MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 405ce89e927ad2d13ab0bfcbdeec61af03454b034f5acfeaa756571f8a15198b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 15



SHA256 hash: 405ce89e927ad2d13ab0bfcbdeec61af03454b034f5acfeaa756571f8a15198b
SHA3-384 hash: b9b2d27aacfb428c38f0acd3ac40935a78810f5bf0907706cf8e28104ebf62f1d1f5423b24c5263b8a98ef4d5cb366c7
SHA1 hash: a6d0582c67099889909b5723c3223e72e5d8d835
MD5 hash: 8496b94ce84599e9e16b77729ceb9287
humanhash: maine-alanine-emma-purple
File name: 405CE89E927AD2D13AB0BFCBDEEC61AF03454B034F5AC.exe
Signature: njrat
File size: 7'299'550 bytes
First seen: 2023-11-09 07:55:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:5YNkkqVvgWPKbpuu1rEe11F5w2jg8Hz//b/PxJfTgxxsACljbzRvfTBvZUD3ySqH:5m
Threatray 133 similar samples on MalwareBazaar
TLSH T1E17633104F6D3F56DB28423CB0EF6F1E1BA0BF548009E6D667D564CB265BBC20A0F95A
TrID 59.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.6% (.SCR) Windows screen saver (13097/50/3)
8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon b36bf0b161913280 (2 x njrat, 1 x RedLineStealer, 1 x AZORult)
Reporter abuse_ch
Tags: exe NjRAT RAT


abuse_ch
njrat C2:
93.190.143.118:443

Intelligence


File Origin
# of uploads: 1
# of downloads: 398
Origin country: NL
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file
Running batch commands
Sending a custom TCP request
Launching a process
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: obfuscated overlay packed packed smartassembly smart_assembly
Result
Verdict: MALICIOUS
Malware family: winactivator
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 80 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph (process tree recovered from the graph rendering):
  Behavior Graph ID: 1339565; Sample: 405CE89E927AD2D13AB0BFCBDEE...; Startdate: 09/11/2023; Architecture: WINDOWS; Score: 80
  Start node signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 12 other signatures
  405CE89E927AD2D13AB0BFCBDEEC61AF03454B034F5AC.exe (started)
    dropped: C:\Users\user\AppData\Local\Temp\lsass.exe (PE32); C:\Users\user\AppData\Local\...\KMSAuto.exe (PE32)
    signatures: Drops PE files with benign system names
    lsass.exe (started)
      network: 93.190.143.118:443 (local ports 49735, 49736), WORLDSTREAMNL, Netherlands
      dropped: C:\...\36f1336cd593172fe0f47dffcbc9c4d2.exe (PE32)
      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 4 other signatures
      netsh.exe (started)
        conhost.exe (started)
    KMSAuto.exe (started)
      dropped: C:\Users\user\AppData\Local\...\signtool.exe (PE32)
      signatures: Machine Learning detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      WMIC.exe (started)
        signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
        conhost.exe (started)
      cmd.exe (started)
        WMIC.exe (started)
        conhost.exe (started)
      cmd.exe (started)
        conhost.exe (started)
        WMIC.exe (started)
      4 other processes (started)
        conhost.exe (started)
        conhost.exe (started)
        4 other processes (started)
  lsass.exe (started directly from the start node; 3 further instances)
Threat name: ByteCode-MSIL.Trojan.Perseus
Status: Malicious
First seen: 2022-01-28 23:24:00 UTC
File Type: PE (.Net Exe)
Extracted files: 20
AV detection: 23 of 24 (95.83%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:njrat botnet:hacked- ** actv win ** evasion persistence trojan upx
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
UPX packed file
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction: 93.190.143.118:443
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: adonunix2
Author: Tim Brown @timb_machine
Description: AD on UNIX
Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address
Rule name: Check_Wine
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name: INDICATOR_EXE_Packed_SmartAssembly
Author: ditekSHen
Description: Detects executables packed with SmartAssembly
Rule name: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author: ditekSHen
Description: Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: UPX20030XMarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXProtectorv10x2
Author: malware-lu
Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu
Rule name: UPXv20MarkusLaszloReiser
Author: malware-lu
Rule name: vbaproject_bin
Author: CD_R0M_
Description: {76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments