MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 2b1995968ff5b1b0c1bc81553052f425decebcb3333b9fc5b95343c4df69c33f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
njrat
Vendor detections: 6
| SHA256 hash: | 2b1995968ff5b1b0c1bc81553052f425decebcb3333b9fc5b95343c4df69c33f |
|---|---|
| SHA3-384 hash: | f098de08d8ec13737a12a3092290a0a0a5ee6c70fb10d3a80db3d08d303f4037a4aed613c1d1964488db96d7b010fbd9 |
| SHA1 hash: | 27bda499cb441cb88ab2f84a0fbd8434d969f02c |
| MD5 hash: | 7899ec0612ae36968cea29dab3310547 |
| humanhash: | florida-bravo-fourteen-coffee |
| File name: | 2b1995968ff5b1b0c1bc81553052f425decebcb3333b9fc5b95343c4df69c33f |
| Download: | download sample |
| Signature | njrat |
| File size: | 3'343'872 bytes |
| First seen: | 2020-11-10 10:52:35 UTC |
| Last seen: | 2024-07-24 12:35:04 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader) |
| ssdeep | 98304:8viz/27qWGq/TzuqCDl2Ptao7jEzMzbNl:8viq75/TzufRz2Nl |
| Threatray | 144 similar samples on MalwareBazaar |
| TLSH | A7F5334676DC002BD570037128FD13C71BB4BCB25375978AB0CE648D19AA4B1BBB6FA6 |
| Reporter |  seifreed |
| Tags: | NjRAT |
Intelligence
File Origin
# of uploads :
2
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Sending a UDP request
Creating a window
Delayed reading of the file
Enabling the 'hidden' option for files in the %temp% directory
Creating a process with a hidden window
Connection attempt
Searching for the window
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
Win32.Trojan.Strictor
Status:
Malicious
First seen:
2020-11-10 10:55:24 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 134 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
evasion persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Adds Run key to start application
JavaScript code in executable
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
2b1995968ff5b1b0c1bc81553052f425decebcb3333b9fc5b95343c4df69c33f
MD5 hash:
7899ec0612ae36968cea29dab3310547
SHA1 hash:
27bda499cb441cb88ab2f84a0fbd8434d969f02c
SH256 hash:
d50ec99ae97d1155256a0d8f5c0d62b76e55b1e070d1005ae71a5884f946c8b6
MD5 hash:
dbf8e21f85316e2d68d2fcb15c46a3fe
SHA1 hash:
0ee2cf23febc2d3a6eeabde809674f050c1a9d51
SH256 hash:
a9f9100e6a877e1caf7ed7457cc89a6a47f522cf1a62265088617c438c617de0
MD5 hash:
4c055444a7259b038947da82a0cd78d9
SHA1 hash:
92bf1a696b3953907e395df0f4b3a977491b6c22
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Delivery method
Other
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.