MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2ebc7cf945c4eba60eb0f25f6b58eb8d7d0558f6b5622530b2b3808987173952. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2ebc7cf945c4eba60eb0f25f6b58eb8d7d0558f6b5622530b2b3808987173952
SHA3-384 hash: 3fc01ad59d1c9147d156cc3d8af0866ab8995def379dd94e0f9afea4e0edf1546313a5fa32905036200bfbb2df21fa6b
SHA1 hash: 387e2f026ca3ec2a291b09fa76f88fe40ae7007c
MD5 hash: 6c6a951636ae4dee7a842c6af1d43236
humanhash: tennessee-fish-berlin-whiskey
File name:6c6a951636ae4dee7a842c6af1d43236.exe
Download: download sample
Signature njrat
Create hunting rule
File size:1'261'568 bytes
First seen:2021-07-22 07:58:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5d9d937853db8b666bd4b525813d7bd (40 x DCRat, 28 x njrat, 5 x RedLineStealer)
ssdeep 24576:Xa34mgPdQJZbdZCOhDff3rNQE9lpylqdEoM3/kWfTDBnq7ZU+9A9D+HgNkVvC:XaT0W7CO1ffb3ryl13MWPsqk9C
Threatray 116 similar samples on MalwareBazaar
TLSH T1244523568F2C17A4F0A7F2F458E8A67CF3A8FE1096C15C530B763588D8B5335B0AE526
dhash icon b861ccc8743464ac (2 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
225
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6c6a951636ae4dee7a842c6af1d43236.exe
Verdict:
Malicious activity
Analysis date:
2021-07-22 08:39:09 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/816b3fa5-ab7e-4ced-9fcf-2c3b0a05a527

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DarkComet
Create hunting rule
Link:
https://www.capesandbox.com/analysis/173245/
Detection(s):
Win.Trojan.Poison-8692
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
DarkComet
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7e998f7b-b82b-40eb-bd2e-8bc80a9fcfa0
Result
Threat name:
Darkcomet Njrat
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/820017
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes
Contains functionalty to change the wallpaper
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected Darkcomet RAT
Drops PE files to the startup folder
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected DarkComet
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 452427 Sample: jlO8ljZtrD.exe Startdate: 22/07/2021 Architecture: WINDOWS Score: 100 77 secret92.ddns.net 2->77 83 Malicious sample detected (through community Yara rule) 2->83 85 Antivirus detection for dropped file 2->85 87 Antivirus / Scanner detection for submitted sample 2->87 89 11 other signatures 2->89 11 jlO8ljZtrD.exe 10 2->11         started        14 msdcsc.exe 2->14         started        18 msdcsc.exe 2->18         started        20 2 other processes 2->20 signatures3 process4 dnsIp5 67 C:\Users\user\AppData\Local\Temp\darknj.exe, PE32 11->67 dropped 69 C:\Users\user\AppData\...\R-Launcher.exe, PE32 11->69 dropped 22 darknj.exe 1 4 11->22         started        26 R-Launcher.exe 11->26         started        81 secret92.ddns.net 78.62.182.29, 8082, 82 TELIA-LIETUVALT Lithuania 14->81 107 Writes to foreign memory regions 14->107 109 Allocates memory in foreign processes 14->109 111 Installs a global keyboard hook 14->111 113 Creates a thread in another existing process (thread injection) 14->113 28 notepad.exe 14->28         started        file6 signatures7 process8 file9 63 C:\Users\user\AppData\Local\Temp63J.EXE, PE32 22->63 dropped 65 C:\ProgramData\Microsoft\...\msdcsc.exe, PE32 22->65 dropped 91 Multi AV Scanner detection for dropped file 22->91 93 Detected Darkcomet RAT 22->93 95 Contains functionality to log keystrokes 22->95 97 9 other signatures 22->97 30 NJ.EXE 1 7 22->30         started        34 cmd.exe 1 22->34         started        36 cmd.exe 1 22->36         started        41 2 other processes 22->41 38 javaw.exe 84 26->38         started        signatures10 process11 dnsIp12 73 C:\Users\user\AppData\...\WindowsServices.exe, PE32 30->73 dropped 75 C:\Tools.exe, PE32 30->75 dropped 115 Multi AV Scanner detection for dropped file 30->115 43 WindowsServices.exe 30->43         started        117 Uses cmd line tools excessively to alter registry or file data 34->117 47 conhost.exe 34->47         started        49 attrib.exe 1 34->49         started        51 conhost.exe 36->51         started        53 attrib.exe 36->53         started        79 192.168.2.1 unknown unknown 38->79 55 icacls.exe 1 38->55         started        file13 signatures14 process15 file16 71 C:\...\cf6e0aafbf214c3565426c44740c8dce.exe, PE32 43->71 dropped 99 Multi AV Scanner detection for dropped file 43->99 101 Protects its processes via BreakOnTermination flag 43->101 103 Creates autostart registry keys with suspicious names 43->103 105 4 other signatures 43->105 57 netsh.exe 43->57         started        59 conhost.exe 55->59         started        signatures17 process18 process19 61 conhost.exe 57->61         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2ebc7cf945c4eba60eb0f25f6b58eb8d7d0558f6b5622530b2b3808987173952/
Threat name:
Win32.Trojan.VBinder
Create hunting rule
Status:
Malicious
First seen:
2021-07-22 06:11:47 UTC
AV detection:
44 of 46 (95.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f26hz6kfytv2mdvq6jpwwwhlrv6qkwhwwvrckmfswoaitbyxhfja._file
Verdict:
malicious
Similar samples:
03e6b99846c4ab6a841fa7aa135d2e7230a98957c1595e2ee0bc2b14329871ca
njrat
43b3fa1a455eedfc3a6084046a958b6a41074b92d94ecb5a0262911eab570f86
njrat
77dddb8e258184f22bbbf1d17a3e9f121528da1cd431ca26c44a870218ee0184
njrat
846d82f6f9d6b965ef683cd91724d72917263cf21e9f0f7e4ed2cb4f1ceacce8
njrat
8eb3881ba7d320c0760042529414e8ee87b8bfc648c34d87dd36ed854b0c8b7b
njrat
b41ce85e33620cf66ce5d7d284a31d784c89ad096f4d7cc79c50a8b1c121e5e9
njrat
b906fffb5dfe57a4a0704e2a89803ce0af2f9e6dc16338fab258051f1c8c4c0e
njrat
f75668dcd2d8c554bde126315253439858d2155588b1889473a7df5914537f10
njrat
+ 106 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:darkcomet family:njrat evasion persistence rat trojan
Link:
https://tria.ge/reports/210722-lc8mx5yn9e/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Program crash
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Sets file to hidden
Darkcomet
Modifies WinLogon for persistence
njRAT/Bladabindi
Unpacked files
SH256 hash:
121a202b4ff70f91e823c347f13784ec44525a9b0d4940c449e5db442acc6536
MD5 hash:
b0fe10b99dd5f8494e7c71b8fda9239b
SHA1 hash:
e93f7447408e10424ea3f4b3a92473e125d2af6b
Detections:
win_darkcomet_g0
Create hunting rule
win_darkcomet_auto
Create hunting rule
Link:
https://www.unpac.me/results/0a89dabb-483f-4143-85bb-d2ddf871ddb7/
SH256 hash:
6aff408e1fdb12e3fb6dacb284495d64689fd70279333bc97dd46a86a2897eea
MD5 hash:
76f71bcfc7047bd48dc24070f2aa2f5f
SHA1 hash:
f3e6765c61c79d9427722535d15a8466636662a0
Link:
https://www.unpac.me/results/0a89dabb-483f-4143-85bb-d2ddf871ddb7/
SH256 hash:
ee68e3f8ce8f704003575076c1b48a29361adb3af5fe858e0e59b5f41c685d8d
MD5 hash:
d3b0deb25e223b27361f1024bdbcba0c
SHA1 hash:
8e250d9ea3abf31f589005d9406eb6850a2a02b6
Link:
https://www.unpac.me/results/0a89dabb-483f-4143-85bb-d2ddf871ddb7/
SH256 hash:
2ebc7cf945c4eba60eb0f25f6b58eb8d7d0558f6b5622530b2b3808987173952
MD5 hash:
6c6a951636ae4dee7a842c6af1d43236
SHA1 hash:
387e2f026ca3ec2a291b09fa76f88fe40ae7007c
Link:
https://www.unpac.me/results/0a89dabb-483f-4143-85bb-d2ddf871ddb7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/2ebc7cf945c4eba60eb0f25f6b58eb8d7d0558f6b5622530b2b3808987173952

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 2ebc7cf945c4eba60eb0f25f6b58eb8d7d0558f6b5622530b2b3808987173952

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1466964/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1466969/
Cape
Cape
https://www.capesandbox.com/analysis/173245/

Comments