MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2664ca0874468958e3819f05885a3e52ffb392ac416cb5c5618031136aa2b438. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 10

SHA256 hash: 2664ca0874468958e3819f05885a3e52ffb392ac416cb5c5618031136aa2b438
SHA3-384 hash: bd2094bf82ac27db231238357463a336cffe83d8e27321d66717598bba18da2ae8960347c02619565dc160d1d11308a5
SHA1 hash: 8b9e560998dde9b09498df6c5539b31af7ccbdb4
MD5 hash: b7cf157c47d8d2d7bc77ba840ca3ec62
humanhash: india-fish-dakota-may
File name: 2664ca0874468958e3819f05885a3e52ffb392ac416cb5c5618031136aa2b438
Signature: njrat
File size: 15'648'256 bytes
First seen: 2021-02-28 07:01:29 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep: 393216:ZiC/KvOBp0McZP6q0PatEpM8LkHEkU5UxnAArekQq:4vuXcZz0C+L6wMnVr9Qq
Threatray: 73 similar samples on MalwareBazaar
TLSH: 45F63382FFD6CA10E846437515FF00864566BCD257B9AB8258CE9E8704944F8BC7AF8F
Reporter: JAMESWT_WT
Tags: NjRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 109
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2664ca0874468958e3819f05885a3e52ffb392ac416cb5c5618031136aa2b438
Verdict: Malicious activity
Analysis date: 2021-02-28 09:54:22 UTC
Tags: trojan rat njrat bladabindi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Delayed reading of the file
Searching for the window
Sending a UDP request
Deleting a recently created file
Unauthorized injection to a recently created process
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Threat name: Win32.Backdoor.Bladabhindi
Status: Malicious
First seen: 2021-02-26 19:58:10 UTC
AV detection: 15 of 29 (51.72%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:xmrig evasion miner persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
xmrig
Unpacked files

SHA256 hash: 9ab4ca47d4e5922b2a146be5e80a2e93117bdfca333715cf847b142fb95ccf29
MD5 hash: 462e87143d5518da2e093a1079c4f2b7
SHA1 hash: 67b41b6ee627b985f9bae4afb189e858fef12ddc

SHA256 hash: 8b43b93f0560c705509783a355b58820d37eca1b6ea60c66199a54264e4ef62f
MD5 hash: e93fcc6638b35506a16702ddd6c739cc
SHA1 hash: fb6f477f2fe1f33b3f0d032a80981c52118efbdd

SHA256 hash: e7eaa8b409d797968f7a39ffaae37b64291e514f797cfe5e385845215b291b9b
MD5 hash: 291878a0b837718462a59da37808f33f
SHA1 hash: 3f8f7f223783433840431006c7a43afab6f76108

SHA256 hash: 2664ca0874468958e3819f05885a3e52ffb392ac416cb5c5618031136aa2b438
MD5 hash: b7cf157c47d8d2d7bc77ba840ca3ec62
SHA1 hash: 8b9e560998dde9b09498df6c5539b31af7ccbdb4

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments