MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e77593073ce7c57226c55e20d5ca2e09c84c86a083a9d56b3dd1bb732305683. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e77593073ce7c57226c55e20d5ca2e09c84c86a083a9d56b3dd1bb732305683
SHA3-384 hash: 99932c9258b8d9fde76c9725d59e66faba96adbbf3e9f2d2836534f388b1d67dfc8d9acf56a8252fd719732931f4a092
SHA1 hash: 13a637e413dcb6ee1ef3bc4434653a9c16151b1f
MD5 hash: 908bc4e4033a4107ad5696a0942b7c3e
humanhash: music-vegan-fifteen-beryllium
File name:nTGwZqW4.exe
Download: download sample
Signature njrat
Create hunting rule
File size:24'064 bytes
First seen:2020-09-12 08:17:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'653 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 384:vMQ+SAN7uprgvM5OSUswZXg69gbm4hfpFmRvR6JZlbw8hqIusZzZwd9:7OaxVULRpcnuJ
Threatray 299 similar samples on MalwareBazaar
TLSH D4B22A4E3FA98856C5BC17748AA5965003B091870423EE2FCDC550DBAFB3AD91D8CAFD
Reporter pmelson
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/58752/
Detection(s):
Win.Trojan.B-468
Create hunting rule

Win.Trojan.Ratenjay-1
Create hunting rule

Win.Trojan.Bladabindi-6192388-0
Create hunting rule

Win.Trojan.Generic-6417450-0
Create hunting rule

Win.Trojan.Generic-6454614-0
Create hunting rule

Win.Trojan.Generic-6454615-0
Create hunting rule

Win.Packed.Bladabindi-6804148-0
Create hunting rule

Win.Packed.Bladabindi-6917466-0
Create hunting rule

Win.Dropper.njRAT-7436651-0
Create hunting rule

Win.Packed.Generic-7672854-0
Create hunting rule

Win.Packed.Generic-7672855-0
Create hunting rule

Win.Packed.njRAT-7672853-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Creating a window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Threat name:
njRat BrowserPasswordDump Tool
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/464690
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Contains functionality to steal Internet Explorer form passwords
Creates autostart registry keys with suspicious names
Detected njRat
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected BrowserPasswordDump Tool by SecurityXploded
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 284753 Sample: nTGwZqW4.exe Startdate: 12/09/2020 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for dropped file 2->47 49 13 other signatures 2->49 8 nTGwZqW4.exe 1 5 2->8         started        11 Systemnet.exe 3 2->11         started        13 Systemnet.exe 2 2->13         started        15 Systemnet.exe 2 2->15         started        process3 file4 37 C:\Users\user\AppData\Roaming\Systemnet.exe, PE32 8->37 dropped 39 C:\Users\user\AppData\...\nTGwZqW4.exe.log, ASCII 8->39 dropped 17 Systemnet.exe 6 8 8->17         started        process5 dnsIp6 41 198.46.168.101, 49735, 49739, 5454 AS-COLOCROSSINGUS United States 17->41 33 C:\...\38915791aff7413adf1e4092c180246b.exe, PE32 17->33 dropped 35 C:\Users\user\AppData\...\tmp1F23.tmp.exe, PE32 17->35 dropped 51 Antivirus detection for dropped file 17->51 53 Multi AV Scanner detection for dropped file 17->53 55 Tries to steal Instant Messenger accounts or passwords 17->55 57 8 other signatures 17->57 22 tmp1F23.tmp.exe 17->22         started        25 vbc.exe 2 17->25         started        27 netsh.exe 3 17->27         started        file7 signatures8 process9 signatures10 59 Antivirus detection for dropped file 22->59 61 Multi AV Scanner detection for dropped file 22->61 63 Machine Learning detection for dropped file 22->63 65 Contains functionality to steal Internet Explorer form passwords 25->65 67 Tries to harvest and steal browser information (history, passwords, etc) 25->67 29 conhost.exe 25->29         started        31 conhost.exe 27->31         started        process11
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1e77593073ce7c57226c55e20d5ca2e09c84c86a083a9d56b3dd1bb732305683/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-09-12 08:19:04 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dz3vsmdtzz6foitmkxra2xfc4coijsdkba5j2vvt3un3omrqk2bq._file
Verdict:
malicious
Similar samples:
3b0fd1cd0eb83c48df1472510556295bb1a7552deb4f935a340043a0208829ca
njrat
48a33e9cc2edf9c3b9069b89644ff882624292692824be9218a995655458341b
njrat
56fff985f854a691d88f7775e85b4b8b822b5e17d9d52accecf70e6978ce124e
njrat
5b650ef6be4143cad97601ad536b42b14a35340a9b180dabf981f3347fa14a98
njrat
7b5fb3577e72b0b475c14e6be21d12ba40187709f11834f9de0bd5ba696b8e5e
njrat
7f151047bf16651dc37450231277d5190f7af1bad7db6b173705b3cdeb3071df
njrat
806662974bbcbfcdbb239012fb781860d4b84f6e95af9fe5f6f39d1e1fd02d19
njrat
83aaa5321d2adc81e9d5326970437de8c85105298e5ab34de6c892c4e385c18e
njrat
b3df70770623cd714096a8652b3bd2f381e9b7bb26f387933bc2e65f61b4f7cb
njrat
c5b7facb1053e87d655699925bdd6391b047aea6740e26be0806240212419a5f
njrat
+ 289 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
trojan family:njrat evasion persistence
Link:
https://tria.ge/reports/200912-g39we1jq4a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e77593073ce7c57226c55e20d5ca2e09c84c86a083a9d56b3dd1bb732305683

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 1e77593073ce7c57226c55e20d5ca2e09c84c86a083a9d56b3dd1bb732305683

(this sample)

  
Link
https://www.virustotal.com/gui/file/1e77593073ce7c57226c55e20d5ca2e09c84c86a083a9d56b3dd1bb732305683/detection
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/58752/

Comments