MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34931da71c14d251f6a43f21ef98c4b67bf17535d7164f154bc6206625363140. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34931da71c14d251f6a43f21ef98c4b67bf17535d7164f154bc6206625363140
SHA3-384 hash: 89a4a0f2d0705c5810f9394aa97431a12b97bd4750230dbb7efad0cc66f729024b69e24b9d9c46527f9ce438407aa4f4
SHA1 hash: 208ebf66e43af3139347bea25a5ad639cccc0405
MD5 hash: 017521d0bb61bc2f48fd865b5a29a069
humanhash: music-floor-fruit-oven
File name:017521d0bb61bc2f48fd865b5a29a069.exe
Download: download sample
Signature njrat
Create hunting rule
File size:228'864 bytes
First seen:2021-02-16 15:52:48 UTC
Last seen:2021-02-16 18:01:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 720f62ecaae027b5c3ec6686644322e9 (12 x njrat, 8 x RevengeRAT, 4 x AgentTesla)
ssdeep 6144:4aC2F8NXC796TB9vj48GVBlQ2iL/aat8k1:4keVQkTrvj4DBlyLPZ1
Threatray 83 similar samples on MalwareBazaar
TLSH CD24DF247180C2B3C877113548E6CB798A39353A27BED6D3FB991FA66E113D096353CA
Reporter abuse_ch
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117377/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.dc.29785.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Creating a window
DNS request
Connection attempt
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/609187
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/34931da71c14d251f6a43f21ef98c4b67bf17535d7164f154bc6206625363140/
Threat name:
Win32.Trojan.Phonzy
Create hunting rule
Status:
Malicious
First seen:
2021-02-16 14:55:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gsjr3jy4ctjfd5veh4q67ggewz57c5jv24le6fklyyqgmjjwgfaa._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
381d09e67a798dfc8f96b33822cf4b0616652f44275f382ee75b9b6c840e04f2
njrat
71b928fd0b29e21bbfa4755b5347f4dc40653a82ec7ecf4947e325dbec23abaa
njrat
7519ecc88854cf96e369f110243fec46fbf20e8d1259ffaee06ef865f59a3aa7
njrat
7f2da313a75add2d2762a6f8ef8ca2828fb96661ab726b8aaad79ae5f89577c9
njrat
942fee1452e6210f9f70c2a500bea5720100df2e118bd4765a18d66f40f1e467
njrat
ae3974aeea651951c5c5802cf7a556c7626529790db1fd34f29be31c29f58ce2
njrat
c0e6f7a4aa809d2b93ba137245380ada0a44ac5576935e13e165d02b1b937583
njrat
cbf41a6d78de6866a9f86a9d1b2b63720f4ea5f63c9be909764154e6bd674f66
njrat
d8151875b740aaaa169d95c2c4593579a1d57e371b2a97602a02a5496de7fd8f
njrat
fc0438827ee653b0804b75e30b97d4fe48180881ed25c5a3d5b9bb4fc669f2aa
njrat
+ 73 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210216-qm8zpf2vf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
3e376bfb14fa4203e6ab7377da4369c6927ce2fb6b773a60116f44e9ab20c21c
MD5 hash:
32513685a368c5341b580a9ef219c15a
SHA1 hash:
93fead534d1350260aa562991e5bc0f03d15b89e
Link:
https://www.unpac.me/results/0325c0df-601e-42d9-b678-79e8d5cf6b7b/
SH256 hash:
34931da71c14d251f6a43f21ef98c4b67bf17535d7164f154bc6206625363140
MD5 hash:
017521d0bb61bc2f48fd865b5a29a069
SHA1 hash:
208ebf66e43af3139347bea25a5ad639cccc0405
Link:
https://www.unpac.me/results/0325c0df-601e-42d9-b678-79e8d5cf6b7b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ZeroAccess
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/34931da71c14d251f6a43f21ef98c4b67bf17535d7164f154bc6206625363140

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 34931da71c14d251f6a43f21ef98c4b67bf17535d7164f154bc6206625363140

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1012890/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117377/

Comments