MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22b4c7b7a020cddf746df1e5ede1216ca1aa47f2583225ae608129f7616f61fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	22b4c7b7a020cddf746df1e5ede1216ca1aa47f2583225ae608129f7616f61fe
SHA3-384 hash:	98fcf5ee0ae20fe36ebf211a32a4e9745e8084b5b3306d7a0d54f5ca37266393df5b45aa069df9bbcb65e8a8964b940a
SHA1 hash:	e521b1253137f2d479ddab289dcbf34e471619f1
MD5 hash:	acbe931c4d267f04d5b3fa1291b4417b
humanhash:	lactose-four-hotel-pennsylvania
File name:	22b4c7b7a020cddf746df1e5ede1216ca1aa47f2583225ae608129f7616f61fe
Download:	download sample
Signature	njrat Create hunting rule
File size:	117'760 bytes
First seen:	2021-09-08 09:09:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	1536:jC95e0SHkpbWGaVvJ8DgbHU7vMntcL0Jvkal0sNhBBwqoplCzPTv+ck87O55jOjq:jA5e0wkpbW9boviJLlx4ch1r9m
Threatray	151 similar samples on MalwareBazaar
TLSH	T1B0B39B6129FB115EF3A69BF11FC9F4BF8AA9E6772549E0B6254207C64761F008C01B3B
Reporter	JAMESWT_WT
Tags:	exe NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

525

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

22b4c7b7a020cddf746df1e5ede1216ca1aa47f2583225ae608129f7616f61fe

Verdict:

Malicious activity

Analysis date:

2021-09-08 09:38:42 UTC

Tags:

rat njrat bladabindi

Link:

https://app.any.run/tasks/6fb9167a-5b2f-483e-beef-27904bd1e433

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/186297/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.37552553.32068.7987.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a process with a hidden window

Sending a UDP request

DNS request

Connection attempt

Launching the process to change the firewall settings

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a3f360c0-9487-4d48-ac8a-cfa21593c33f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22b4c7b7a020cddf746df1e5ede1216ca1aa47f2583225ae608129f7616f61fe/

Threat name:

ByteCode-MSIL.Backdoor.NjRAT

Status:

Malicious

First seen:

2021-09-05 06:11:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 45 (57.78%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ek2mpn5aedg565dn6hs63yjbnsq2ur7slazclltaqeu7oylpmh7a._file

Verdict:

malicious

njrat

38189e64fbba24355aa564b8acb3a11edf0eaff77c74b4a5acfe845286a9bef2

njrat

41bf09074cb6abd166ac8ba878de9739d94916c7d8eb1257a0d76a17dabc1620

njrat

451ebce366a48d651915a71a9a8544844bbb6ce11356c565959472d35b6cea25

njrat

6d3ffb896e637867433266d733f0a343f51e2bf02c0ee58cfc45967e650966ac

njrat

730bfa776152c38152b5c9180061bf02b4b63a62f2f214cf022bce4bda218c8a

njrat

8481677369aef0cd9d9fcbebe2a8f52916e4532666b1ea8e02eb046a0fa40409

njrat

ad829874016d1d2d62a1cd0d711626ecb11173f7136a442dec978d6bdda0a605

njrat

bf7a956dd59e896c36470f38328b0a68da5f7f8a0d42d835db501324e1daec58

njrat

+ 141 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat evasion persistence trojan

Link:

https://tria.ge/reports/210908-k43tssebh3/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Adds Run key to start application

Modifies Windows Firewall

njRAT/Bladabindi

Unpacked files

SH256 hash:

79c04bfb353fb897fd728fb983e7e034cf71c4ec91f1db07e8738565887acbf7

MD5 hash:

8c99276cb4a6b55f8305352218fee7d1

SHA1 hash:

37eb933edf41efe2b89aa6a71e9702ccad6bde54

Detections:

win_njrat_w1

win_njrat_g1

Link:

https://www.unpac.me/results/b4ab226c-1ed4-432e-8b82-44f4118bd31f/

SH256 hash:

22b4c7b7a020cddf746df1e5ede1216ca1aa47f2583225ae608129f7616f61fe

MD5 hash:

acbe931c4d267f04d5b3fa1291b4417b

SHA1 hash:

e521b1253137f2d479ddab289dcbf34e471619f1

Link:

https://www.unpac.me/results/b4ab226c-1ed4-432e-8b82-44f4118bd31f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/22b4c7b7a020cddf746df1e5ede1216ca1aa47f2583225ae608129f7616f61fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/186297/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample