MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e73294675f42df94d101ece8c550fcfa2746ae6f8bf3261e16d315c5d8de832. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 2 File information Comments

SHA256 hash:	1e73294675f42df94d101ece8c550fcfa2746ae6f8bf3261e16d315c5d8de832
SHA3-384 hash:	5673b27f7b1ff9ca814216c9dbc42160f7ccd4580cfde8b5a3f28d9d5c556148f77b9d794aa62332efc12340bfc67f1f
SHA1 hash:	4a2ff6b9018df0b31db61ce4f5a6d844c05dc3ce
MD5 hash:	de3d6958f101e3b252f18168f240480d
humanhash:	grey-mountain-foxtrot-venus
File name:	DE3D6958F101E3B252F18168F240480D.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	839'051 bytes
First seen:	2021-09-11 16:05:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (875 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	12288:BQnk3GDYKGcbloXh8I8NrcimffmgMlKz7qwTrm3XFQYncgPa6yJggRpFs7nC:rAOcZAhrMQZNM2GwTq3XFQYcqa6lCKjC
Threatray	962 similar samples on MalwareBazaar
TLSH	T1CD050201F6C28872E4721D365A366B04AE7E7D301F28DA2FB3E44CADDA755815634BB3
dhash icon	f1f8ece470f0b0b2 (7 x NanoCore, 2 x RemcosRAT, 2 x HawkEye)
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
75.127.1.230:5552

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
75.127.1.230:5552	https://threatfox.abuse.ch/ioc/220385/

Intelligence

File Origin

# of uploads :

# of downloads :

581

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DE3D6958F101E3B252F18168F240480D.exe

Verdict:

Malicious activity

Analysis date:

2021-09-11 16:07:12 UTC

Tags:

trojan rat njrat bladabindi

Link:

https://app.any.run/tasks/ac9882a6-80cb-41ba-926e-1669a9932739

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/187076/

Detection(s):

Win.Malware.Lisk-9884866-0

Win.Malware.Lisk-9886225-0

Win.Malware.Lisk-9886840-0

Win.Malware.Lisk-9890448-0

Win.Dropper.Lisk-9890449-0

Win.Malware.Lisk-9891258-0

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file in the %temp% directory

Adding an access-denied ACE

DNS request

Connection attempt

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/101c1aa3-0306-4904-9ad9-a7e320184e42

Result

Threat name:

Njrat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/849220

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Drops PE files with a suspicious file extension

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Writes to foreign memory regions

Yara detected AntiVM autoit script

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/1e73294675f42df94d101ece8c550fcfa2746ae6f8bf3261e16d315c5d8de832/

Threat name:

Win32.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2021-09-09 00:52:00 UTC

AV detection:

14 of 28 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dzzssrtv6qw7stiqd3hiyvipz6rhi2xg7c7teypbnuyvyxmn5aza._file

Verdict:

malicious

njrat

1bda290016ee1740d9c160c85818d1859ff39402b8c412da2499703d6b5a5ccf

njrat

3afedea501a9bca64d1d400f5e3aa79e1f0d359a035d84569c123d49458425f2

njrat

64c32d82c0dd8612a93831055d36ba9b2767c213b2706212545fc80b34a4d900

njrat

80d596a7fa52a5d9b41243e03a88ba0ca560cc95219a38d764947a75f568bea1

njrat

a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183

njrat

b9b61268d1a21a119391e6316826c44425aec53a42155a7253f62639876eb687

njrat

c8c67b9895ec2b463cc43a5c9c1e32363ff1a7a061c99d01dd3de5691e9d1d47

njrat

ccca82e76f5e7fae5c3bcf6a5ff542f95ad241e2c47a00c969ddbf2f50beda25

njrat

+ 952 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:nanocore family:njrat botnet:nyan cat keylogger persistence spyware stealer suricata trojan

Link:

https://tria.ge/reports/210911-tj3sqsefam/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

NanoCore

njRAT/Bladabindi

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Malware Config

C2 Extraction:

alice2019.myftp.biz:5552

Unpacked files

SH256 hash:

41a21d108431f3ba2d59b932c00b27b7ca77a5c25dff66a0c33e3f3dd26b6a97

MD5 hash:

61d3729d68e3eafd8b04a428bebdd826

SHA1 hash:

5f0d47605c847963dd334c271d21db16d86f7154

Link:

https://www.unpac.me/results/7b7df986-0bd2-43dd-8f44-49d4dc1c9dc1/

SH256 hash:

62bbd3457129c038425f73aea95495c6db139437412c1a0308b7224efe83fd3a

MD5 hash:

27dab92b44715a4a33c7c5f10860dcf7

SHA1 hash:

18bd884ea85a4201a19b4b6978a59ca04316b61c

Link:

https://www.unpac.me/results/7b7df986-0bd2-43dd-8f44-49d4dc1c9dc1/

SH256 hash:

1e73294675f42df94d101ece8c550fcfa2746ae6f8bf3261e16d315c5d8de832

MD5 hash:

de3d6958f101e3b252f18168f240480d

SHA1 hash:

4a2ff6b9018df0b31db61ce4f5a6d844c05dc3ce

Link:

https://www.unpac.me/results/7b7df986-0bd2-43dd-8f44-49d4dc1c9dc1/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1e73294675f42df94d101ece8c550fcfa2746ae6f8bf3261e16d315c5d8de832

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/187076/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample