MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11e4fe567e9f09e81d87a199b3ed94dffaf1a099a2e2c3ae3949bfdb9851655e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11e4fe567e9f09e81d87a199b3ed94dffaf1a099a2e2c3ae3949bfdb9851655e
SHA3-384 hash: 142c34b2df046841073deda7c6ca09cc7a241c0d5a7f2a8aa707627a163e383d1054defa69e9710beeedc0c4dc4f8ca3
SHA1 hash: c4ccc9f15a777ecb0611f27f2abc6f40cadf8daf
MD5 hash: 5fa8e60c26591356b8974ab975dce5ff
humanhash: high-quiet-carbon-undress
File name:11E4FE567E9F09E81D87A199B3ED94DFFAF1A099A2E2C.exe
Download: download sample
Signature njrat
Create hunting rule
File size:480'862 bytes
First seen:2021-06-02 17:26:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:mAimdYNHquiwwiXNctNy+1Oi/mPjb8y9Vcd+74S/o1Xrch0N+LDgiIxwQW5nY3Gv:m1NjHLXNkQ+cLwld4h6N+vgi7Znoip
Threatray 7 similar samples on MalwareBazaar
TLSH 79A4121217DCCA63C668C6BEE0A226E503B2AD63C202F76B2DC47CC77D757958583A53
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
93.190.143.118:443

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
93.190.143.118:443 https://threatfox.abuse.ch/ioc/69461/

Intelligence

File Origin
# of uploads :
1
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
11E4FE567E9F09E81D87A199B3ED94DFFAF1A099A2E2C.exe
Verdict:
No threats detected
Analysis date:
2021-06-02 19:00:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/0b8c536f-4cdd-4aab-bfca-1d498a827ce0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164142/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/796110
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Patcher
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 428506 Sample: 11E4FE567E9F09E81D87A199B3E... Startdate: 02/06/2021 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 13 other signatures 2->49 8 11E4FE567E9F09E81D87A199B3ED94DFFAF1A099A2E2C.exe 6 2->8         started        12 lsass.exe 2 2->12         started        14 lsass.exe 2 2->14         started        16 lsass.exe 3 2->16         started        process3 file4 35 C:\Users\user\AppData\Local\Temp\lsass.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\...\1.Patch.exe, PE32 8->37 dropped 39 11E4FE567E9F09E81D...F1A099A2E2C.exe.log, ASCII 8->39 dropped 61 Drops PE files with benign system names 8->61 18 lsass.exe 5 3 8->18         started        23 1.Patch.exe 3 8->23         started        signatures5 process6 dnsIp7 41 93.190.143.118, 443, 49736 WORLDSTREAMNL Netherlands 18->41 29 C:\...\72561e90f92655fd4d9a94fd55a753fc.exe, PE32 18->29 dropped 51 Antivirus detection for dropped file 18->51 53 Multi AV Scanner detection for dropped file 18->53 55 Protects its processes via BreakOnTermination flag 18->55 59 4 other signatures 18->59 25 netsh.exe 3 18->25         started        31 C:\Users\user\AppData\...\dup2patcher.dll, PE32 23->31 dropped 33 C:\...\C5E3399ED9A072FE864748D49BA96094.dll, PE32 23->33 dropped 57 Machine Learning detection for dropped file 23->57 file8 signatures9 process10 process11 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/11e4fe567e9f09e81d87a199b3ed94dffaf1a099a2e2c3ae3949bfdb9851655e/
Threat name:
ByteCode-MSIL.Ransomware.Enciphered
Create hunting rule
Status:
Malicious
First seen:
2021-04-30 02:43:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
28 of 28 (100.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=chsp4vt6t4e6qhmhugm3h3mu375pdiezulrmhlrzjg75xgcrmvpa._file
Verdict:
unknown
Similar samples:
086292a6bfd70867d0186a92add0deca164c0588fc37c30c4401e249c2b59257
njrat
092223938bed5fec479602f4bf2cb0fd28dd628e8754714047b0b7939cd2e298
njrat
522de9741550dc1f29b224a934ad3bd4c8454975a3e8aa3a1215cfe884eb0aff
njrat
99a6c8e156dba4fda6e2b6ca0802cc08d49556b489e97618e565768329521413
njrat
9dc88dec4a1a8fab1526dd1a856542e011b7ad5a62ec049c07d0eca58843a9f0
njrat
b31fb3832c2f366796fcc9165c60c58da5c866973377ab0d43f71586c461b8fb
njrat
fac551f8ff156743a7f41bf36684691e87dfb123c027ea0541b962b3162e4c46
njrat
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan upx
Link:
https://tria.ge/reports/210602-jepedskt7s/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
ACProtect 1.3x - 1.4x DLL software
njRAT/Bladabindi
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/11e4fe567e9f09e81d87a199b3ed94dffaf1a099a2e2c3ae3949bfdb9851655e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_SmartAssembly
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with SmartAssembly
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164142/

Comments