MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3cda93c7bdf9531aad606df7e3b9485ae8fffb3d3480d24c3f9d12ac203ca1ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 15

Intelligence 15 IOCs YARA 6 File information Comments 1

SHA256 hash:	3cda93c7bdf9531aad606df7e3b9485ae8fffb3d3480d24c3f9d12ac203ca1ec
SHA3-384 hash:	d5ffa32542c74f7bc2e18ca2bae9176944a21d9188d45b9b6b5df3bfdf457f248cee5b30bcbfa5a54290096966afcddd
SHA1 hash:	f3dfceb676b16e6a4327ab557baba96f1930b7e2
MD5 hash:	217c4f4c7f4e70b2576bab1bd027b2cb
humanhash:	salami-carbon-xray-fourteen
File name:	217c4f4c7f4e70b2576bab1bd027b2cb
Download:	download sample
Signature	njrat Create hunting rule
File size:	37'888 bytes
First seen:	2022-07-19 10:07:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	384:GrC1MiLhBndznNCyMGmFgCHdPc2iXfsrAF+rMRTyN/0L+EcoinblneHQM3epzXoe:vHRNRMGmFxJ9iPsrM+rMRa8Nu+qt
Threatray	1'058 similar samples on MalwareBazaar
TLSH	T168033A4D7BF18168C5FE457B06B2D41207BAE04F6E23D90E8EE564AA37636C08B54EF1
TrID	61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.0% (.SCR) Windows screen saver (13101/52/3) 8.8% (.EXE) Win64 Executable (generic) (10523/12/4) 5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	zbetcheckin
Tags:	32 exe NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

304

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

build.exe

Verdict:

Malicious activity

Analysis date:

2022-07-18 15:32:06 UTC

Tags:

loader

Link:

https://app.any.run/tasks/1c805310-bd8c-49f4-80e8-3a230a045c6a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

njRat

Link:

https://www.capesandbox.com/analysis/291831/

Detection(s):

Win.Packed.Bladabindi-7994427-0

Win.Trojan.Generic-6417450-0

Win.Trojan.Generic-6454614-0

Win.Trojan.Generic-6454615-0

Win.Trojan.B-468

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Enabling the 'hidden' option for analyzed file

Creating a file in the Windows directory

Creating a process from a recently created file

Creating a file

Creating a process with a hidden window

Creating a window

Searching for synchronization primitives

DNS request

Launching the process to change the firewall settings

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd.exe fingerprint greyware keylogger njrat packed rat stealer

Link:

https://www.filescan.io/uploads/62d682feef2b0e63a825c119/reports/68be7e94-8b02-4a4d-8894-0fac114d623c/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/53bdb059-1411-43a2-835c-d701ef9a562c

Result

Threat name:

njRat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1036419

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Detected njRat

Drops executables to the windows directory (C:\Windows) and starts them

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Protects its processes via BreakOnTermination flag

Uses netsh to modify the Windows network and firewall settings

Yara detected Generic Downloader

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3cda93c7bdf9531aad606df7e3b9485ae8fffb3d3480d24c3f9d12ac203ca1ec/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2022-07-18 19:58:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 26 (96.15%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=htnjhr557fjrvllanx36hokillup76z5gsanetb7tujkyib4uhwa._file

Verdict:

malicious

Label(s):

njrat

5320400539e21be4eee7c8adc75f045b957d5696007adb23c0f390bcfdfea9cc

njrat

53777546c28cb8912525bf2f3f0e7a69e29f61755b82cbba7d1a0c0d9c562536

njrat

772ca61d127be3c8992d2537bca4e0df6f77b68718d086cb4eef28fb7c6412b9

njrat

c7b54cc4aa3d4b08652359ddb2e8b0d91ccd6d0a01c7a34eb527fde4f0f44957

njrat

cf0f62c6105ceec3db23af296678feed3ea95d14ff032223d5397c7351cfc9e0

njrat

ffe8dbc4f815fe713c790a19b5122c79d1de9c817f10edf7d86ca297175ce439

njrat

+ 1'048 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat botnet:тест evasion trojan

Link:

https://tria.ge/reports/220719-l58bcacbdn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Checks computer location settings

Executes dropped EXE

Modifies Windows Firewall

njRAT/Bladabindi

Malware Config

C2 Extraction:

6.tcp.eu.ngrok.io:12088

Unpacked files

SH256 hash:

3cda93c7bdf9531aad606df7e3b9485ae8fffb3d3480d24c3f9d12ac203ca1ec

MD5 hash:

217c4f4c7f4e70b2576bab1bd027b2cb

SHA1 hash:

f3dfceb676b16e6a4327ab557baba96f1930b7e2

Detections:

win_njrat_g1

win_njrat_w1

Link:

https://www.unpac.me/results/1f3fb866-0a20-4e79-b8c3-5870c1063c4f/

Malware family:

njRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3cda93c7bdf9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NJRat

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/3cda93c7bdf9531aad606df7e3b9485ae8fffb3d3480d24c3f9d12ac203ca1ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_netsh_firewall_command Create hunting rule
Author:	SECUINFRA Falcon Team

Rule name:	SUSP_Ngrok_URL Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects a PE file that contains an ngrok.io URL. This can be used as C2 channel