MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c421e6eea0c7d28016da05e2be26a099f94bb355e05ed1088c2098c024760b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c421e6eea0c7d28016da05e2be26a099f94bb355e05ed1088c2098c024760b1
SHA3-384 hash: 997b82c15e7c1b39e3d12ef52c091cf58a128ece23ee0ca8946598d0aa8511a20f9e11a40b9e4752d5eb85ef2c84e626
SHA1 hash: 199d88b796e9b0673176d62c3bbd91b2abe91af4
MD5 hash: 1c21b71575b93c67fe932365f6650e46
humanhash: nitrogen-east-cat-hawaii
File name:Anast_Server1.exe
Download: download sample
Signature njrat
Create hunting rule
File size:902'979 bytes
First seen:2020-09-16 12:10:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a1a66d588dcf1394354ebf6ec400c223 (49 x RedLineStealer, 7 x CryptBot, 4 x AZORult)
ssdeep 24576:G53uhFcxKfoS4SRlEvv1qlGZa1Py747jI+1Y/Z6tUK:G5+hFkmD4ol6RZaswUFBJK
Threatray 16 similar samples on MalwareBazaar
TLSH C81512107AA825F6CC9265704E81B2999DBAF312073A07D76374264D3F733E8DB39687
Reporter JAMESWT_WT
Tags:NjRAT

Code Signing Certificate

Organisation:Microsoft Corporation
Issuer:Microsoft Code Signing PCA 2011
Algorithm:sha256WithRSAEncryption
Valid from:Mar 4 18:39:48 2020 GMT
Valid to:Mar 3 18:39:48 2021 GMT
Serial number: 3300000188AF52D6B9926DE8F9000000000188
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 6AE3F473BA70322FA133C1E95F0B3499260AF8B21B568BF240701466C9F655F7
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/62019/
Detection(s):
PUA.Win.Trojan.Generic-6843329-0
Create hunting rule

PUA.Win.Dropper.Driverpack-6931197-0
Create hunting rule

PUA.Win.Downloader.Driverpack-6998194-0
Create hunting rule

PUA.Win.File.Generic-7135455-0
Create hunting rule

PUA.Win.Adware.Generic-7505646-0
Create hunting rule

PUA.Win.File.Generic-7557964-0
Create hunting rule

SecuriteInfo.com.Artemis8A5D1E11C3D3.26302.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching cmd.exe command interpreter
Launching a process
DNS request
Delayed writing of the file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Deleting a recently created file
Enabling the 'hidden' option for recently created files
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/467772
Signature
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Certutil Command
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 286303 Sample: Anast_Server1.exe Startdate: 16/09/2020 Architecture: WINDOWS Score: 100 55 Malicious sample detected (through community Yara rule) 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected Njrat 2->59 61 4 other signatures 2->61 10 Anast_Server1.exe 7 2->10         started        process3 signatures4 69 Contains functionality to register a low level keyboard hook 10->69 13 cmd.exe 1 10->13         started        15 cmd.exe 1 10->15         started        process5 signatures6 18 cmd.exe 2 13->18         started        22 conhost.exe 13->22         started        73 Drops PE files with a suspicious file extension 15->73 24 conhost.exe 15->24         started        process7 file8 43 C:\Users\user\AppData\Local\...\explorer.com, PE32 18->43 dropped 63 Uses ping.exe to sleep 18->63 26 explorer.com 18->26         started        29 PING.EXE 1 18->29         started        32 PING.EXE 1 18->32         started        34 certutil.exe 2 18->34         started        signatures9 process10 dnsIp11 71 Drops PE files with a suspicious file extension 26->71 36 explorer.com 6 26->36         started        51 127.0.0.1 unknown unknown 29->51 53 kdCBal.hWe 32->53 signatures12 process13 dnsIp14 49 hnnGOkyapU.hnnGOkyapU 36->49 45 C:\Users\user\AppData\...\vogukSoft.com, PE32 36->45 dropped 47 C:\Users\user\AppData\...\vogukSoft.url, MS 36->47 dropped 65 Writes to foreign memory regions 36->65 67 Allocates memory in foreign processes 36->67 41 RegAsm.exe 36->41         started        file15 signatures16 process17
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1c421e6eea0c7d28016da05e2be26a099f94bb355e05ed1088c2098c024760b1/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-09-16 12:09:38 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=drbb43xkbr6sqalnubpcxytkbgpzjozvlyc62eeiyieyyashmcyq._file
Verdict:
suspicious
Similar samples:
1630f3fabf80e99d1990176b5736835496bdbd74610d1e43eefd7088e2529a6e
njrat
1db0242b6f7de2919880e833801ce2b48bbf83c136235a537b17211e1193d611
njrat
2261f624e99b92e00913fd0fc189ae96bb115b3ae5b393e0170066f032b12af1
njrat
29c0c875bd961391938a48794be49c006a1ee8c31e25a1fd5f0891f5dcd46e6c
njrat
70a71789d47c49a03c3547aec8ec74aa76c43811aacb2dd43dd455590c11a2cc
njrat
77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd
njrat
94dc4632159764895ff15118dacc7c5b4c3f84722b4ae5c89b9b120adeec92bf
njrat
cb04bfdeb1a12eaab0a0442ecdf62ce49d2c1daa5b4345412cf3462b9ab26803
njrat
ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
njrat
e832fe2b9251b58442d1c9e380ae5f5d338af57a43329f79786e333c15507ec4
njrat
+ 6 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
evasion trojan family:njrat
Link:
https://tria.ge/reports/200916-78ddn1vnba/
Behaviour
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c421e6eea0c7d28016da05e2be26a099f94bb355e05ed1088c2098c024760b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/62019/

Comments