MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41c69edec65f4baa333a8598fba2bfa832e327711e4c773f8bc52cd34b0b7e22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41c69edec65f4baa333a8598fba2bfa832e327711e4c773f8bc52cd34b0b7e22
SHA3-384 hash: 37493d843400deb9d133d54c09e7d10d8397407693ad0eda639e0fe6fb279b73215c636777bcdc4dacd2b1f30b5964b7
SHA1 hash: 8782b48b3cd171fdc4245d7400d19d88202e41c6
MD5 hash: 592a36246a9fa6df0a750eb76a7a4bd7
humanhash: salami-harry-nitrogen-pasta
File name:41c69edec65f4baa333a8598fba2bfa832e327711e4c773f8bc52cd34b0b7e22
Download: download sample
Signature njrat
Create hunting rule
File size:861'184 bytes
First seen:2021-08-31 10:24:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:o2FEZJYs6oBpCS4gZS06NZfNMpuB3hNL:o2FEZJKMpS04Z1MkB/L
Threatray 2'153 similar samples on MalwareBazaar
TLSH T11E0590138EB591DBC8598A739DAC53E046BB9C50B127BDB3AC57F986E3B1D000EA0C57
dhash icon 86e8c4ccccd4e896 (1 x njrat)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
579
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
41c69edec65f4baa333a8598fba2bfa832e327711e4c773f8bc52cd34b0b7e22
Verdict:
Malicious activity
Analysis date:
2021-08-31 10:49:42 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/54fa96c1-dbb2-475c-bf51-382c2da3aef5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/184159/
Detection(s):
Win.Trojan.Generic-6893425-0
Create hunting rule

Win.Packed.Forucon-6953438-0
Create hunting rule

Win.Packed.004d8cd-6953439-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a process with a hidden window
DNS request
Sending a UDP request
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f87d66de-ab83-4830-8b8b-6c78082c71b1
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842510
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Creates files with lurking names (e.g. Crack.exe)
Drops PE files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 474941 Sample: Z8yEKfw65d Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 48 xd91801.ddns.net 2->48 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for dropped file 2->58 60 8 other signatures 2->60 10 Z8yEKfw65d.exe 9 2->10         started        14 CrackTeamVip.exe 1 2->14         started        16 CrackTeamVip.exe 2->16         started        18 CrackTeamVip.exe 2->18         started        signatures3 process4 file5 40 C:\ProgramData\CrackTeamVip\...\CrackTeam.exe, PE32 10->40 dropped 42 C:\ProgramData\CrackTeamVip\...\BeNyAzOu.exe, PE32 10->42 dropped 64 Creates files with lurking names (e.g. Crack.exe) 10->64 20 CrackTeam.exe 1 3 10->20         started        24 BeNyAzOu.exe 2 10->24         started        44 C:\Users\user\...\CrackTeamVip.exe.log, ASCII 14->44 dropped signatures6 process7 dnsIp8 36 C:\Users\user\AppData\...\CrackTeamVip.exe, PE32 20->36 dropped 38 C:\Users\user\AppData\...\CrackTeam.exe.log, ASCII 20->38 dropped 62 Creates files with lurking names (e.g. Crack.exe) 20->62 27 CrackTeamVip.exe 4 3 20->27         started        50 1.0.0.0 CLOUDFLARENETUS Australia 24->50 file9 signatures10 process11 dnsIp12 52 xd91801.ddns.net 27->52 46 C:\...\8054596d5da646a3905ef8a0601f1454.exe, PE32 27->46 dropped 66 Antivirus detection for dropped file 27->66 68 Multi AV Scanner detection for dropped file 27->68 70 Protects its processes via BreakOnTermination flag 27->70 72 5 other signatures 27->72 32 netsh.exe 1 3 27->32         started        file13 signatures14 process15 process16 34 conhost.exe 32->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41c69edec65f4baa333a8598fba2bfa832e327711e4c773f8bc52cd34b0b7e22/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 21:41:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ihdj5xwgl5f2umz2qwmpxiv7vazogj3rdzghop4lyuwngsylpyra._file
Verdict:
unknown
Similar samples:
1f5f7921e3be739b51bead01306a9cc5dc7fec1dbc01a6784497de89afb6742c
njrat
5b76c357c197a8126cb0fbdaae8a401913af56580e2bb2c344295c23f3deb9d0
njrat
5cc8c8e81ebe07e57ff61c75a204988a04071da991cf85a5bf85ddca60597fcf
njrat
69141d8c99ebc4e3298c2e7203d061fe46d3bd513e3f93498a9fe2753cd82b8a
njrat
6b3c0907618cdc1bdcb07dd987ee91dbcc691b2181d947e81d8d2756d7cea195
njrat
a0a383d7599b7c847b366b4b35114f24205e3e9f624311c7931eea0d2218618c
njrat
f16ce9d494986b9f5a386de9b3a9a691c7939db12d030daf87cbb4c5f299f315
njrat
f6fb0f9050f39e6c6b3441d6a71d0e975552093fcf77f1d45ab06ef9b1fd7691
njrat
+ 2'143 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:fucked by swatch evasion persistence trojan
Link:
https://tria.ge/reports/210831-33v3wpce1n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction:
xd91801.ddns.net:5552
Unpacked files
SH256 hash:
bbce819c1dc40cacd76fddeeff0216ec8bc9030f3062f8301bf0bc037d768438
MD5 hash:
0c5b37cffc766f2345f86372e7409d2e
SHA1 hash:
51359165ec25a2e81a2ab6efcd6f48569ff52ca9
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/8d3eabeb-7ab1-4e3c-b176-b572520ec131/
SH256 hash:
32b8233f3b641a70832e083be19f5a1e96adc2836011fd1a49c5c08e8e4edad8
MD5 hash:
66e052af8e2f2494490bc8066f877037
SHA1 hash:
dab5c0585f360d160a6a8b11d3f7541c43356730
Link:
https://www.unpac.me/results/8d3eabeb-7ab1-4e3c-b176-b572520ec131/
SH256 hash:
e73609b4be81dda8bec9fddcf9b8573d01c986dffa0ef447382c947b3852a633
MD5 hash:
8f30fb897542abdae612c3fe3c9a252a
SHA1 hash:
883d4c7c90bf0c063c5a6582772b4df161ebd3ff
Link:
https://www.unpac.me/results/8d3eabeb-7ab1-4e3c-b176-b572520ec131/
SH256 hash:
41c69edec65f4baa333a8598fba2bfa832e327711e4c773f8bc52cd34b0b7e22
MD5 hash:
592a36246a9fa6df0a750eb76a7a4bd7
SHA1 hash:
8782b48b3cd171fdc4245d7400d19d88202e41c6
Link:
https://www.unpac.me/results/8d3eabeb-7ab1-4e3c-b176-b572520ec131/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/41c69edec65f4baa333a8598fba2bfa832e327711e4c773f8bc52cd34b0b7e22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184159/

Comments