MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16180e400977cc0b4b678d80df6c397aa18c84453010117659a8b34ab18d1491. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 16


Intelligence 16 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16180e400977cc0b4b678d80df6c397aa18c84453010117659a8b34ab18d1491
SHA3-384 hash: b3e5480fb0f37bd477d86b3d4f1c348d73ba058f1f1727a3d5175771a356aec140d87838dbc65d423c7fbb748879cd3a
SHA1 hash: c4a98006c5741bc85dbb4842e609f0540adb0991
MD5 hash: 5d039fea0ea1ad9dbdb3b9b3075bd3a0
humanhash: wolfram-speaker-papa-pluto
File name:16180e400977cc0b4b678d80df6c397aa18c84453010117659a8b34ab18d1491
Download: download sample
Signature njrat
Create hunting rule
File size:9'166'621 bytes
First seen:2024-12-05 15:58:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b0b97d1a91a2730b3daa8bbb2e86b402 (7 x njrat)
ssdeep 196608:hCbGPZmVfjsCbGPZmVfjiCbGPZmVfjsCbGPZmVfj2CbGPZmVfjsCbGPZmVfjiCb1:0GmVNGmVrGmVNGmVnGmVNGmVrGmVNGmZ
TLSH T19996CF12B7D740FAEDA339701977E32B9B357618533AC5CBEFE02E618E111409A39366
TrID 63.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
11.6% (.EXE) Win64 Executable (generic) (10522/11/4)
7.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
5.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
File icon (PE):PE icon
dhash icon d4dcd4d4ccc4c4c4 (3 x njrat)
Reporter adrian__luca
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
467
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
16180e400977cc0b4b678d80df6c397aa18c84453010117659a8b34ab18d1491.exe
Verdict:
Malicious activity
Analysis date:
2024-12-05 17:13:42 UTC
Tags:
autoit njrat
Link:
https://app.any.run/tasks/2a9a8289-296e-473e-8f8d-f8cbd527ca82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Autoit-6996111-0
Create hunting rule

Win.Trojan.Autoit-6996115-1
Create hunting rule

Win.Dropper.DarkKomet-10022708-0
Create hunting rule

Win.Malware.Bladabindi-6887918-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6751cdda12e85e185e764205
Tags:
bladabindi autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Сreating synchronization primitives
Launching a process
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Searching for synchronization primitives
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Query of malicious DNS domain
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit bladabindi fingerprint keylogger microsoft_visual_cc njrat overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/6751cdd73a8fa052799a8ac6/reports/b5b95185-9418-4d9d-a15c-2fd43078fdfb/overview
Verdict:
Malicious
Labled as:
Trojan.AutoIT.Generic
Link:
https://www.hybrid-analysis.com/sample/16180e400977cc0b4b678d80df6c397aa18c84453010117659a8b34ab18d1491
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3d377e74-c9e1-4272-9b3e-b306b815bea4
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1569338
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Creates autostart registry keys with suspicious names
Disables zone checking for all users
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1569338 Sample: 5Npa6mwGXW.exe Startdate: 05/12/2024 Architecture: WINDOWS Score: 100 63 youri.mooo.com 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 Multi AV Scanner detection for submitted file 2->67 69 Machine Learning detection for sample 2->69 71 AI detected suspicious sample 2->71 10 5Npa6mwGXW.exe 1 3 2->10         started        14 winmgr107.exe 2->14         started        16 winmgr107.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 file5 57 C:\ProgramData\winmgr107.exe, PE32 10->57 dropped 59 C:\Users\...\5Npa6mwGXW.exe:Zone.Identifier, ASCII 10->59 dropped 61 C:\ProgramData\5Npa6mwGXW.exe.txt, Non-ISO 10->61 dropped 87 Creates autostart registry keys with suspicious names 10->87 20 winmgr107.exe 1 10->20         started        24 cmd.exe 3 2 10->24         started        signatures6 process7 file8 55 C:\...\winmgr107.exe:Zone.Identifier, ASCII 20->55 dropped 73 Antivirus detection for dropped file 20->73 75 Multi AV Scanner detection for dropped file 20->75 77 Machine Learning detection for dropped file 20->77 79 6 other signatures 20->79 26 RegAsm.exe 3 4 20->26         started        29 schtasks.exe 1 20->29         started        31 schtasks.exe 1 20->31         started        37 16 other processes 20->37 33 notepad.exe 24->33         started        35 conhost.exe 24->35         started        signatures9 process10 signatures11 81 Disables zone checking for all users 26->81 83 Uses netsh to modify the Windows network and firewall settings 26->83 85 Modifies the windows firewall 26->85 39 netsh.exe 2 26->39         started        41 conhost.exe 29->41         started        43 conhost.exe 31->43         started        45 conhost.exe 37->45         started        47 conhost.exe 37->47         started        49 conhost.exe 37->49         started        51 13 other processes 37->51 process12 process13 53 conhost.exe 39->53         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/16180e400977cc0b4b678d80df6c397aa18c84453010117659a8b34ab18d1491
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/16180e400977cc0b4b678d80df6c397aa18c84453010117659a8b34ab18d1491/
Threat name:
Win32.Backdoor.njRAT
Create hunting rule
Status:
Malicious
First seen:
2024-11-27 20:54:00 UTC
File Type:
PE (Exe)
Extracted files:
61
AV detection:
24 of 24 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cyma4qajo7gaws3hrwan63bzpkqyzbcfgaibc5szvczuvmmncsiq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
admintool_powerrun
Create hunting rule
Similar samples:
error
njrat
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:jjj defense_evasion discovery evasion persistence privilege_escalation trojan
Link:
https://tria.ge/reports/241205-te38ps1net/
Behaviour
Modifies registry class
NTFS ADS
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Subvert Trust Controls: Mark-of-the-Web Bypass
AutoIT Executable
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Njrat family
njRAT/Bladabindi
Malware Config
C2 Extraction:
youri.mooo.com:1605
Verdict:
Malicious
Tags:
Win.Trojan.Autoit-6996111-0
YARA:
n/a
Link:
https://app.threat.zone/submission/b59a5db2-2861-42e9-ba7d-871e5e4eefe5
Unpacked files
SH256 hash:
2d11e35718e91e56fcd2391c2ca69aed75658e5432fa757fdfd27424eadda327
MD5 hash:
8a82e8b3fdcf7b8cc7278e1af792a017
SHA1 hash:
cde5da878c06e05ede06815790f21ff8a7a438a8
Detections:
NjRat
Create hunting rule
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Njrat
Create hunting rule
win_njrat_bytecodes_oct_2023
Create hunting rule
MALWARE_Win_NjRAT
Create hunting rule
CN_disclosed_20180208_c
Create hunting rule
win_njrat_strings_oct_2023
Create hunting rule
Link:
https://www.unpac.me/results/edc9fccf-8e1e-47d7-8342-69f6a6331673/
Parent samples :
1b10bef23627d776d4038e05f01e77b49e527a45b798824515b20e30f6d8c5a0
16180e400977cc0b4b678d80df6c397aa18c84453010117659a8b34ab18d1491
SH256 hash:
16180e400977cc0b4b678d80df6c397aa18c84453010117659a8b34ab18d1491
MD5 hash:
5d039fea0ea1ad9dbdb3b9b3075bd3a0
SHA1 hash:
c4a98006c5741bc85dbb4842e609f0540adb0991
Link:
https://www.unpac.me/results/edc9fccf-8e1e-47d7-8342-69f6a6331673/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIt
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:AutoIT packer
Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:YahLover
Create hunting rule
Author:Kevin Falcoz
Description:YahLover

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::CopySid
ADVAPI32.dll::GetLengthSid
ADVAPI32.dll::GetAce
USER32.dll::GetUserObjectSecurity
ADVAPI32.dll::InitializeAcl
ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CLSIDFromProgID
ole32.dll::CoCreateInstance
ole32.dll::CoCreateInstanceEx
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
MULTIMEDIA_APICan Play MultimediaWINMM.dll::mciSendStringW
WINMM.dll::timeGetTime
WINMM.dll::waveOutSetVolume
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AddAce
ADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetAclInformation
ADVAPI32.dll::GetSecurityDescriptorDacl
ADVAPI32.dll::GetTokenInformation
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
KERNEL32.dll::CreateProcessW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetDriveTypeW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleA
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA
KERNEL32.dll::DeleteFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::GetUserNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetAddConnection2W
MPR.dll::WNetUseConnectionW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegConnectRegistryW
ADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::UnlockServiceDatabase
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BlockInput
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::FindWindowW

Comments