MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dff7ec382a12eb1b4765c5e0927bcb9d7f34461dfd113cbc51fbb1aa0a33761. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3dff7ec382a12eb1b4765c5e0927bcb9d7f34461dfd113cbc51fbb1aa0a33761
SHA3-384 hash: ab86b5989814515d64bcd1bf3e0313d52d7549cb7e7e373faa12df5bb7677035d0f28a62a17f6ac09dbdb8b4aa841b4b
SHA1 hash: b015b6264a6facf28b6eb1f74fc266783c85516c
MD5 hash: 1bbb212f1c447babc6b3c5de73efcfe4
humanhash: seventeen-venus-sweet-cup
File name:1bbb212f1c447babc6b3c5de73efcfe4.exe
Download: download sample
Signature njrat
Create hunting rule
File size:7'983'656 bytes
First seen:2022-10-05 10:40:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep 98304:jwNRrCYpAx0tUktxSRKKHkj+3c4O4gQnFQOX3tzklAyb3cns513QUNLjrqz:jwjpCkzSpM4O4TnFDHtzktzKE13vNLjy
TLSH T1DF86335FBBC0D9DAD1986778A2C3D8C957315C8699CB11E4A790FE6247FC48CB83E428
TrID 48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.4% (.EXE) Win64 Executable (generic) (10523/12/4)
10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e0e8e4c4f0e8e0f4 (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
154.177.40.158:5552

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
154.177.40.158:5552 https://threatfox.abuse.ch/ioc/870799/

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/316850/
Detection(s):
SecuriteInfo.com.UntrustedCertificate.Generic99B.8129.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Creating a process with a hidden window
Launching a process
Searching for synchronization primitives
Searching for the window
DNS request
Creating a file in the %AppData% directory
Sending a custom TCP request
Unauthorized injection to a recently created process
Launching the process to interact with network services
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/41301/overview
Behaviour
MalwareBazaar
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/633d5f3f78d4acb349f4cfed/reports/8ef8ad32-43ee-44f4-b8f3-617f40d4ebed/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eecd90ea-242c-407c-9c99-59961a3ffcbd
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1084035
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains VNC / remote desktop functionality (version string found)
Creates autostart registry keys with suspicious names
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Uses regedit.exe to modify the Windows registry
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 716598 Sample: S4zkrYGHIa.exe Startdate: 05/10/2022 Architecture: WINDOWS Score: 72 80 Snort IDS alert for network traffic 2->80 82 Multi AV Scanner detection for domain / URL 2->82 84 Malicious sample detected (through community Yara rule) 2->84 86 11 other signatures 2->86 10 S4zkrYGHIa.exe 10 2->10         started        13 drvinst.exe 2->13         started        15 mscod.exe 2->15         started        17 4 other processes 2->17 process3 file4 74 C:\...\Wifi Password Show-Key Finder.exe, Unknown 10->74 dropped 19 Wifi Password Show-Key Finder.exe 10->19         started        22 kegen.exe 1 5 10->22         started        76 C:\Windows\System32\...\SET5162.tmp, PE32+ 13->76 dropped process5 file6 56 C:\...\Wifi Password Show-Key Finder.tmp, PE32 19->56 dropped 24 Wifi Password Show-Key Finder.tmp 5 313 19->24         started        58 C:\Users\user\AppData\Roaming\mscod.exe, PE32 22->58 dropped 27 mscod.exe 4 2 22->27         started        process7 dnsIp8 60 C:\Users\user\AppData\...\syspin.exe (copy), PE32 24->60 dropped 62 C:\Users\user\AppData\Local\...\is-3B06L.tmp, PE32 24->62 dropped 64 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 24->64 dropped 66 66 other files (54 malicious) 24->66 dropped 31 NetHelper.exe 24->31         started        33 net.exe 1 24->33         started        35 CertMgr.exe 24->35         started        39 2 other processes 24->39 78 hotkey.ddns.net 154.177.40.158, 49685, 5552 TE-ASTE-ASEG Egypt 27->78 88 Multi AV Scanner detection for dropped file 27->88 90 Creates autostart registry keys with suspicious names 27->90 92 Uses netsh to modify the Windows network and firewall settings 27->92 94 Modifies the windows firewall 27->94 37 netsh.exe 27->37         started        file9 signatures10 process11 process12 41 snetcfg.exe 31->41         started        44 conhost.exe 33->44         started        46 net1.exe 1 33->46         started        48 conhost.exe 35->48         started        50 conhost.exe 37->50         started        52 conhost.exe 39->52         started        file13 68 C:\Windows\System32\drivers\SETAA7E.tmp, PE32+ 41->68 dropped 70 C:\Users\user\AppData\...\nbdrv.sys (copy), PE32+ 41->70 dropped 72 C:\Users\user\AppData\Local\...\SET487A.tmp, PE32+ 41->72 dropped 54 conhost.exe 41->54         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3dff7ec382a12eb1b4765c5e0927bcb9d7f34461dfd113cbc51fbb1aa0a33761/
Threat name:
Win32.Trojan.Hider
Create hunting rule
Status:
Malicious
First seen:
2022-10-02 13:22:29 UTC
File Type:
PE (Exe)
Extracted files:
664
AV detection:
29 of 41 (70.73%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hx7x5q4cuexldndwlrpasj54xhl7grdb37irhs6fd65rvifdg5qq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:mscod evasion persistence trojan
Link:
https://tria.ge/reports/221005-mq39hsecek/
Behaviour
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction:
hotkey.ddns.net:5552
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3dbaf315-1227-4e1f-a191-bb4f75026d84
Unpacked files
SH256 hash:
d19712d381fcd45e58d46e6a930d7827b5a5fb4434c8ee9ae1819fb03a0ba380
MD5 hash:
ffefe07d32cebf6470f6e577ea3cb0cb
SHA1 hash:
de26b82b1e32c67faff3227ca9d65e40914fddb6
Link:
https://www.unpac.me/results/59c0ad76-bc7d-4c6d-a83b-f6ac8b6099c9/
SH256 hash:
af41154dd2456652fd8461e0039705105bde02f5563808209c1d050662fd206e
MD5 hash:
ff69e66b97da8d9e46a7b73cc60177a8
SHA1 hash:
6f5275a7d4eb3039de7a2d21c972a26f9be95526
Link:
https://www.unpac.me/results/59c0ad76-bc7d-4c6d-a83b-f6ac8b6099c9/
SH256 hash:
0baecf5f7028f569447e573f7f8a8fcc5901d2f1879691ece103d6738ef8f0e4
MD5 hash:
fd853a45ffdbb1b1ec04f1199abe454b
SHA1 hash:
576efd75eb4735cd94e99c6bc7329c0e075f12b8
Link:
https://www.unpac.me/results/59c0ad76-bc7d-4c6d-a83b-f6ac8b6099c9/
SH256 hash:
6b3bfeba8ef5c46101f922b8b682f1676765449dfcb608b498d5c31ca0ccb96c
MD5 hash:
228b7c1dd6a2ee6dd31636affbcf1816
SHA1 hash:
229f07d4db9c2fc8e56a3380cf6d4c07392057aa
Link:
https://www.unpac.me/results/59c0ad76-bc7d-4c6d-a83b-f6ac8b6099c9/
SH256 hash:
6b0efad039988e68023625b8eac885bc554603a561718034784c76f7b4ef9bf0
MD5 hash:
83f13e536e4def6b5bc6bd8244c79dbe
SHA1 hash:
7fa8c4f5e4b108a39c97284a07d6efdec0787aa6
Link:
https://www.unpac.me/results/59c0ad76-bc7d-4c6d-a83b-f6ac8b6099c9/
SH256 hash:
d958c7402ee45361172649bbc44f8b86caa0c62943b1e9dd1d87a1d0ec853488
MD5 hash:
ce03a603381eeafa2e229cdc53743731
SHA1 hash:
17a00e4b8fb6cf542b3bd6deebaaf48c756ed9fd
Link:
https://www.unpac.me/results/59c0ad76-bc7d-4c6d-a83b-f6ac8b6099c9/
SH256 hash:
3dff7ec382a12eb1b4765c5e0927bcb9d7f34461dfd113cbc51fbb1aa0a33761
MD5 hash:
1bbb212f1c447babc6b3c5de73efcfe4
SHA1 hash:
b015b6264a6facf28b6eb1f74fc266783c85516c
Link:
https://www.unpac.me/results/59c0ad76-bc7d-4c6d-a83b-f6ac8b6099c9/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3dff7ec382a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3dff7ec382a12eb1b4765c5e0927bcb9d7f34461dfd113cbc51fbb1aa0a33761

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/316850/

Comments