MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c86727fce52f4c23eeff8eeb9c37d0ba3ff63bf446e6fc4f61c39c201dac9b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 10

Intelligence 10 IOCs 1 YARA 3 File information Comments

SHA256 hash:	3c86727fce52f4c23eeff8eeb9c37d0ba3ff63bf446e6fc4f61c39c201dac9b6
SHA3-384 hash:	79a12c75a10fd1f3bbef8e40d8ee6e7f55413e8c0ef8e4bd7013a0cd24624298cf395736ffc6325e19497faee5b1e2b4
SHA1 hash:	887934ab692b1ea8698a0adce7a1226b421c15dc
MD5 hash:	42e07e51cab2706749200e0c80bea73d
humanhash:	butter-snake-alabama-quebec
File name:	42e07e51cab2706749200e0c80bea73d.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	631'296 bytes
First seen:	2022-10-10 21:40:43 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	3072:81/rz8baRYX2NCfOfW/mCOLK+PmGPWvnPjzf7nvCri/7HTz+Ky/GPeGiP2z7P3Pw:M/
Threatray	1'162 similar samples on MalwareBazaar
TLSH	T168D40C32D1992AB1C07BE33433F20EB383AA9DD0960ED6DD2A84D377776A743654168D
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):
dhash icon	414545c0d4c05503 (37 x njrat, 3 x AsyncRAT, 1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
141.255.152.251:1177

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
141.255.152.251:1177	https://threatfox.abuse.ch/ioc/876973/

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/318654/

Detection(s):

SecuriteInfo.com.BackDoor.Bladabindi.12231.3227.22024.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a file in the %AppData% subdirectories

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a process from a recently created file

Launching a process

Creating a process with a hidden window

Creating a file

Enabling the 'hidden' option for recently created files

Creating a window

DNS request

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bladabindi njrat

Link:

https://www.filescan.io/uploads/6344916f0aa036a7dfcdcc41/reports/916e76f2-8516-433c-be7d-ee7305eedff8/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/4607290d-bf27-4288-a2b1-75098f10c29b

Result

Threat name:

Njrat

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1087277

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c86727fce52f4c23eeff8eeb9c37d0ba3ff63bf446e6fc4f61c39c201dac9b6/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2022-10-07 03:03:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hsdhe76okl2mepxp7dxltq35bor76y57irxg7rhwdq44eao2zg3a._file

Verdict:

malicious

Label(s):

njrat

3434441f773ee5123b242705f95ce6cd367bdc5a19a751884d7b664346252225

njrat

3441e66bd2febee7b35a6268f466b526628cdc2de0abab93b5cbf8a4c239d50a

njrat

39ea311cb6b0131d43cdbc20532029aae7f9239ed3b7e6a46c3c822741e8c655

njrat

3b58425d746d06b145008132053d1f57079cf757eaae75b589b7950f2d95f88a

njrat

5325cdea20361dac7b59b75dd03c25274ae0e40629155f1112ce71549bf0b3e8

njrat

61a8385def4eb1be1e85b3f1bdb3b98721af8f522c675c89f18a24707ad5905a

njrat

fe962c612248fb612bcca5eb506dd010e4799fc5f290aa00887644cd9154d05c

njrat

ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32

njrat

+ 1'152 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat botnet:2023 persistence trojan

Link:

https://tria.ge/reports/221010-1jrh2adecq/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Drops startup file

Executes dropped EXE

njRAT/Bladabindi

Malware Config

C2 Extraction:

muhammed1.ddns.net:1177

Unpacked files

SH256 hash:

e50e0a5e18ad965e0e2b7c77facfb05d544d9fe873fdca83829a20804bd25b51

MD5 hash:

051dfb35500a00b2771432c3e9640214

SHA1 hash:

b18cd83e37e3b6aa674f8c01d6dd28c613718d5e

Link:

https://www.unpac.me/results/30649313-03c5-4d7e-866c-04e5ab149dc4/

SH256 hash:

3c86727fce52f4c23eeff8eeb9c37d0ba3ff63bf446e6fc4f61c39c201dac9b6

MD5 hash:

42e07e51cab2706749200e0c80bea73d

SHA1 hash:

887934ab692b1ea8698a0adce7a1226b421c15dc

Link:

https://www.unpac.me/results/30649313-03c5-4d7e-866c-04e5ab149dc4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.99

Link:

https://yomi.yoroi.company/submissions/3c86727fce52f4c23eeff8eeb9c37d0ba3ff63bf446e6fc4f61c39c201dac9b6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/318654/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample