MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39e03a91f48ef299ca71775121d2b7037897f478d84fce131e5b2049eb2b786b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs 4 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 39e03a91f48ef299ca71775121d2b7037897f478d84fce131e5b2049eb2b786b
SHA3-384 hash: ea0206be002659217400696ed8345ebdc0adbf7c0e2ffac379e8f20525379ceb514c8a3ae7e3df7d174a3c0063f43d9a
SHA1 hash: 8ec30e3be5032df31f6f98d18668fb7259580c44
MD5 hash: d6f74f6c6fd51e2a67729383a609ed01
humanhash: india-ten-cold-zulu
File name:d6f74f6c6fd51e2a67729383a609ed01.exe
Download: download sample
Signature njrat
Create hunting rule
File size:501'143 bytes
First seen:2022-04-10 22:41:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:yRZ+IoG/n9IQxW3OBseDT+tG8bxfAX1YIN2/CYiPqDu:82G/nvxW3WdmxfAXLpPuu
Threatray 8'753 similar samples on MalwareBazaar
TLSH T159B4E102FDC159B2C6610D324669AB61257D7D201F248FEBA3D86E6DE9301D0FB31BA7
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.131.147.49:11113

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.131.147.49:11113 https://threatfox.abuse.ch/ioc/518480/
3.22.15.135:11113 https://threatfox.abuse.ch/ioc/518481/
3.129.187.220:11113 https://threatfox.abuse.ch/ioc/518482/
3.138.180.119:11113 https://threatfox.abuse.ch/ioc/518483/

Intelligence

File Origin
# of uploads :
1
# of downloads :
475
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d6f74f6c6fd51e2a67729383a609ed01.exe
Verdict:
Suspicious activity
Analysis date:
2022-04-10 22:43:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6c344f32-2945-4203-ad80-c9ef0ff6674b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/262450/
Detection(s):
Win.Trojan.Generic-9942096-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Running batch commands
Creating a process from a recently created file
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% directory
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching a tool to kill processes
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/13359/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/62535d3c04b81dabe2793254/reports/934f3206-d656-4806-a562-9014cb5404f5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/af5f017a-3a74-4aa7-950f-f877f91c133e
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/974134
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Detected njRat
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Drops fake system file at system root drive
Sigma detected: File Created with System Process Name
Sigma detected: Suspcious CLR Logs Creation
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Uses taskkill to terminate AV processes
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 606621 Sample: ugRkPg0vbr.exe Startdate: 11/04/2022 Architecture: WINDOWS Score: 100 66 4.tcp.ngrok.io 2->66 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Malicious sample detected (through community Yara rule) 2->80 82 Antivirus detection for dropped file 2->82 84 12 other signatures 2->84 12 ugRkPg0vbr.exe 4 2->12         started        15 svchost.exe 2->15         started        18 svchost.exe 2->18         started        20 11 other processes 2->20 signatures3 process4 dnsIp5 62 C:\VisualHacking_1.2.5.sfx.exe, PE32 12->62 dropped 23 cmd.exe 1 12->23         started        102 Changes security center settings (notifications, updates, antivirus, firewall) 15->102 25 MpCmdRun.exe 15->25         started        104 Query firmware table information (likely to detect VMs) 18->104 68 127.0.0.1 unknown unknown 20->68 70 192.168.2.1 unknown unknown 20->70 64 C:\Users\user\AppData\...\svchost.exe.log, ASCII 20->64 dropped file6 signatures7 process8 process9 27 VisualHacking_1.2.5.sfx.exe 3 23->27         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        file10 60 C:\VisualHacking_1.2.5.exe, PE32 27->60 dropped 100 Multi AV Scanner detection for dropped file 27->100 35 VisualHacking_1.2.5.exe 1 5 27->35         started        signatures11 process12 file13 52 C:\Users\user\AppData\Roaming\svchost.exe, PE32 35->52 dropped 86 Antivirus detection for dropped file 35->86 88 Machine Learning detection for dropped file 35->88 90 Drops PE files with benign system names 35->90 39 svchost.exe 2 9 35->39         started        signatures14 process15 dnsIp16 72 3.131.147.49, 11113, 49722, 49724 AMAZON-02US United States 39->72 74 3.133.207.110, 11113, 49837 AMAZON-02US United States 39->74 76 4 other IPs or domains 39->76 54 C:\svchost.exe, PE32 39->54 dropped 56 C:\...\36386e890598642806af9b791569153a.exe, PE32 39->56 dropped 58 C:\autorun.inf, Microsoft 39->58 dropped 92 Antivirus detection for dropped file 39->92 94 System process connects to network (likely due to code injection or exploit) 39->94 96 Uses taskkill to terminate AV processes 39->96 98 8 other signatures 39->98 44 taskkill.exe 1 39->44         started        46 netsh.exe 1 3 39->46         started        file17 signatures18 process19 process20 48 conhost.exe 44->48         started        50 conhost.exe 46->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/39e03a91f48ef299ca71775121d2b7037897f478d84fce131e5b2049eb2b786b/
Threat name:
Win32.Trojan.Zilla
Create hunting rule
Status:
Malicious
First seen:
2022-04-08 23:30:23 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
19 of 42 (45.24%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hhqdvepur3zjtstro5isduvxan4jp5dy3bh44ey6lmqet2zlpbvq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
0087b8cfcb8eeeb038ccf007e78e78c18001c79b440891853893851887e88738
njrat
1292e5a45426d40909dc8199da5fc6346a4b8a652baff6bacee9e64bb253f16c
njrat
22624e441ebb33943e4c72b4f4c3b625b0f7ec3d8b2afada33a92771144b0373
njrat
2a22805bbe73a869fc9240d722d6cfb22c582683918103bda90f3a321756c44d
njrat
329c2259d6015d98464322b873b783d18da6ac1a13d7ec40d1de9f143659b1bb
njrat
6cb0c6c55411375878184fba0feeee93c99c7f184818449e548ef875486ec38a
njrat
7cc4f1580d6f425b3025bdb83a4782bea363f6d8c1c7fa6374e159aa06327ca2
njrat
a43c0d39f01808746f82c041edad38edbb89334c098311331d3e2733824f6259
njrat
ffe8dbc4f815fe713c790a19b5122c79d1de9c817f10edf7d86ca297175ce439
njrat
+ 8'743 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:deathhackers evasion persistence suricata trojan
Link:
https://tria.ge/reports/220410-2mmvpadgdr/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Enumerates physical storage devices
Drops autorun.inf file
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
4.tcp.ngrok.io:11113
Unpacked files
SH256 hash:
aebfd767e2960b867e09ed660ebf04bf9f0e16f7b9593c9f6c9c7541effadbb0
MD5 hash:
808df2250e1a6721ee89fcd46e09318b
SHA1 hash:
feca90d410f1e1f0269e3eff9718ea2f51fdf347
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/23a06138-69f7-4eae-bfec-ce046b91e3fc/
SH256 hash:
39e03a91f48ef299ca71775121d2b7037897f478d84fce131e5b2049eb2b786b
MD5 hash:
d6f74f6c6fd51e2a67729383a609ed01
SHA1 hash:
8ec30e3be5032df31f6f98d18668fb7259580c44
Link:
https://www.unpac.me/results/23a06138-69f7-4eae-bfec-ce046b91e3fc/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/39e03a91f48e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/39e03a91f48ef299ca71775121d2b7037897f478d84fce131e5b2049eb2b786b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/262450/

Comments