MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 115609d14f4a464dac37711d8569fbfa88fbb9c4e42632306b43596446517f8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 115609d14f4a464dac37711d8569fbfa88fbb9c4e42632306b43596446517f8f
SHA3-384 hash: 35fa6b2a44c78dd2ebaf8e691d209904f963c4baf21d752262e05a0d906c8f5dd3a7b353679753c95761fb3a64573a60
SHA1 hash: f1fb265ddcada6ebe95d79caab7ee11784d4136c
MD5 hash: 2a6702324aee36338cd1139cc7c34ce8
humanhash: monkey-bravo-solar-west
File name:4567234.exe
Download: download sample
Signature njrat
Create hunting rule
File size:495'104 bytes
First seen:2021-08-18 05:25:48 UTC
Last seen:2021-08-18 05:51:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:mveQYcED6U9d1+qKE+tm+mTM9eGTv788EGXaieuxoL9qj6UNzTOVrtw:/DGd
Threatray 82 similar samples on MalwareBazaar
TLSH T1A8B4099C361076EFC967C872CAA82C64EA2074BB930BD603A05715EDDA0DA97DF145F3
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
79.134.225.117:2227

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.117:2227 https://threatfox.abuse.ch/ioc/191600/

Intelligence

File Origin
# of uploads :
2
# of downloads :
170
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4567234.exe
Verdict:
Malicious activity
Analysis date:
2021-08-18 05:27:06 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/a02ca731-1fbe-4027-b865-eb4a485ba620

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/180197/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.5927.9644.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a file in the Windows subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Enabling a "Do not show hidden files" option
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8b0c558c-e3fd-4c2f-aad9-b5d220579ddb
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
n/a
Score:
22 / 100
Link:
https://www.joesandbox.com/analysis/834877
Signature
Machine Learning detection for sample
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/115609d14f4a464dac37711d8569fbfa88fbb9c4e42632306b43596446517f8f/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-08-18 04:59:55 UTC
AV detection:
17 of 46 (36.96%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cflatukpjjde3lbxoeoyk2p37kepxooe4qtdemdlinmwirsrp6hq._file
Verdict:
suspicious
Similar samples:
0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712
njrat
418b71760c6de41ed293744610e252c7474decd221371ffa449411dde751be46
njrat
766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e
njrat
831d7b676bb75c44df50f40798fe739cb07d4c0b1ee217a7e8fea443f7b00346
njrat
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
njrat
bd6b76890564812dd399d1a15f8af070d44b7467ada40da9f94975e4ecf4e1e7
njrat
bedceb6fcbd83a80d95fb370f0655fc65ff2a476a97f48e8c646555e01505e78
njrat
d9d27f03e2f8bc97451296da9a7ddeac39ede3240306fa198bf898434b58c53c
njrat
e61195d0d4b897536f0cc090d36140099db443b5b913894d13cd76f7abee36b6
njrat
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
njrat
+ 72 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210818-1esv3fm5m6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
cb25a029842669da24a7342d102c4def01035245c3e8f5ee6de27cc0459e0c50
MD5 hash:
72c5a14cf5c43facfdf91defc9903f97
SHA1 hash:
bb20498c9da9fab92533f5e46155cdf3729d20eb
Link:
https://www.unpac.me/results/999ca72a-cd81-4c81-8597-ab194470852a/
SH256 hash:
d5b2af0573aecd2429db82970ae9d9615561e4c7d927438f0f46caf48607d97f
MD5 hash:
ea27e9f063486028ce36f7b62a9d8be4
SHA1 hash:
81a9e27d780a1e289ac1b8b4076dfc31e0584d86
Link:
https://www.unpac.me/results/999ca72a-cd81-4c81-8597-ab194470852a/
SH256 hash:
425722f8b07a0330890a59c7f95ddd1f2a991a373b01b8caffcd0a99c198132c
MD5 hash:
4108fc7bc1aa34f6301e4817510eb389
SHA1 hash:
c1540bc1b40bc96723a61161838ea3515f5b7c88
Link:
https://www.unpac.me/results/999ca72a-cd81-4c81-8597-ab194470852a/
SH256 hash:
ff26a689572c7a638f305ffff070acae89d91a9edf51d4f9c5a9bab7418367d4
MD5 hash:
becbc9fb75f56d24a0741bdc51a79e51
SHA1 hash:
71c249b5bff344ad1eb39d1831ecf2e088b1e969
Link:
https://www.unpac.me/results/999ca72a-cd81-4c81-8597-ab194470852a/
SH256 hash:
2f0110f8cd12772ac64df1d712bd58055ab62d431e1e3635da6989a8299ec316
MD5 hash:
1c8ed582b7a54eab2eef3d6d32c97226
SHA1 hash:
072b975d64a1e8475f414c4c3ed5c296f110862e
Link:
https://www.unpac.me/results/999ca72a-cd81-4c81-8597-ab194470852a/
SH256 hash:
115609d14f4a464dac37711d8569fbfa88fbb9c4e42632306b43596446517f8f
MD5 hash:
2a6702324aee36338cd1139cc7c34ce8
SHA1 hash:
f1fb265ddcada6ebe95d79caab7ee11784d4136c
Link:
https://www.unpac.me/results/999ca72a-cd81-4c81-8597-ab194470852a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/115609d14f4a464dac37711d8569fbfa88fbb9c4e42632306b43596446517f8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180197/

Comments