MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c2de35b1875197d605b226ac3a898ce2330a1b1c2b557f1931a0848f1655b27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 13

Intelligence 13 IOCs 1 YARA 10 File information Comments

SHA256 hash:	1c2de35b1875197d605b226ac3a898ce2330a1b1c2b557f1931a0848f1655b27
SHA3-384 hash:	899479a5a256b9ca28f96bc297e066021720a59a0914eb0a4289eb980605f5ef8375395d74a7d08b2193d95dc490c482
SHA1 hash:	60969d91d1045b9b725ec8ee6df47ac74f1fb68d
MD5 hash:	2d9cf7d987f8a980d0bc4c9744ee4ded
humanhash:	magnesium-foxtrot-spring-carolina
File name:	2d9cf7d987f8a980d0bc4c9744ee4ded.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	24'064 bytes
First seen:	2022-10-14 12:40:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'659 x Formbook, 12'250 x SnakeKeylogger)
ssdeep	384:isqS+ER6vRKXGYKRWVSujUtX9w6Dglo61Z5DVmRvR6JZlbw8hqIusZzZCt:9f65K2Yf1jKRpcnu1
Threatray	2'067 similar samples on MalwareBazaar
TLSH	T19BB22C4E3FA98856C9BC17748AB5955003B4D1470423EE2FCCD564CBAFB3AD92D48AF8
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13101/52/3) 8.6% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
91.109.188.15:1177

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
91.109.188.15:1177	https://threatfox.abuse.ch/ioc/888372/

Intelligence

File Origin

# of uploads :

# of downloads :

280

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/320362/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a process with a hidden window

Creating a window

Searching for synchronization primitives

DNS request

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Enabling the 'hidden' option for files in the %temp% directory

Launching the process to change the firewall settings

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe fingerprint greyware njrat packed rat stealer

Link:

https://www.filescan.io/uploads/634958dfb5f60e72b8c64120/reports/932711ce-74d0-4ace-9464-5b4e6641a991/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/37e4cf4d-b1d0-47f4-9e19-d94a4a9400b7

Result

Threat name:

njRat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1090712

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious names

Detected njRat

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Uses dynamic DNS services

Uses netsh to modify the Windows network and firewall settings

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/1c2de35b1875197d605b226ac3a898ce2330a1b1c2b557f1931a0848f1655b27/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2022-10-09 18:42:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 26 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dqw6gwyyoumx2yc3ejvmhkeyzyrtbinryk2vp4mtdieer4lflmtq._file

Verdict:

malicious

Label(s):

njrat

78393fd5184de1db0bfadf7d9f345df7eeebe0249a2c57fe315812331dc76fbe

njrat

a525db0585bb18696e68b1097470debe74c2911dcf57b39b82ab6f3d59a36f1e

njrat

a6a5d9c990f65662ccf6888c02135c6f4e267ccd0fb1e5abbbf97fa0795bf54e

njrat

b0906674cc1eaca6a373175878614cc50ea6b10e1ad7d7d6ff48c6565758c469

njrat

c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e

njrat

ee7f0f0195c2efe95d6db388a0845ff4e70ee3462bd5ba23976a08ef0eb27da4

njrat

+ 2'057 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat botnet:hacked evasion persistence trojan

Link:

https://tria.ge/reports/221014-pwrh1sdea2/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Adds Run key to start application

Modifies Windows Firewall

njRAT/Bladabindi

Malware Config

C2 Extraction:

mkgf.ddns.net:1177

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/69193cb0-3c3f-407f-91b9-96cf9e32dcee

Unpacked files

SH256 hash:

1c2de35b1875197d605b226ac3a898ce2330a1b1c2b557f1931a0848f1655b27

MD5 hash:

2d9cf7d987f8a980d0bc4c9744ee4ded

SHA1 hash:

60969d91d1045b9b725ec8ee6df47ac74f1fb68d

Detections:

win_njrat_w1

win_njrat_g1

Link:

https://www.unpac.me/results/ccea8dd1-3047-41d0-a88f-b63c57c57301/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/1c2de35b1875197d605b226ac3a898ce2330a1b1c2b557f1931a0848f1655b27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_disclosed_20180208_c Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	CN_disclosed_20180208_c_RID2E71 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	malware_Njrat_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi

Rule name:	MAL_njrat Create hunting rule
Author:	SECUINFRA Falcon Team

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_LightDefender_Njrat_Rule Create hunting rule
Author:	Skystars LightDefender
Description:	Detects Njrat

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_netsh_firewall_command Create hunting rule
Author:	SECUINFRA Falcon Team

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/320362/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample