MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20fe42296f9029c30fca68a7ff0b2b81c8498c7df69c66f131232029c0277fb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs 6 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20fe42296f9029c30fca68a7ff0b2b81c8498c7df69c66f131232029c0277fb5
SHA3-384 hash: 8dbdafc89042ca542eb4a0ac7eafbd8c8adc4f7caa1704661c1834305e1628c8b5c5c0b86d0fda60c51d8ab324795200
SHA1 hash: 8d4f82b50347aff03342f53284057355b74727a2
MD5 hash: 8f9ad0bf8cac0df3ab836815acd8a7ee
humanhash: nuts-glucose-mississippi-early
File name:8f9ad0bf8cac0df3ab836815acd8a7ee.exe
Download: download sample
Signature njrat
Create hunting rule
File size:157'538 bytes
First seen:2021-03-26 23:22:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6bac3cfe8acb6c6c4a30aaa022de2388 (308 x AveMariaRAT, 7 x njrat, 7 x Skeeeyah)
ssdeep 3072:Rf/J2ULiTehI8FrkZqSzaWw/W05A07AhbQuO0szUndYRtLEp3tv:r2UL2i9FGz78+0k1IAHp3tv
Threatray 741 similar samples on MalwareBazaar
TLSH 42F31265A3BC1022F312B57EBDA4A41921C9FC7B5AD7C25E4F0DB8073D49A04279A737
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.19.130.43:16276

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.19.130.43:16276 https://threatfox.abuse.ch/ioc/5528/
3.142.167.54:16276 https://threatfox.abuse.ch/ioc/5529/
3.142.167.4:16276 https://threatfox.abuse.ch/ioc/5530/
3.142.81.166:16276 https://threatfox.abuse.ch/ioc/5531/
13.58.157.220:16276 https://threatfox.abuse.ch/ioc/5532/
3.142.129.56:16276 https://threatfox.abuse.ch/ioc/5533/

Intelligence

File Origin
# of uploads :
1
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
putty_msi.exe
Verdict:
Malicious activity
Analysis date:
2021-03-21 13:14:11 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/fe7537fa-b227-434c-af28-5248f6bf55bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127220/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Malware.Poison-6986144-0
Create hunting rule

Win.Malware.Razy-7056533-0
Create hunting rule

Win.Trojan.Ulise-9792178-0
Create hunting rule

Win.Trojan.Ulise-9792179-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Replacing executable files
Creating a file in the %AppData% subdirectories
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a file
Moving a file to the %temp% directory
Replacing files
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/787eb46f-e8eb-4d62-871e-4dd51b5b1f06
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655627
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Command shell drops VBS files
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Deletes itself after installation
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 376746 Sample: USa65a4S7d.exe Startdate: 27/03/2021 Architecture: WINDOWS Score: 100 63 8.tcp.ngrok.io 2->63 73 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus / Scanner detection for submitted sample 2->77 79 4 other signatures 2->79 10 USa65a4S7d.exe 1 2->10         started        14 putty_msi.exe 2->14         started        16 wscript.exe 1 2->16         started        signatures3 process4 file5 59 C:\Users\user\Desktop\USa65a4S7d.exe, PE32 10->59 dropped 89 Tries to detect sandboxes / dynamic malware analysis system (file name check) 10->89 91 Contain functionality to detect virtual machines 10->91 93 Contains functionality to inject code into remote processes 10->93 95 Deletes itself after installation 10->95 18 USa65a4S7d.exe 2 7 10->18         started        21 cmd.exe 2 10->21         started        61 C:\Users\user\AppData\Local\...\putty_msi.exe, PE32 14->61 dropped 97 Injects a PE file into a foreign processes 14->97 24 cmd.exe 14->24         started        26 putty_msi.exe 14->26         started        29 putty_msi.exe 1 16->29         started        signatures6 process7 dnsIp8 55 C:\Users\user\AppData\...\USa65a4S7d.exe.log, ASCII 18->55 dropped 31 putty_msi.exe 1 18->31         started        34 attrib.exe 1 18->34         started        81 Command shell drops VBS files 21->81 83 Drops VBS files to the startup folder 21->83 36 conhost.exe 21->36         started        57 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 24->57 dropped 38 conhost.exe 24->38         started        65 192.168.2.1 unknown unknown 26->65 85 Tries to detect sandboxes / dynamic malware analysis system (file name check) 29->85 87 Injects a PE file into a foreign processes 29->87 40 cmd.exe 1 29->40         started        42 putty_msi.exe 29->42         started        file9 signatures10 process11 signatures12 99 Tries to detect sandboxes / dynamic malware analysis system (file name check) 31->99 101 Contain functionality to detect virtual machines 31->101 103 Injects a PE file into a foreign processes 31->103 44 putty_msi.exe 1 5 31->44         started        47 cmd.exe 1 31->47         started        49 conhost.exe 34->49         started        51 conhost.exe 40->51         started        process13 dnsIp14 67 8.tcp.ngrok.io 13.58.157.220, 16276, 49718, 49726 AMAZON-02US United States 44->67 69 3.142.129.56, 16276, 49761, 49768 AMAZON-02US United States 44->69 71 2 other IPs or domains 44->71 53 conhost.exe 47->53         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20fe42296f9029c30fca68a7ff0b2b81c8498c7df69c66f131232029c0277fb5/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-03-26 06:09:00 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ed7eeklpsau4gd6knct76czlqheetdd562ogn4jremqctqbhp62q._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0409769a5a6cdbb139bfcc900eb503ab0cc4250d7d90e9a6b7faca8ee828aee2
njrat
1ae8d7d60e8e1655ade9b9c5a3638b99c24c8fd393addec31845d42f13b035da
njrat
6ab925b9c76936556d7078116c24276531ecbfccf3a81d456173ad33d984c1c0
njrat
6abb519964bde0a1d422bd0430901c61e9b94c1d16f0364c4a8354547d9effb6
njrat
7b71b12d30d6ce6adb82e9f8c105c1f1cc36ed8744b0c21cfa8aa08d21119f08
njrat
8ceb5cc007f0a99fd5c92671f43184171e0fa11dda6479788ad53261a23b045d
njrat
9873f8a2a1cdb7c34dde321266bb205b614087d656a4193d519c55339e6eee6c
njrat
a550fdbbfd0b9b50ebff8877004ffa9914d0587c618389332c1c70a7b5b8bf0e
njrat
ae93db3af8d593b801a7f4fbb366d4f62cd66b355c3f4a048cad3ba79d390391
njrat
f72a3a205308a3446a78432854e1a3a022328ccb3bbb584f96bfafe4db12bf64
njrat
+ 731 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210326-fv9dqbax5a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
df3d56ec16ab0aa62127b45667ed0c77f08c80a43fba0cdf0a43fa64faba44b5
MD5 hash:
52ffc95139b59b0f38e727373eacfa63
SHA1 hash:
e0ce5d70a4a21dc7ae435efb2656687143a9e8f3
Link:
https://www.unpac.me/results/5fabe613-2f72-4a0c-8a50-a954c6053d0a/
Parent samples :
554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986
b8e35d21cd27c3f66b7e9dede80e2052299ffd45a7d160ac891277ff656dcb60
SH256 hash:
a17a204f51511144ca97d110dee827ff8fade1088983c30d0bc2fc5ddbe92e64
MD5 hash:
641ad4e559d3865a7db4f3bfdb368766
SHA1 hash:
8cdc17830d4d8462871c9fa30a05b1243b684aa9
Link:
https://www.unpac.me/results/5fabe613-2f72-4a0c-8a50-a954c6053d0a/
SH256 hash:
bead9614c6d8c54036103e3416f5019cab60a877bb5690e77e38c17db9970f38
MD5 hash:
cedf7bf065f3380619e2750d37559a3a
SHA1 hash:
0a20a7bd71f427c5fb9295c3e341d0c502855a79
Link:
https://www.unpac.me/results/5fabe613-2f72-4a0c-8a50-a954c6053d0a/
SH256 hash:
20fe42296f9029c30fca68a7ff0b2b81c8498c7df69c66f131232029c0277fb5
MD5 hash:
8f9ad0bf8cac0df3ab836815acd8a7ee
SHA1 hash:
8d4f82b50347aff03342f53284057355b74727a2
Link:
https://www.unpac.me/results/5fabe613-2f72-4a0c-8a50-a954c6053d0a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20fe42296f9029c30fca68a7ff0b2b81c8498c7df69c66f131232029c0277fb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127220/

Comments