MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e47f47065a13a48ae86ee76059ec4060e397f94cc25aa51ec6177f837314fe1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e47f47065a13a48ae86ee76059ec4060e397f94cc25aa51ec6177f837314fe1
SHA3-384 hash: e984a725903707a54d983b9f002df9dd9b3464cb719769a0ca8b822f0f4ace10a56d415fa5a8e149a1464843006e30fd
SHA1 hash: e6b55fbb3e8e315c42cbca81b9175d09f8a94b71
MD5 hash: 34a167ec71dea14960f86c20713cd07d
humanhash: hawaii-utah-solar-oxygen
File name:34a167ec71dea14960f86c20713cd07d.exe
Download: download sample
Signature njrat
Create hunting rule
File size:302'080 bytes
First seen:2021-05-05 13:28:22 UTC
Last seen:2021-05-05 15:17:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:jrxHkXLxmNfUzNchbaYj3Z4kfhJUvohix4F4az3/xr+VBFaI1YIYiheeeeeeeees:ffZZJthixIZrMBgkSOG9iO2RK
Threatray 220 similar samples on MalwareBazaar
TLSH 0F545ACD76A78DC3CA5605B07863D12C4373EDABA1B3E34A38B1636EDA612E713605C5
Reporter abuse_ch
Tags:exe NjRAT RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/150636/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.46158778.30091.6087.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
DNS request
Connection attempt
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/712000
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e47f47065a13a48ae86ee76059ec4060e397f94cc25aa51ec6177f837314fe1/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-04-20 03:42:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
29 of 47 (61.70%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fzd7i4dfue5erlug5z3alhweayhds74uzqs2uupmmf37qnzrj7qq._file
Verdict:
malicious
Similar samples:
0137042c076d728f11067b31394854e43724b1b588a65d0718d696ac2efd7f3f
njrat
151c9749ebcb80a9044840b499d3ec969f2cd5679b59253c23883c70af486475
njrat
3b019e395d076e03b3b4a2d9468d3acb36df69115e059119194fbd8dd6d1dd6b
njrat
3ee82cb6b92599b06273f1a48091fdbab0ca285fb8147501a0392b8a2eba583c
njrat
47aaf274ba6635b13798292366c06640a3dff0d314b56aabf0dc4f6d22ab5bd4
njrat
755b3b6ab9cb1b088a11c9ff66eec6a20754a2d27fd2bb5478ef702aa977605a
njrat
79e2a3311700e87e6d5e4d5f8e23f8f6b5500aa9e25e71afb016df130f21bae0
njrat
ad7e94c87890fd0d5e1ad30178606823c42c01b5e07bbc56bb86bf2bf3ae1477
njrat
b33514e7b334b8aee694323114c7d2694f3cdb49c7614291ca8f064c23ff8542
njrat
dd9fd40438d1819fb9f9d72ddc6f5d06c1651aa6543ca6560819d27a764c68d2
njrat
+ 210 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210505-ew58znep7j/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
2e47f47065a13a48ae86ee76059ec4060e397f94cc25aa51ec6177f837314fe1
MD5 hash:
34a167ec71dea14960f86c20713cd07d
SHA1 hash:
e6b55fbb3e8e315c42cbca81b9175d09f8a94b71
Link:
https://www.unpac.me/results/a34fb9d4-f56d-45ef-9b25-4c8cc499e36f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 2e47f47065a13a48ae86ee76059ec4060e397f94cc25aa51ec6177f837314fe1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1195012/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/150636/

Comments