MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
SHA3-384 hash: 439ff5d49172d5cea1de29916e71e82b17dfc315584bcefd8cc23b7c70fa0b9f84c764001f5d688d94a39caec402303c
SHA1 hash: d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
MD5 hash: 5f9e61796a21e65f9a03f92ee6a8f6d8
humanhash: artist-west-mango-four
File name:2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
Download: download sample
Signature njrat
Create hunting rule
File size:6'426'968 bytes
First seen:2022-05-17 13:04:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 890e522b31701e079a367b89393329e6 (25 x Formbook, 12 x AgentTesla, 8 x Loda)
ssdeep 98304:gE3hvgANqcEQ/j3p6m2ODXEFCwjMYSm69eUjLJJ9xYyqrTW78j8lUtugTO04yaQX:VL3/2ObKUfTr50C2KgTO04yV
TLSH T17F5633EA3BFDFE0DDD7208BBE39E8561072ADD84AB75718A9721363CA03F5605241B41
TrID 87.0% (.EXE) AutoIt3 compiled script executable (510622/80/67)
4.6% (.EXE) UPX compressed Win32 Executable (27066/9/6)
4.5% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4)
1.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
0.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon c8e8d8f0e4f962a4 (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
79.134.225.59:7788

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.59:7788 https://threatfox.abuse.ch/ioc/582152/

Intelligence

File Origin
# of uploads :
1
# of downloads :
353
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe
Verdict:
Malicious activity
Analysis date:
2022-05-17 23:55:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/72983cdf-a375-460d-8bf5-d83e3bdf8c92

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
PyInstaller
Create hunting rule
Link:
https://www.capesandbox.com/analysis/271601/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.Zapchast-1340
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a file
Running batch commands
Creating a process with a hidden window
DNS request
Sending an HTTP GET request
Launching a process
Using the Windows Management Instrumentation requests
Downloading the file
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/18315/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
MeasuringTime
SystemUptime
CheckCmdLine
EvasionQueryPerformanceCounter
EvasionGetTickCount
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed powershell shell32.dll
Link:
https://www.filescan.io/uploads/62839db022b733139c2537c3/reports/9714e1b0-cf90-4e68-9c65-c6c6a7c7295a/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/42d5980b-c75b-4073-a803-f2cd5c2bd9a7
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/995834
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates files with lurking names (e.g. Crack.exe)
Drops VBS files to the startup folder
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Powershell download and execute file
Windows Shell Script Host drops VBS files
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Njrat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 628330 Sample: 2691AC49A444378F3C668C7EAAF... Startdate: 17/05/2022 Architecture: WINDOWS Score: 100 59 ameen.myftp.biz 2->59 81 Found malware configuration 2->81 83 Antivirus detection for URL or domain 2->83 85 Antivirus / Scanner detection for submitted sample 2->85 87 9 other signatures 2->87 9 2691AC49A444378F3C668C7EAAF0E0E0ABF95C5C3053A.exe 3 4 2->9         started        12 wscript.exe 7 2->12         started        signatures3 process4 file5 43 C:\Users\user\AppData\Local\...\WinUpdat.exe, PE32+ 9->43 dropped 45 C:\Users\user\AppData\Local\...\WinUpdat.vbs, ASCII 9->45 dropped 47 C:\Users\user\AppData\Local\...\autCB0E.tmp, PE32+ 9->47 dropped 15 wscript.exe 8 9->15         started        19 WinUpdat.exe 19 9->19         started        93 Wscript starts Powershell (via cmd or directly) 12->93 21 powershell.exe 12->21         started        signatures6 process7 dnsIp8 49 C:\Users\user\AppData\...\WinUpdat.vbs, ASCII 15->49 dropped 69 Wscript starts Powershell (via cmd or directly) 15->69 71 Windows Shell Script Host drops VBS files 15->71 73 Drops VBS files to the startup folder 15->73 24 powershell.exe 15 23 15->24         started        51 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 19->51 dropped 53 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 19->53 dropped 55 C:\Users\user\AppData\Local\...\python27.dll, PE32+ 19->55 dropped 57 10 other files (none is malicious) 19->57 dropped 75 Creates files with lurking names (e.g. Crack.exe) 19->75 28 WinUpdat.exe 19->28         started        30 conhost.exe 19->30         started        63 192.168.2.1 unknown unknown 21->63 65 supportnimbuzz.hexat.com 21->65 77 Writes to foreign memory regions 21->77 79 Injects a PE file into a foreign processes 21->79 32 conhost.exe 21->32         started        34 RegSvcs.exe 21->34         started        file9 signatures10 process11 dnsIp12 67 supportnimbuzz.hexat.com 54.36.158.41, 49755, 49771, 80 OVHFR France 24->67 89 Writes to foreign memory regions 24->89 91 Injects a PE file into a foreign processes 24->91 36 RegSvcs.exe 2 2 24->36         started        39 conhost.exe 24->39         started        41 cmd.exe 28->41         started        signatures13 process14 dnsIp15 61 ameen.myftp.biz 79.134.225.59, 49803, 49805, 49806 FINK-TELECOM-SERVICESCH Switzerland 36->61
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-04 09:29:00 UTC
File Type:
PE (Exe)
Extracted files:
707
AV detection:
27 of 41 (65.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2i2ysneiq3y6pdgrr7kv4ha4cv7sxc4gbj2kfvt7gtyzguiqw5a._file
Verdict:
unknown
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:njrat botnet:default botnet:lime botnet:nyan cat pyinstaller rat suricata trojan upx
Link:
https://tria.ge/reports/220517-qbgzhscbf5/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Async RAT payload
AsyncRat
njRAT/Bladabindi
suricata: ET MALWARE Generic AsyncRAT Style SSL Cert
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
ameen.myftp.biz:7788
worm.access.ly:7778
newworld.mypsx.net:8877
Dropper Extraction:
http://supportnimbuzz.hexat.com/3/Att.jpg
https://cdn.discordapp.com/attachments/934436223181787207/937137622730559579/Att.jpg
https://cdn.discordapp.com/attachments/935877066816114718/938236541149515816/Att.jpg
Unpacked files
SH256 hash:
2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba
MD5 hash:
5f9e61796a21e65f9a03f92ee6a8f6d8
SHA1 hash:
d6032fd04db0fbb6195b6e8d31491a3fc289f1ce
Link:
https://www.unpac.me/results/6e995ee9-e002-4a4f-a8fb-25b355fdf371/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2691ac49a444378f3c668c7eaaf0e0e0abf95c5c3053a516b3f9a78c9a8885ba

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/271601/

Comments