MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22cd2928145df3e4a40db97a5e6ec531a5f18720d6c44122067abeba33efe7e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22cd2928145df3e4a40db97a5e6ec531a5f18720d6c44122067abeba33efe7e7
SHA3-384 hash: 77495db309c8d8d60be34b62496c3841003d22bb8b3cdbfc2c2cc5974860fbffacf2aaff5e8d9a3e22a6e2d56c08daf2
SHA1 hash: fd719615e881eebfafdaeb06e89a9cb6a86c93a7
MD5 hash: acfdc394445621587dfe17bd75f58484
humanhash: pizza-pennsylvania-mango-one
File name:acfdc394445621587dfe17bd75f58484.exe
Download: download sample
Signature njrat
Create hunting rule
File size:307'600 bytes
First seen:2022-08-14 15:10:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 6144:1Q+KaiKX2omqZEIvjzmW61pX+t4ODP9WMLB:pKry2/qZXzmVpX+t4ODVf9
Threatray 3'652 similar samples on MalwareBazaar
TLSH T14A64BF12BAC184B1D5721D3459F99774693CBC201F358EDFA3943A2D5E301C2AB3ABA7
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
41.108.184.148:1177

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
41.108.184.148:1177 https://threatfox.abuse.ch/ioc/843166/

Intelligence

File Origin
# of uploads :
1
# of downloads :
474
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
acfdc394445621587dfe17bd75f58484.exe
Verdict:
Suspicious activity
Analysis date:
2022-08-14 15:14:26 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7c74fb69-a8d5-42fa-9615-8f77ef099405

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/298497/
Detection(s):
PUA.Win.Packer.NETCrypter-6309687-2
Create hunting rule

SecuriteInfo.com.Trojan.Uztuby.4.21386.15255.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/28920/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62f9108e080024921b76fd96/reports/38a1cf0e-879c-427e-bc45-5edda9b1ad84/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4736bf6b-bbdb-43eb-984d-d03c116c9247
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1051195
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 683705 Sample: PFKOKqZ9D6.exe Startdate: 14/08/2022 Architecture: WINDOWS Score: 100 30 aminechoc1.ddns.net 2->30 36 Multi AV Scanner detection for domain / URL 2->36 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus detection for URL or domain 2->40 42 5 other signatures 2->42 9 PFKOKqZ9D6.exe 3 25 2->9         started        12 WindowsApplication1.exe 3 2->12         started        14 WindowsApplication1.exe 2 2->14         started        16 WindowsApplication1.exe 2 2->16         started        signatures3 process4 file5 28 C:\Users\user\...\WindowsApplication1.exe, PE32 9->28 dropped 18 WindowsApplication1.exe 5 2 9->18         started        22 notepad.exe 9->22         started        process6 dnsIp7 32 aminechoc1.ddns.net 41.108.184.148, 1177, 49748, 49751 ALGTEL-ASDZ Algeria 18->32 34 192.168.2.1 unknown unknown 18->34 44 Antivirus detection for dropped file 18->44 46 Multi AV Scanner detection for dropped file 18->46 48 Protects its processes via BreakOnTermination flag 18->48 50 4 other signatures 18->50 24 netsh.exe 1 3 18->24         started        signatures8 process9 process10 26 conhost.exe 24->26         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22cd2928145df3e4a40db97a5e6ec531a5f18720d6c44122067abeba33efe7e7/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-08-10 08:25:55 UTC
File Type:
PE (Exe)
Extracted files:
34
AV detection:
31 of 41 (75.61%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=elgsskaulxz6jjanxf5f43wfggs7dbza23ceciqgpk7lum7p47tq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
000285eadc4e6a68f32343409159c1b44aed8a0bc1c0cd57cca0c4043632907b
njrat
190f4fb1b115015c5953c32d83b90e4574b371611ca78f6d37f6c0839b7be9b5
njrat
20b6bad0f4cef3da8b183c5b57e45008ee345eb84b214281fe85694f825b93d8
njrat
283906c670f0a64dbd5f3ce78354ef08071db8b728c3ee93f55195da68fd7d1c
njrat
b43995d648b6e64824da5749a407029eae9feb84787266a4dae33f4c412ec661
njrat
dd08f8f4064603778ab013b6a8b0f80b22c5acc6d249a59d097bdedf0e7ece49
njrat
+ 3'642 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/220814-skk4msfdbm/
Behaviour
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
b1a45af845848fe405990fb27ee511008e78fe2835025147f875f19f4b786781
MD5 hash:
b9e83e28645ed11c0e631c7309809724
SHA1 hash:
4958bea22c18853d405b9b5729d2e41b9daad96c
Detections:
win_njrat_g1
Create hunting rule
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/a0555ddc-65c6-4fd3-9fb1-90aa46c8d54b/
SH256 hash:
22cd2928145df3e4a40db97a5e6ec531a5f18720d6c44122067abeba33efe7e7
MD5 hash:
acfdc394445621587dfe17bd75f58484
SHA1 hash:
fd719615e881eebfafdaeb06e89a9cb6a86c93a7
Link:
https://www.unpac.me/results/a0555ddc-65c6-4fd3-9fb1-90aa46c8d54b/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/22cd2928145d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22cd2928145df3e4a40db97a5e6ec531a5f18720d6c44122067abeba33efe7e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/298497/

Comments