MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d085b9931c228e161c7911278f9ef1a5fb1b01a9687fba3cdd72fd3710c21f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs 5 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d085b9931c228e161c7911278f9ef1a5fb1b01a9687fba3cdd72fd3710c21f1
SHA3-384 hash: 2f206964e5ed9043ebbabb61f3c164babb102734360a964392fdcc2fffe2ec29902838f8b89506467c9625525acc2552
SHA1 hash: 2636fa472da6094a2bf1df0aa948e10187b6a175
MD5 hash: cd37eba5909b61d0af67f5b9f2888b71
humanhash: texas-fruit-august-football
File name:CD37EBA5909B61D0AF67F5B9F2888B71.exe
Download: download sample
Signature njrat
Create hunting rule
File size:145'408 bytes
First seen:2021-03-27 20:10:16 UTC
Last seen:2021-03-27 21:31:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:bOMpRJLek3OeeEk/VifZUFYecOxK1pXgbR54B5vISTU7uPgERdwGHB4VtUPHwy+W:bOsRJsL4KgbgcXkWyGyaHwy+0P6F6N
Threatray 87 similar samples on MalwareBazaar
TLSH 65E3178371C8C399CA142775E4EF097417E1AED31631D748FEDA62CB4D10BB28E67A86
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.17.7.232:13748

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.17.7.232:13748 https://threatfox.abuse.ch/ioc/5586/
3.134.39.220:13748 https://threatfox.abuse.ch/ioc/5587/
3.134.125.175:13748 https://threatfox.abuse.ch/ioc/5588/
3.14.182.203:13748 https://threatfox.abuse.ch/ioc/5589/
3.22.30.40:13748 https://threatfox.abuse.ch/ioc/5590/

Intelligence

File Origin
# of uploads :
2
# of downloads :
276
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CD37EBA5909B61D0AF67F5B9F2888B71.exe
Verdict:
Malicious activity
Analysis date:
2021-03-27 20:12:46 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/2ab8c477-c277-4f62-9627-3f5018aa39b9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/127287/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.508.5059.7090.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/351d5048-a1de-421b-9c31-21fff1c614aa
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/655933
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Connects to many ports of the same IP (likely port scanning)
Detected njRat
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 376902 Sample: xRE9ic8pHe.exe Startdate: 27/03/2021 Architecture: WINDOWS Score: 100 50 0.tcp.ngrok.io 2->50 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 10 other signatures 2->58 9 xRE9ic8pHe.exe 1 2->9         started        13 Dllhost.exe 2->13         started        15 Dllhost.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 42 C:\Users\user\AppData\...\xRE9ic8pHe.exe.log, ASCII 9->42 dropped 62 Injects a PE file into a foreign processes 9->62 19 xRE9ic8pHe.exe 1 2 9->19         started        22 Dllhost.exe 13->22         started        24 Dllhost.exe 15->24         started        26 Dllhost.exe 17->26         started        28 Java update.exe 17->28         started        signatures6 process7 file8 40 C:\Users\user\AppData\Roaming\Dllhost.exe, PE32 19->40 dropped 30 Dllhost.exe 1 19->30         started        process9 signatures10 64 System process connects to network (likely due to code injection or exploit) 30->64 66 Multi AV Scanner detection for dropped file 30->66 68 Machine Learning detection for dropped file 30->68 70 Drops PE files to the startup folder 30->70 33 Dllhost.exe 3 3 30->33         started        process11 dnsIp12 44 0.tcp.ngrok.io 3.13.191.225, 13748, 49714, 49716 AMAZON-02US United States 33->44 46 3.134.125.175, 13748, 49723, 49725 AMAZON-02US United States 33->46 48 4 other IPs or domains 33->48 38 C:\Users\user\AppData\...\Java update.exe, PE32 33->38 dropped 60 System process connects to network (likely due to code injection or exploit) 33->60 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d085b9931c228e161c7911278f9ef1a5fb1b01a9687fba3cdd72fd3710c21f1/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-03-05 11:31:28 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fuefxgjryiuocyohsejhr6ppdjp3dma2s2d7xi6n24x5g4imehyq._file
Verdict:
malicious
Similar samples:
06f90298156769d7d36397266ebed17d40623b6fbee75a4a9c580f94523b0996
njrat
0ec695d9d1bc48cd0eae9a3af6634a1a65954710226e4a08cac7b2db9f05a6db
njrat
10af2cacc6d5057ff24acfd6811ba45568d6542de1fcfb526f7b9029661f4df9
njrat
83fda1582e8aa614098d944606a562589f0880c105ef011b0e8b68bf90354da3
njrat
88d7d88b3c0ededd4c99459a4231c3c4a0af8184e5e2492fce16992908f2547d
njrat
aad1019189d0f856e1a35c778a446a3aea6b0e704d175d677f523da6c0242b40
njrat
bffa8c77d1dac6b0b0af3c5653a5190ea5d0bc0c0b22f44237bfd66bf351a0d6
njrat
d6f0bfa0aa9e2b9004d36f51fff20f947adbaa6bbb7fffdde1fc37d105fa7257
njrat
f03b45bf3960206214a913c09aae91adc52f1a6171334bb0c0bd8f96f4dea82d
njrat
fa0dbbb301cd37e630b70e2262a442c4c265baf4f0bed3c4dc4af4fbba2c556f
njrat
+ 77 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210327-68v8lbwq76/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
0892d95b514ffe83c7bbf363f8676443aaa61e70413ba7024b2d3732d84e368c
MD5 hash:
05d78f11dc71e5f7b41a5aa661b85cbc
SHA1 hash:
defca0e444b327adb9a3a3d47bbc38457f8f51e2
Link:
https://www.unpac.me/results/6aca3bdd-e866-421f-aaa5-000eba7d9e7d/
SH256 hash:
79243bc7d5809322d4bb6286496db1711b239a17cfacfb158c6a6e5b91e57bb5
MD5 hash:
67e49231a7da6e0665d2b6510f7932f8
SHA1 hash:
22fba7336a9a804b0607c5a05e708ac753f5f4cb
Link:
https://www.unpac.me/results/6aca3bdd-e866-421f-aaa5-000eba7d9e7d/
SH256 hash:
2d085b9931c228e161c7911278f9ef1a5fb1b01a9687fba3cdd72fd3710c21f1
MD5 hash:
cd37eba5909b61d0af67f5b9f2888b71
SHA1 hash:
2636fa472da6094a2bf1df0aa948e10187b6a175
Link:
https://www.unpac.me/results/6aca3bdd-e866-421f-aaa5-000eba7d9e7d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Frauhost
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d085b9931c228e161c7911278f9ef1a5fb1b01a9687fba3cdd72fd3710c21f1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/127287/

Comments