MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2
SHA3-384 hash: 86c288586879a40047873e8fda36fe732630d8a6ad84acc7bf2583708508d8541bd48172fbd317b7c7b8b5598eb32a3e
SHA1 hash: 2cc4ae531be8b82dccf3c4c14e326307e2926658
MD5 hash: 6382e1ba0bdcd1a586f97e1e20f77868
humanhash: finch-mountain-avocado-massachusetts
File name:277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2
Download: download sample
Signature njrat
Create hunting rule
File size:1'310'720 bytes
First seen:2021-02-28 07:10:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:BJM62op+dKJ1np98udmHCiHRJqKtbPS85d2s8MnDIrcQaIE7OZhXnTNRlaWu50L8:BqodrdmHCStBX2s1UQQVE6ZhXnTFaf5X
Threatray 74 similar samples on MalwareBazaar
TLSH 0355CE31A7846EF0F09FE537CDA5AA241E3E6438453619BD7EC5EE0819330BA243675E
Reporter JAMESWT_WT
Tags:NjRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2
Verdict:
Malicious activity
Analysis date:
2021-02-28 07:50:22 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/46f1b50f-92d6-4ea0-9f81-a1d38b2c6293

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119822/
Detection(s):
Win.Trojan.Generic-6297788-0
Create hunting rule

Win.Trojan.Nitol-6335025-0
Create hunting rule

Win.Packed.Generic-7102054-0
Create hunting rule

Win.Packed.njRAT-9815539-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a file
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Moving a recently created file
Creating a process from a recently created file
Searching for the window
Creating a file in the %temp% directory
DNS request
Sending an HTTP GET request
Sending a UDP request
Deleting a recently created file
Creating a process with a hidden window
Connection attempt
Setting a single autorun event
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Launching the process to change the firewall settings
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621110
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Creates HTML files with .exe extension (expired dropper behavior)
Creates multiple autostart registry keys
Detected njRat
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Injects files into Windows application
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 359547 Sample: L2NVQjRX9s Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 89 xred.mooo.com 2->89 117 Malicious sample detected (through community Yara rule) 2->117 119 Antivirus detection for dropped file 2->119 121 Antivirus / Scanner detection for submitted sample 2->121 123 12 other signatures 2->123 11 L2NVQjRX9s.exe 1 4 2->11         started        15 Synaptics.exe 2->15         started        17 NpYKCcBqCA.exe 2->17         started        19 5 other processes 2->19 signatures3 process4 file5 73 C:\Users\user\AppData\...73pYKCcBqCA.exe, PE32 11->73 dropped 75 C:\Users\...75pYKCcBqCA.exe:Zone.Identifier, ASCII 11->75 dropped 77 C:\Users\user\AppData\...\L2NVQjRX9s.exe.log, ASCII 11->77 dropped 125 Creates multiple autostart registry keys 11->125 127 Injects a PE file into a foreign processes 11->127 129 Contains functionality to detect sleep reduction / modifications 11->129 21 L2NVQjRX9s.exe 1 6 11->21         started        24 Synaptics.exe 15->24         started        26 Synaptics.exe 15->26         started        131 Antivirus detection for dropped file 17->131 133 Machine Learning detection for dropped file 17->133 28 NpYKCcBqCA.exe 17->28         started        135 Injects files into Windows application 19->135 30 NpYKCcBqCA.exe 19->30         started        signatures6 process7 file8 61 C:\Users\user\...\._cache_L2NVQjRX9s.exe, PE32 21->61 dropped 63 C:\ProgramData\Synaptics\Synaptics.exe, PE32 21->63 dropped 65 C:\ProgramData\Synaptics\RCXFCB2.tmp, PE32 21->65 dropped 67 C:\...\Synaptics.exe:Zone.Identifier, ASCII 21->67 dropped 32 Synaptics.exe 1 21->32         started        35 ._cache_L2NVQjRX9s.exe 1 5 21->35         started        69 C:\ProgramData\...\._cache_Synaptics.exe, PE32 24->69 dropped 38 ._cache_Synaptics.exe 24->38         started        71 C:\Users\user\...\._cache_NpYKCcBqCA.exe, PE32 28->71 dropped 40 ._cache_NpYKCcBqCA.exe 28->40         started        42 ._cache_NpYKCcBqCA.exe 30->42         started        process9 file10 99 Antivirus detection for dropped file 32->99 101 Multi AV Scanner detection for dropped file 32->101 103 Drops PE files to the document folder of the user 32->103 107 3 other signatures 32->107 44 Synaptics.exe 108 32->44         started        57 C:\Users\user\AppData\Local\Temp\Server.exe, PE32 35->57 dropped 59 C:\Users\user\...\._cache_L2NVQjRX9s.exe.log, ASCII 35->59 dropped 48 Server.exe 35->48         started        105 Machine Learning detection for dropped file 38->105 signatures11 process12 dnsIp13 91 googlehosted.l.googleusercontent.com 142.250.185.97, 443, 49726, 49727 GOOGLEUS United States 44->91 93 www-env.dropbox-dns.com 162.125.66.18, 443, 49761, 49762 DROPBOXUS United States 44->93 97 14 other IPs or domains 44->97 79 C:\Users\user\Documents\BPMLNOBVSB\~$cache1, PE32 44->79 dropped 81 C:\Users\user\Desktop\L2NVQjRX9s.exe, PE32 44->81 dropped 83 C:\Users\user\Desktop\._cache_Synaptics.exe, PE32 44->83 dropped 87 4 other malicious files 44->87 dropped 51 ._cache_Synaptics.exe 44->51         started        95 127.0.0.1 unknown unknown 48->95 85 C:\...\316cc8fdf2ba11b55349f6a002cabe83.exe, PE32 48->85 dropped 109 Antivirus detection for dropped file 48->109 111 Multi AV Scanner detection for dropped file 48->111 113 Protects its processes via BreakOnTermination flag 48->113 115 4 other signatures 48->115 53 netsh.exe 48->53         started        file14 signatures15 process16 process17 55 conhost.exe 53->55         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-25 13:06:07 UTC
AV detection:
36 of 47 (76.60%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
114845ae528187f40696e5644e7ad7215e4409cd8a7d6b9433975b2b527ae1c4
njrat
1a64802e01d94712cb6daf8339296b78cf0a7a81251e80937d01d975b31938dc
njrat
252ed32b4eaa2631fd004cb2124b6fd02a76f729a78ca51354cef21dd69f8cb5
njrat
27c7e09f3d97d73a998e1cfb8fca499b77b3045797459c7696b924106d2866c6
njrat
35932eeee29750e11e5f50f5600fc9711c5cfce787edc77a7c9b1d09f7ebca2d
njrat
422761ce807ba569d378b3130493e84a531d310d1ed8e0559d6313fdf91cd5b0
njrat
bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632
njrat
d8d750910aac8726d8cb50476b6a5b6635e6d8ce3ecd02d562c637269d1a1088
njrat
eaf4c919002576a1aa5c7729d2f953d8c0fcc2c4d34b3597ec15c207ef026e05
njrat
fe19c0cd68bc2cf6045a8a0585ec0ed3f520d4093032f6a05759b8c408b5cce3
njrat
+ 64 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion macro persistence trojan
Link:
https://tria.ge/reports/210228-y2xned61wx/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Modifies registry class
Modifies system certificate store
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Suspicious Office macro
njRAT/Bladabindi
Unpacked files
SH256 hash:
277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2
MD5 hash:
6382e1ba0bdcd1a586f97e1e20f77868
SHA1 hash:
2cc4ae531be8b82dccf3c4c14e326307e2926658
Link:
https://www.unpac.me/results/f30c4160-6429-4866-9771-3cad79085e5f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Barys
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/277a2404fd4b34ba64813a529d1029bd7f1971b14a09df35e382ae639c3c28a2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119822/

Comments