTsDFAlAEWX.exe (PE32), C:\Users\...\yrTsDFAlAEWX.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmpC56B.tmp (XML) and C:\Users\user\AppData\...\productinfo.exe.log (ASCII); signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign process; starts productinfo.exe, powershell.exe and schtasks.exe
yrTsDFAlAEWX.exe (started): Machine Learning detection for dropped file; starts schtasks.exe and yrTsDFAlAEWX.exe
Network: the child productinfo.exe connects from local port 49693 to 194.55.224.37 port 7777 (LVLT-10753US, Germany)
powershell.exe and each schtasks.exe instance start conhost.exe
Threat name: Win32.Trojan.OutBreak
Status: Malicious
First seen: 2023-06-05 07:59:04 UTC
File Type: PE (.Net Exe)
Extracted files: 24
AV detection: 17 of 24 (70.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:njrat botnet:hacked trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
njRAT/Bladabindi
Malware Config
C2 Extraction:
194.55.224.37:7777
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: njrat, Executable exe 111c25bd4cd2f4771e7fec9e564c623218e06eb1b9d839cf58a9f117b4979ac0 (this sample)
Delivery method: Distributed via e-mail attachment

Comments