MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40e593b8ec5b014b56d4b1c2572b11385ee2151ddb73dc7ee8a2ef4a7fb1bae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40e593b8ec5b014b56d4b1c2572b11385ee2151ddb73dc7ee8a2ef4a7fb1bae8
SHA3-384 hash: d941d0b6d13d8da3d88dbde025cc1c4d46571bc3efad9d7408054f3278fce333567d44babf54816cb3e36ee82e2ad0a1
SHA1 hash: c62782e2468daaccb5474a9ac7bbb2cb75088421
MD5 hash: 8080fef17c2b0e3f6862ea32a120dbc7
humanhash: kitten-one-sad-kitten
File name:8080FEF17C2B0E3F6862EA32A120DBC7.exe
Download: download sample
Signature njrat
Create hunting rule
File size:539'574 bytes
First seen:2021-05-03 01:45:21 UTC
Last seen:2021-05-03 02:00:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:URZ+IoG/n9IQxW3OBseUUT+tcYbSbxbhh0fibVKshGTLTt7dba:u2G/nvxW3WieCSbJ0qbVKdX2
Threatray 715 similar samples on MalwareBazaar
TLSH E6B4E101BEC194B2D5711D325A39AB20693CBD201F24DEEFA3D46A5DDA341C0EA35BB7
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
187.10.231.26:5000

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
187.10.231.26:5000 https://threatfox.abuse.ch/ioc/28073/

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/148055/
Detection(s):
SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a UDP request
Creating a process with a hidden window
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/706827
Signature
.NET source code contains very large strings
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 402334 Sample: oQmEJT3IKr.exe Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 46 Found malware configuration 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Antivirus detection for dropped file 2->50 52 9 other signatures 2->52 10 oQmEJT3IKr.exe 8 2->10         started        13 Host de Rede.exe 1 2->13         started        15 Host de Rede.exe 2->15         started        17 Host de Rede.exe 2->17         started        process3 file4 40 C:\Users\user\AppData\...\HostdeRede.exe, PE32 10->40 dropped 19 HostdeRede.exe 8 10->19         started        process5 file6 36 C:\Users\user\AppData\...\HostdeRede.exe, PE32 19->36 dropped 54 Multi AV Scanner detection for dropped file 19->54 23 HostdeRede.exe 1 3 19->23         started        signatures7 process8 file9 38 C:\Users\user\AppData\...\Host de Rede.exe, PE32 23->38 dropped 56 Antivirus detection for dropped file 23->56 58 Multi AV Scanner detection for dropped file 23->58 60 Machine Learning detection for dropped file 23->60 27 Host de Rede.exe 4 3 23->27         started        signatures10 process11 dnsIp12 44 ativadores2021.sytes.net 187.10.231.26, 5000 TELEFONICABRASILSABR Brazil 27->44 42 C:\...\f6012d15862396d33951e65a80b4be9e.exe, PE32 27->42 dropped 62 Creates autostart registry keys with suspicious names 27->62 32 netsh.exe 1 3 27->32         started        file13 signatures14 process15 process16 34 conhost.exe 32->34         started       
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/40e593b8ec5b014b56d4b1c2572b11385ee2151ddb73dc7ee8a2ef4a7fb1bae8/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 04:19:09 UTC
File Type:
PE (Exe)
Extracted files:
35
AV detection:
17 of 47 (36.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=idszhohmlmauwvwuwhbfokyrhbpoefi53nz5y7xiulxuu75rxlua._file
Verdict:
malicious
Similar samples:
5cbafb76c6a0e930414647523ffb4abe9d9ab7f41270ddf4c4ef5d9fd1f39346
njrat
6d915396aa09593693247c54c4a91feea691dc6e5f4ff234791a6193d2b5ac1b
njrat
7416875c44dab7adebe7e6809228adabe17c38abae4bf9c6d49c72fd967621e4
njrat
78710c49b37af00745534239b0d17c2e019a99f867492667592d131b77f0933f
njrat
8060ecf4c1dc957aefdbfc835361541af83a9e5d6433f5abb073477c59f16e4c
njrat
91b886840c7f674d17b48e5d2264228a55fe0f28e32e102c84dad5cca49ed807
njrat
c77a79785de7336c777bb3d65e0914c39c265b81494b50c64ce835cb9712855e
njrat
d31dcb27d98e4e58b3210b325121812395dc8f64c7c20398d8144346a10d7350
njrat
e2efc9d3d3132046d0567a2198ed10a65fb764b1091d399323f7029e0f22b73f
njrat
e46a16ade0a00728c59210acdcd131a5bab46470d9acb07afb58917a1e287456
njrat
+ 705 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan
Link:
https://tria.ge/reports/210503-866kmgxmfj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
SH256 hash:
b9c046742a66572c4d6a9a5404e8b1313a0ef97b034747dbc1c1be279148ceee
MD5 hash:
f4be48133d32b2d544227dfbac183ee6
SHA1 hash:
b62d944ff8721d813e719ed287f139a758dd59e3
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/22df31de-ef1b-4f2e-8a74-2fe2ffeb25f2/
SH256 hash:
0fefa98c13266b6a052803ae594d0c818eab7c8a7366e0d02b94525b87df0869
MD5 hash:
32a50e560f019a49bec23f6c7f1a43db
SHA1 hash:
260549487c32e2beddd80be307cbd580d5b98b3a
Link:
https://www.unpac.me/results/22df31de-ef1b-4f2e-8a74-2fe2ffeb25f2/
SH256 hash:
40e593b8ec5b014b56d4b1c2572b11385ee2151ddb73dc7ee8a2ef4a7fb1bae8
MD5 hash:
8080fef17c2b0e3f6862ea32a120dbc7
SHA1 hash:
c62782e2468daaccb5474a9ac7bbb2cb75088421
Link:
https://www.unpac.me/results/22df31de-ef1b-4f2e-8a74-2fe2ffeb25f2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/40e593b8ec5b014b56d4b1c2572b11385ee2151ddb73dc7ee8a2ef4a7fb1bae8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/148055/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-03 02:01:04 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0029.002] Cryptography Micro-objective::SHA1::Cryptographic Hash
1) [C0029.003] Cryptography Micro-objective::SHA256::Cryptographic Hash
2) [C0031.001] Cryptography Micro-objective::AES::Decrypt Data
3) [C0032.001] Data Micro-objective::CRC32::Checksum
4) [C0026.002] Data Micro-objective::XOR::Encode Data
5) [C0030.001] Data Micro-objective::MurmurHash::Non-Cryptographic Hash
6) [F0004.007] Defense Evasion::Bypass Windows File Protection
8) [C0046] File System Micro-objective::Create Directory
9) [C0048] File System Micro-objective::Delete Directory
10) [C0047] File System Micro-objective::Delete File
11) [C0049] File System Micro-objective::Get File Attributes
12) [C0051] File System Micro-objective::Read File
13) [C0050] File System Micro-objective::Set File Attributes
14) [C0052] File System Micro-objective::Writes File
15) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
16) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
17) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
18) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
19) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
20) [C0040] Process Micro-objective::Allocate Thread Local Storage
21) [C0017] Process Micro-objective::Create Process
22) [C0038] Process Micro-objective::Create Thread
23) [C0041] Process Micro-objective::Set Thread Local Storage Value
24) [C0018] Process Micro-objective::Terminate Process