MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3f44beed7683b961aadd7837ebb51befd88369f5a0bd78858f41ad86f358a99a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3f44beed7683b961aadd7837ebb51befd88369f5a0bd78858f41ad86f358a99a
SHA3-384 hash: dd39f057d8bc318662e628493c83759ee01094e661eb0c3ff7a214feed328e963f842aea7637ca9a01e33f5fac665e23
SHA1 hash: e357065edbf5b7f6462c388a2b55b1fbadeb7f8a
MD5 hash: 93fa98d285e6b42b261f619a154c496c
humanhash: angel-montana-coffee-louisiana
File name:3f44beed7683b961aadd7837ebb51befd88369f5a0bd78858f41ad86f358a99a
Download: download sample
Signature njrat
Create hunting rule
File size:496'640 bytes
First seen:2020-11-07 16:45:11 UTC
Last seen:2020-11-07 16:50:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d5d9d937853db8b666bd4b525813d7bd (40 x DCRat, 28 x njrat, 5 x RedLineStealer)
ssdeep 12288:Oqtw9MdyLTA3qaehKiFhEmChsQ7rht8BBTj1jE33:3k7TA38KwrChTgBBXhM3
Threatray 514 similar samples on MalwareBazaar
TLSH 53B4238B061BCED5ED2E7CB7AA80D8A6D3301457F2339F876B50A6E913014FD512A8F4
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Creating a file in the mass storage device
Connection attempt to an infection source
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3f44beed7683b961aadd7837ebb51befd88369f5a0bd78858f41ad86f358a99a/
Threat name:
Win32.Backdoor.Poison
Create hunting rule
Status:
Malicious
First seen:
2020-11-07 16:47:27 UTC
AV detection:
41 of 48 (85.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=h5cl53lwqo4wdkw5pa36xni357mig2pvuc6xrbmpigwyn42yvgna._file
Verdict:
malicious
Similar samples:
0087b8cfcb8eeeb038ccf007e78e78c18001c79b440891853893851887e88738
njrat
1292e5a45426d40909dc8199da5fc6346a4b8a652baff6bacee9e64bb253f16c
njrat
22624e441ebb33943e4c72b4f4c3b625b0f7ec3d8b2afada33a92771144b0373
njrat
27f7e212954191d2fc10676ad69942421e904a5719cb2001149de2bb38c0610f
njrat
2a22805bbe73a869fc9240d722d6cfb22c582683918103bda90f3a321756c44d
njrat
329c2259d6015d98464322b873b783d18da6ac1a13d7ec40d1de9f143659b1bb
njrat
6cb0c6c55411375878184fba0feeee93c99c7f184818449e548ef875486ec38a
njrat
a43c0d39f01808746f82c041edad38edbb89334c098311331d3e2733824f6259
njrat
ed34d4eba0bc7d434f32bb9bca0147632592656ddf0c2aa892fbee54b0850ff1
njrat
ffe8dbc4f815fe713c790a19b5122c79d1de9c817f10edf7d86ca297175ce439
njrat
+ 504 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/201108-js6gmlvwpa/
Behaviour
Modifies system certificate store
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of WriteProcessMemory
Drops autorun.inf file
Drops autorun.inf file
Modifies service
Modifies service
Adds Run key to start application
Adds Run key to start application
Drops startup file
Drops startup file
Loads dropped DLL
Loads dropped DLL
Executes dropped EXE
Executes dropped EXE
Modifies Windows Firewall
Modifies Windows Firewall
Unpacked files
SH256 hash:
3f44beed7683b961aadd7837ebb51befd88369f5a0bd78858f41ad86f358a99a
MD5 hash:
93fa98d285e6b42b261f619a154c496c
SHA1 hash:
e357065edbf5b7f6462c388a2b55b1fbadeb7f8a
Link:
https://www.unpac.me/results/8a92d9a7-ec78-4f3e-bad7-0ecc455f5193/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments