MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 388ab95baf40b182dd03aea611509049aab338626aa902913a31ad0b7a7489d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 388ab95baf40b182dd03aea611509049aab338626aa902913a31ad0b7a7489d6
SHA3-384 hash: 35d0f6691657b4c17fb571c33228705b2141dd16f0e01c7c3488cee0acb48074df50c5a878c29b6ba1c011d9c28eb0b9
SHA1 hash: 49e14d9c901726f16aafd850e4bea48051714699
MD5 hash: 812725a066910cbe47ba16ddee3e9efe
humanhash: mirror-foxtrot-beer-yankee
File name:TDRSKO.exe
Download: download sample
Signature njrat
Create hunting rule
File size:1'288'676 bytes
First seen:2023-01-23 10:29:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d3bf8a7746a8d1ee8f6e5960c3f69378 (247 x Formbook, 75 x AgentTesla, 64 x SnakeKeylogger)
ssdeep 24576:+RmJkcoQricOIQxiZY1iaKklbCmyS5gOk55o63EJfo:rJZoQrbTFZY1iaKklbRySGOkIjJw
TLSH T14455D012B5858035C2B232F19E7EF75696386D360326D19B27F83A315E71443EF2A72E
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 3b3a1e2e38636f78 (2 x DarkComet, 1 x njrat)
Reporter cocaman
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
219
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TDRSKO.exe
Verdict:
Malicious activity
Analysis date:
2023-01-23 10:29:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/99f6ba4e-9b70-4398-99e3-0b8776219e51

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/355843/
Detection(s):
Win.Malware.Agentb-6964357-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Creating a file
Searching for synchronization primitives
Deleting a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Query of malicious DNS domain
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Enabling a "Do not show hidden files" option
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62433/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit barys bladabindi greyware keylogger lodarat njrat overlay packed powershell shell32.dll
Link:
https://www.filescan.io/uploads/63ce61b01c9cbf7d62519d60/reports/4c75e820-fdb6-4a03-9a24-c7777e7eb953/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8a56dbf-a242-40c1-a8a1-5d9e6c03fbd7
Result
Threat name:
LodaRAT, Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156872
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected LodaRAT
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 789604 Sample: TDRSKO.exe Startdate: 23/01/2023 Architecture: WINDOWS Score: 100 84 jimbrown4441-34284.portmap.io 2->84 90 Malicious sample detected (through community Yara rule) 2->90 92 Antivirus detection for dropped file 2->92 94 Antivirus / Scanner detection for submitted sample 2->94 96 8 other signatures 2->96 10 TDRSKO.exe 2 6 2->10         started        15 Win32.exe 2->15         started        17 LEBYGR.exe 2 2->17         started        19 8 other processes 2->19 signatures3 process4 dnsIp5 88 jimbrown4441-34284.portmap.io 193.161.193.99, 34284, 49698, 49700 BITREE-ASRU Russian Federation 10->88 78 C:\Users\user\AppData\Roaming\...\Win32.exe, PE32 10->78 dropped 80 C:\Users\user\AppData\Local\Temp\LEBYGR.exe, PE32 10->80 dropped 82 C:\Users\user\AppData\Local\Temp\CBAWHL.vbs, ASCII 10->82 dropped 114 Creates multiple autostart registry keys 10->114 21 LEBYGR.exe 1 5 10->21         started        25 cmd.exe 1 10->25         started        27 wscript.exe 10->27         started        116 Antivirus detection for dropped file 15->116 118 Multi AV Scanner detection for dropped file 15->118 29 schtasks.exe 17->29         started        31 schtasks.exe 17->31         started        33 schtasks.exe 19->33         started        35 schtasks.exe 19->35         started        37 schtasks.exe 19->37         started        39 5 other processes 19->39 file6 signatures7 process8 file9 74 C:\Users\user\AppData\Local\Temp\Windw.exe, PE32 21->74 dropped 98 Antivirus detection for dropped file 21->98 100 Multi AV Scanner detection for dropped file 21->100 102 Machine Learning detection for dropped file 21->102 104 Uses schtasks.exe or at.exe to add and modify task schedules 21->104 41 Windw.exe 3 5 21->41         started        56 2 other processes 21->56 58 2 other processes 25->58 46 conhost.exe 29->46         started        48 conhost.exe 31->48         started        50 conhost.exe 33->50         started        52 conhost.exe 35->52         started        54 conhost.exe 37->54         started        60 5 other processes 39->60 signatures10 process11 dnsIp12 86 jimbrown4441-34284.portmap.io 41->86 76 C:\Users\user\AppData\Roaming\...\Windw.exe, PE32 41->76 dropped 106 Antivirus detection for dropped file 41->106 108 Multi AV Scanner detection for dropped file 41->108 110 Protects its processes via BreakOnTermination flag 41->110 112 4 other signatures 41->112 62 schtasks.exe 41->62         started        64 schtasks.exe 41->64         started        66 conhost.exe 56->66         started        68 conhost.exe 56->68         started        file13 signatures14 process15 process16 70 conhost.exe 62->70         started        72 conhost.exe 64->72         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/388ab95baf40b182dd03aea611509049aab338626aa902913a31ad0b7a7489d6/
Threat name:
Win32.Trojan.LoadaRat
Create hunting rule
Status:
Malicious
First seen:
2023-01-23 08:38:27 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
34 of 39 (87.18%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcflsw5picyyfxidv2tbcueqjgvlgodcnkuqfej2ggwqw6turhla._file
Verdict:
unknown
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat persistence trojan
Link:
https://tria.ge/reports/230123-mjtfqsee7z/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
njRAT/Bladabindi
Unpacked files
SH256 hash:
ac8eec68e830a58603644c4bf2f6b22b380a5796fad9e8af9b4c2052aac0795e
MD5 hash:
d3df43cf768aeb556d7d932cbc53f566
SHA1 hash:
648dac48d26745ccc619f3d0491c66b87af6ac54
Link:
https://www.unpac.me/results/c2422df8-6a94-4257-9df4-1ef948446682/
SH256 hash:
388ab95baf40b182dd03aea611509049aab338626aa902913a31ad0b7a7489d6
MD5 hash:
812725a066910cbe47ba16ddee3e9efe
SHA1 hash:
49e14d9c901726f16aafd850e4bea48051714699
Link:
https://www.unpac.me/results/c2422df8-6a94-4257-9df4-1ef948446682/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/388ab95baf40b182dd03aea611509049aab338626aa902913a31ad0b7a7489d6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

zip 3f72e08a3a93e083145e69aebf94ef9fa2dfe039bfc21d526c01ba2305046562

njrat

Executable exe 388ab95baf40b182dd03aea611509049aab338626aa902913a31ad0b7a7489d6

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3f72e08a3a93e083145e69aebf94ef9fa2dfe039bfc21d526c01ba2305046562
Cape
Cape
https://www.capesandbox.com/analysis/355843/
  
Dropped by
MD5 dc1c050cfbee16eaad4483533ce16efa

Comments