MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3420bb201817ff2ceb811a81d43faf881e961ca1a0e6d578ffaab466ab22c9f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3420bb201817ff2ceb811a81d43faf881e961ca1a0e6d578ffaab466ab22c9f4
SHA3-384 hash: 67f754536eb877f31b7484b0f1089cf8d7e899c4699c6690e580f744155493834d251203107fca6202c4d3547ef63843
SHA1 hash: b62c048d22c7fe513a242cba5557e1034b51aaad
MD5 hash: 05398325b07d87ff2396976c1ccef888
humanhash: georgia-eleven-thirteen-diet
File name:ORDER.pdf.scr
Download: download sample
Signature njrat
Create hunting rule
File size:330'240 bytes
First seen:2020-07-24 10:50:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:A1O7kPAjRtyqsr/wZkmtbPPK2GhN1/d/d/Q9vrtyrx:JtyVr/ClbPPK2iNirtg
Threatray 58 similar samples on MalwareBazaar
TLSH 286417052AD41A9FF5AD37B9739351109BBCA0261A7AEF2E3DC6E0FC1836714C582B53
Reporter abuse_ch
Tags:GoDaddy NjRAT RAT scr


Avatar
abuse_ch
Malspam distributing njrat:

HELO: a2nlsmtp01-02.prod.iad2.secureserver.net
Sending IP: 198.71.225.36
From: Sajib Kamal <infojhb@nsds.co.za>
Reply-To: info@coastsonic.com
Subject: PO #200724A
Attachment: ORDER.pdf.zip (contains "ORDER.pdf.scr")

NjRAT C2:
dongreg202020.kozow.com:8874 (84.38.133.117)

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32164/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a file in the %AppData% directory
Creating a process from a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/397278
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 250870 Sample: ORDER.pdf.scr Startdate: 24/07/2020 Architecture: WINDOWS Score: 100 30 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->30 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected Njrat 2->34 36 8 other signatures 2->36 8 ORDER.pdf.exe 3 2->8         started        12 svchost.exe 2 2->12         started        14 svchost.exe 2 2->14         started        process3 file4 28 C:\Users\user\AppData\...\ORDER.pdf.exe.log, ASCII 8->28 dropped 40 Drops PE files with benign system names 8->40 16 ORDER.pdf.exe 1 4 8->16         started        19 svchost.exe 12->19         started        signatures5 process6 file7 26 C:\Users\user\AppData\Roaming\svchost.exe, PE32 16->26 dropped 21 svchost.exe 2 16->21         started        process8 signatures9 38 Machine Learning detection for dropped file 21->38 24 svchost.exe 21->24         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3420bb201817ff2ceb811a81d43faf881e961ca1a0e6d578ffaab466ab22c9f4/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-24 10:52:06 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gqqlwiayc77sz24bdka5ip5prapjmhfbudtnk6h7vk2gnkzczh2a._file
Verdict:
suspicious
Similar samples:
06b3325ecfca6773b75ff8d9829cdb9139914c2cf55c5734e8ee315857c5ed9c
njrat
1471e8e6ac0fc93f251e6cc084c631818c2ca56f8acd22c0513d6bc7a5bff6e2
njrat
1ab199282785da53b5d473ab89af264ae67dda695946890c76a8266a7d80352c
njrat
1cff19685b36b678ecd8a9d4bd7a5fe366bd3340de67528b2b444f6c9fd841d1
njrat
6bea7ce2131569b667bc699c65c26bedf04d57844c6fd0ada025a9c5e0282f43
njrat
8062bfd89bed5bf003bb7cbeb5caf6b9136158dcc499e60ea161b896b2d78ce5
njrat
94604c2e73f692b1c67cece78f153633ee7b011bba198cfc5d92923cc2267a05
njrat
a7b27af3279848802a012fad89ce6f0543e80e54b28b02360bb416e39a55bbf3
njrat
baa0b105bc19ddaf3c0303f8e7dcaab546e64a4ed340fe3271d9169a2c9cee46
njrat
fa7942a25cea90d890bca23298576191b75723375e2106d8ada228a85bfcfa7f
njrat
+ 48 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:njrat
Link:
https://tria.ge/reports/200724-4w9g37wt4a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
njRAT/Bladabindi
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/3420bb201817ff2ceb811a81d43faf881e961ca1a0e6d578ffaab466ab22c9f4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

zip 8c143c251239b8955cd8807ff7afa83d39be8aa4759468f05a59e5f971c81532

njrat

Executable exe 3420bb201817ff2ceb811a81d43faf881e961ca1a0e6d578ffaab466ab22c9f4

(this sample)

  
Dropped by
MD5 f3f08c653ae4d18cba18b7d0af86eae0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/32164/
  
Dropped by
SHA256 8c143c251239b8955cd8807ff7afa83d39be8aa4759468f05a59e5f971c81532

Comments