MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d
SHA3-384 hash: e4c646b4ba714b45a50c063457100683400d9ec46173e431c38eeefc607c82c13a3fa5fb03d624c10a2faec44677848c
SHA1 hash: d6de6ea6d8deb0b700cda51e8f366d3a333ffa29
MD5 hash: aaf009498fd654fe098a30d1ec1d3120
humanhash: princess-foxtrot-sweet-glucose
File name:Request For Quotation 34333.exe
Download: download sample
Signature njrat
Create hunting rule
File size:531'515 bytes
First seen:2024-08-16 13:29:21 UTC
Last seen:2024-08-16 14:24:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3f91aceea750f765ef2ba5d9988e6a00 (45 x GuLoader, 9 x RemcosRAT, 7 x Loki)
ssdeep 6144:+xwgiJ4h+W4PQgPniiWn14owKYHvYLPG7nIsJmwu1WGFKPVMmNK1ftxU3WaN5rfx:cS4QZyn14rBHcgpJmwuAN7Cfn2v5P
TLSH T1A2B4AC0DC2716C12D56E3AB00ABADBF31D165EF99E01E6CB66C7153C2FE1109E9DB241
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 9288b6f6f088968a (4 x GuLoader, 2 x RemcosRAT, 1 x njrat)
Reporter threatcat_ch
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
459
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request For Quotation 34333.exe
Verdict:
Suspicious activity
Analysis date:
2024-08-16 13:31:16 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c4e965c9-825f-4846-9d7c-94b333bd1cae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.4677.12450.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66bf545caa5b40be0aa04a5d
Tags:
Encryption Injector
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer lolbin microsoft_visual_cc overlay packed shell32
Link:
https://www.filescan.io/uploads/66bf546932f6d05ff3ce2d64/reports/27c4b8f3-0dde-4d7c-8019-b0e88c5499cf/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2f610e0d-2d39-4901-9228-2c37f613cc33
Result
Threat name:
GuLoader, Remcos
Create hunting rule
Detection:
malicious
Classification:
troj.evad.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1493872
Signature
C2 URLs / IPs found in malware configuration
Detected Remcos RAT
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d/
Threat name:
Win32.Trojan.Guloader
Create hunting rule
Status:
Malicious
First seen:
2024-08-16 12:01:21 UTC
File Type:
PE (Exe)
Extracted files:
8
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cymrokrafms276ll5oaleh55u4hnsirxvcfhutmzb5o6o6yzm56q._file
Verdict:
unknown
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:guloader family:remcos botnet:benchao discovery downloader rat
Link:
https://tria.ge/reports/240816-qrsqys1cqk/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Guloader,Cloudeye
Remcos
Malware Config
C2 Extraction:
tochisglobal.ddns.net:6426
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b0b9a277-7036-4881-aa98-8962b05f86dd
Unpacked files
SH256 hash:
1624d9ad8b2e2658af224691263f64388ba3a997efe80011889e3c35237ce4c1
MD5 hash:
6c38da8922cc37b4bbb77de4a63ad843
SHA1 hash:
4e0533fd11df8bddbd543ed58df7b6060d9f4631
Link:
https://www.unpac.me/results/ea404ddf-410a-4962-8e7b-5a5610a93634/
SH256 hash:
92cb3b3a7280246743543325d3fe9a7d72c63227f9540d25d5ef27b2ce8856b4
MD5 hash:
af4324802813a5a897db2167fc10e291
SHA1 hash:
916bd47457dcb4247743626e86492436b77bebf8
Link:
https://www.unpac.me/results/ea404ddf-410a-4962-8e7b-5a5610a93634/
SH256 hash:
1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d
MD5 hash:
aaf009498fd654fe098a30d1ec1d3120
SHA1 hash:
d6de6ea6d8deb0b700cda51e8f366d3a333ffa29
Link:
https://www.unpac.me/results/ea404ddf-410a-4962-8e7b-5a5610a93634/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1619172a202b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

Executable exe 1619172a202b25aff96beb80b21fbda70ed92237a88a7a4d990f5de77b19677d

(this sample)

  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments