MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20b9ec5a56219d5254b07c32c45c34eac8017ed9cb8335eb2c6f5312b9ea44ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20b9ec5a56219d5254b07c32c45c34eac8017ed9cb8335eb2c6f5312b9ea44ff
SHA3-384 hash: 47a0c94900da2e8aa07bdd89bb3b0315a6415679efbab3f6ccbda240de8d915f60dacbefb1aa167e45e361cd13ecdce8
SHA1 hash: 1163b83e1b33a60f835a9cd9087743f6a8878437
MD5 hash: cd86589f7c942614837268fc639fe910
humanhash: nebraska-vermont-wisconsin-vegan
File name:TT(12-06-2020).exe
Download: download sample
Signature njrat
Create hunting rule
File size:677'888 bytes
First seen:2020-12-07 08:54:04 UTC
Last seen:2020-12-07 10:41:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:NouiejeZITKsQZcCZY5FPnVzMv9BX5Kgq:NoDdvZYjZMvHHq
Threatray 401 similar samples on MalwareBazaar
TLSH 1DE47C313A405993C5F9ABF54214A160CF766E2B296DE2C86CC23EDF35F2F534949A23
Reporter ffforward
Tags:bladabindi exe NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
897
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TT(12-06-2020).exe
Verdict:
Malicious activity
Analysis date:
2020-12-07 08:54:57 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/f8bf2a63-0c92-42ee-95be-445141126391

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106999/
Detection(s):
SecuriteInfo.com.Generic.mg.cd86589f7c942614.31420.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Gathering data
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/556690
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 327443 Sample: TT(12-06-2020).exe Startdate: 07/12/2020 Architecture: WINDOWS Score: 100 47 officeee.tk 2->47 53 Malicious sample detected (through community Yara rule) 2->53 55 Sigma detected: Scheduled temp file as task from temp location 2->55 57 Detected njRat 2->57 59 11 other signatures 2->59 11 TT(12-06-2020).exe 6 2->11         started        signatures3 process4 dnsIp5 51 192.168.2.1 unknown unknown 11->51 41 C:\Users\user\AppData\...\vBaCRwnnxW.exe, PE32 11->41 dropped 43 C:\Users\user\AppData\Local\...\tmp1EDC.tmp, XML 11->43 dropped 45 C:\Users\user\...\TT(12-06-2020).exe.log, ASCII 11->45 dropped 65 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 11->65 16 TT(12-06-2020).exe 1 2 11->16         started        19 schtasks.exe 1 11->19         started        file6 signatures7 process8 file9 39 C:\Users\user\AppData\Roaming\server.exe, PE32 16->39 dropped 21 server.exe 5 16->21         started        24 conhost.exe 19->24         started        process10 signatures11 61 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->61 63 Machine Learning detection for dropped file 21->63 26 server.exe 2 2 21->26         started        29 schtasks.exe 1 21->29         started        31 server.exe 21->31         started        33 conhost.exe 24->33         started        process12 dnsIp13 49 officeee.tk 37.46.150.178, 49732, 49733, 49734 IWAYCH Moldova Republic of 26->49 35 netsh.exe 1 3 26->35         started        process14 process15 37 conhost.exe 35->37         started       
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/20b9ec5a56219d5254b07c32c45c34eac8017ed9cb8335eb2c6f5312b9ea44ff/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-12-07 08:55:06 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ec46ywswegovevfqpqzmixbu5leac7wzzobtl2zmn5jrfopkit7q._file
Verdict:
malicious
Similar samples:
1c6e9570729c4d4d1700f1a3b936308966a5164c1959157da7904f5de40a9f18
njrat
2f5cd6b013a52c1946739554d64f35f0af679025755c2191811045833d3ce7a4
njrat
45db04125ffed825431a746e397c7c1fb4fb3ccf8768701d791847df9e9d09ee
njrat
4d742fd1047a6a9d019de5deceaae8896d5cee545392b37afab84d29efdcb470
njrat
975d36217950a31fa9591d0ad5236f8817f4f51c5d23f01e88c5684dd197cb15
njrat
c2fad2f1da50fadaeb21235a2f1ab6ca135174b10c0f7e499bf9f7bb1d03daf2
njrat
c69e882c771b1818558a97832a4ffc97db0ca2bdca969abcae1b1b9094123b0b
njrat
d79ac65fba80d34f0012d82182dd67ca707475ff4628bf5012d2a3d4db7d413b
njrat
d809df216f28368e1bc3de96702139476f8f2364d2d6e82dec7a540815bc83c0
njrat
e01cfde284baf9742419669d25007c6db1da8a5895b8547c53b51113ee01f53d
njrat
+ 391 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion trojan
Link:
https://tria.ge/reports/201207-922jhhebzj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Looks for VMWare Tools registry key
Modifies Windows Firewall
Looks for VirtualBox Guest Additions in registry
njRAT/Bladabindi
Unpacked files
SH256 hash:
20b9ec5a56219d5254b07c32c45c34eac8017ed9cb8335eb2c6f5312b9ea44ff
MD5 hash:
cd86589f7c942614837268fc639fe910
SHA1 hash:
1163b83e1b33a60f835a9cd9087743f6a8878437
Link:
https://www.unpac.me/results/7a0deec0-28aa-43ec-8812-f87595c69692/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/7a0deec0-28aa-43ec-8812-f87595c69692/
SH256 hash:
c35d1a9bf50c6dc0306bc25fbbf3bc6c20305ed18ce3b48fe9e74cc5aa05ee2c
MD5 hash:
67dafd2d9f3d5ec0d4921dc9e4a0b7c2
SHA1 hash:
49d36213cd6d2effdb1d2eb2fdaa2ea510ef3e01
Link:
https://www.unpac.me/results/7a0deec0-28aa-43ec-8812-f87595c69692/
SH256 hash:
eb0d72d971e6ee4099fa0b0d4e7f0e12863c4b04185a0b68647c201b0ce6a757
MD5 hash:
bd45f85bdf277285c58286ab9dfbce5b
SHA1 hash:
a4f898132ebe1499dd39b88e6307ac28dfe806ea
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/7a0deec0-28aa-43ec-8812-f87595c69692/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
MassLogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20b9ec5a56219d5254b07c32c45c34eac8017ed9cb8335eb2c6f5312b9ea44ff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:SUSP_Reversed_Base64_Encoded_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

59111296f5117a3995a23b9e01511caa03590da459112c22a55980782b39605b

njrat

Executable exe 20b9ec5a56219d5254b07c32c45c34eac8017ed9cb8335eb2c6f5312b9ea44ff

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/895809/
anyrun
any.run
https://app.any.run/tasks/2a1851ee-cb84-48fb-b1a7-c9db0317ead7
  
Dropped by
SHA256 59111296f5117a3995a23b9e01511caa03590da459112c22a55980782b39605b
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/106999/

Comments