MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e7cf8b2e3f6d13ecfccc5eb1cfb57dfe12303e3315500cecf37f53687a3c784. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3e7cf8b2e3f6d13ecfccc5eb1cfb57dfe12303e3315500cecf37f53687a3c784
SHA3-384 hash: dfe5232163a1159009544a8c3ee18ba997b165e8a894547593b66a96408af1ba621af35561f9be2d631b1d59c76f6bc7
SHA1 hash: 92ecef74c844c9863fa5b5e7ced12c1ee648dbf0
MD5 hash: ab3c1f05aaf4cac261fc3fd28618bb81
humanhash: west-fanta-mexico-helium
File name:ab3c1f05aaf4cac261fc3fd28618bb81.exe
Download: download sample
Signature njrat
Create hunting rule
File size:1'609'120 bytes
First seen:2022-02-03 07:06:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4070734502a100c8f90bbd445995533 (11 x CryptOne, 5 x DCRat, 2 x njrat)
ssdeep 24576:lGHCm8uPdJuwN7ikkIiYO2OLlGgKkHb9SPAL6PgH23fpC7hxc9/fdKifXC+0Ek7U:MuWzFhkAMBDKkHOPgWhC14dwY
Threatray 24 similar samples on MalwareBazaar
TLSH T191752302BAC14CB2E1B31C765739D721B97975602FB6CACFA390195D87A15C0EF31BA2
File icon (PE):PE icon
dhash icon 2b5899b16a99ce6c (2 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
190.189.114.92:4444

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
190.189.114.92:4444 https://threatfox.abuse.ch/ioc/378151/

Intelligence

File Origin
# of uploads :
1
# of downloads :
261
Origin country :
n/a
Vendor Threat Intelligence
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/231667/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader11.13729.7346.27398.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/5827/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi greyware meterpreter overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/61fb7ee218d1bfdde4eea060/reports/3f3be2b2-de11-4dcb-9566-6584ef3e8d8d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/384fb2ad-c9cc-4d63-9f86-68b17e3b1b6e
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/933080
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3e7cf8b2e3f6d13ecfccc5eb1cfb57dfe12303e3315500cecf37f53687a3c784/
Threat name:
ByteCode-MSIL.Trojan.Fugrafa
Create hunting rule
Status:
Malicious
First seen:
2022-02-01 18:36:00 UTC
File Type:
PE (Exe)
Extracted files:
33
AV detection:
29 of 43 (67.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hz6prmxd63it5t6myxvrz62x37qsga7dgfkqbtwpg72tnb5dy6ca._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
325ecd90ce19dd8d184ffe7dfb01b0dd02a77e9eabcb587f3738bcfbd3f832a1
njrat
6256527c14f620b3e72b8841930d51e83d9a443a5f3676e966d3f2969ed35bfa
njrat
8eded48c166f50be5ac33be4b010b09f911ffc155a3ab76821e4febd369d17ef
njrat
bb55fcf1625411295d87059f3116db4109ef0783504fbce9c5eca05ef72d45e0
njrat
+ 14 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:2020 evasion suricata trojan
Link:
https://tria.ge/reports/220203-hw41sadgaj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
Malware Config
C2 Extraction:
ShadowCrow1997.duckdns.org:4444
Unpacked files
SH256 hash:
5f47cd15c4d9b0b45dc6d8f06d58890f05330b66aa0098e462945b946dbdaf50
MD5 hash:
30fd76d451bfcde402c3b3eb83421535
SHA1 hash:
ab8b60aacac284db1a6d45d893db1550f905f60a
Link:
https://www.unpac.me/results/137042b6-119d-4f3a-bf50-6c859a54bf9c/
SH256 hash:
b51ff6f2f04549b7b1699067c744ed376d22213da42bec48966feb23a345d72e
MD5 hash:
98584cda364c8a8ec2a53c0620b0d78a
SHA1 hash:
3bee94c9cc3edd8a213453b7ed952eda69a820bc
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/137042b6-119d-4f3a-bf50-6c859a54bf9c/
SH256 hash:
3e7cf8b2e3f6d13ecfccc5eb1cfb57dfe12303e3315500cecf37f53687a3c784
MD5 hash:
ab3c1f05aaf4cac261fc3fd28618bb81
SHA1 hash:
92ecef74c844c9863fa5b5e7ced12c1ee648dbf0
Link:
https://www.unpac.me/results/137042b6-119d-4f3a-bf50-6c859a54bf9c/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/3e7cf8b2e3f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/3e7cf8b2e3f6d13ecfccc5eb1cfb57dfe12303e3315500cecf37f53687a3c784

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/231667/

Comments