MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4429abcc87b519e564fb443eac261da3f2976056c87a61a55c177c46c72cd474. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4429abcc87b519e564fb443eac261da3f2976056c87a61a55c177c46c72cd474
SHA3-384 hash: be7e2b48be0fdfda3257b96dc433fab82be7861af29460b07bf932fff9ba811b160f996134412842cbfd99b06c63fb6a
SHA1 hash: a6148d612ea1dae4edbc307f8a605ceb89ed6672
MD5 hash: a826a9dda069efa6dda5ef9d0e5984fd
humanhash: shade-speaker-charlie-edward
File name:a826a9dda069efa6dda5ef9d0e5984fd.exe
Download: download sample
Signature njrat
Create hunting rule
File size:2'122'240 bytes
First seen:2022-05-27 14:41:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:0ZyCA8CBmn+RrNj9ay5IerO8P8zMw/R2UUO4UzD/5DwR/J6whCu:0iwYpIIOn//R23OVzD/5Upmu
Threatray 968 similar samples on MalwareBazaar
TLSH T13DA5390DF6F26E21CB2D02BBD723857841E3F5082601C596AFE839982F567EDD9CB944
TrID 56.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.1% (.SCR) Windows screen saver (13101/52/3)
8.1% (.EXE) Win64 Executable (generic) (10523/12/4)
7.7% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
5.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon e8e8e4848484c484 (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
156.218.52.139:5552

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
156.218.52.139:5552 https://threatfox.abuse.ch/ioc/642308/

Intelligence

File Origin
# of uploads :
1
# of downloads :
340
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
a826a9dda069efa6dda5ef9d0e5984fd.exe
Verdict:
Malicious activity
Analysis date:
2022-05-27 14:43:24 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/1f3238a4-35c8-4858-86cf-edd4eef8af65

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Renamer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/274976/
Detection(s):
Win.Packed.Disfa-7433223-0
Create hunting rule

Win.Trojan.Renamer-9857867-0
Create hunting rule

Win.Trojan.Renamer-9857868-0
Create hunting rule

Win.Malware.Renamer-6726546-0
Create hunting rule

Win.Malware.Auopnspi-6887872-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Searching for synchronization primitives
Creating a file in the %AppData% directory
Enabling the 'hidden' option for analyzed file
Replacing executable files
Moving a file to the Program Files subdirectory
Creating a file in the Program Files subdirectories
Replacing files
Creating a file in the %temp% directory
Creating a process with a hidden window
Moving of the original file
Launching the process to change the firewall settings
Unauthorized injection to a recently created process
Infecting executable files
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
confuserex obfuscated packed
Link:
https://www.filescan.io/uploads/6290e31d65e33815993b2553/reports/6938cc46-b7a9-400d-aa66-190878194be5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dd5a1764-f7fb-4947-bbc7-f67ec5938c7b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1002847
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (overwrites its own PE header)
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4429abcc87b519e564fb443eac261da3f2976056c87a61a55c177c46c72cd474/
Threat name:
Win32.Virus.Renamer
Create hunting rule
Status:
Malicious
First seen:
2022-05-23 16:57:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iqu2xtehwum6kzh3iq7kyjq5upzjoycwzb5gdjk4c56enrzm2r2a._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
1e77593073ce7c57226c55e20d5ca2e09c84c86a083a9d56b3dd1bb732305683
njrat
46fa7b3768b1f91187f59fb97a88e1efbbe603dc88419c73da07c627e9d57f74
njrat
4f7ee2b1be709d2dfcfb894323ac4b6a3f3b0482c646d49b051769a6e3785239
njrat
69bc3e840c7aeb2c0eaa156a23c7717fb2352c7a4e1a28deedfbc25b79b27b82
njrat
a1912487964fbfa6a9004a0889bde004a7b3d007e98706b79688bbb6229af557
njrat
bbbd41df9ee8363af5927a1b8f8b6d373edc69b34069c3a1ff0e5696138a290d
njrat
bc341eccbdfecf1616134d92035e90b0622ec6731e5c5f74418f00ce3033a689
njrat
d9009371df732bd8b3ccab8b38e9968069503292b112b2b27cb1c3c54814b3ab
njrat
e1c12e80d4fe90ebf246356de9336ba64ce4263eaf2525c27412d534b8a89b29
njrat
f4ae0a96fe157d059c62d52e5934283f6055e822451db81a0bb9f646e98dc310
njrat
+ 958 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked evasion persistence trojan
Link:
https://tria.ge/reports/220527-r21d8afddj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction:
emoloveemomoody2020.ddns.net:5552
Unpacked files
SH256 hash:
59d1dac58c00709de263c9069dfdf07d5fa0cfa3215af9135211fd78d0f6fc7d
MD5 hash:
ccb6b78aa4e66cebf8527b5d679fa853
SHA1 hash:
676f5fd5ebb374cf293a94cbc83cdc2549ab5b21
Link:
https://www.unpac.me/results/1932814a-1f23-45c6-ae2b-8e4578b78124/
SH256 hash:
1e34802e00f00e9d1a73a458bedb6253bcd0557e0681c4a8513edaccd8e9c887
MD5 hash:
0502227010401b0492c48edc3c654131
SHA1 hash:
52c1858e1de9a723a1f8e8370228eb58572b7c95
Detections:
win_njrat_g1
Create hunting rule
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/1932814a-1f23-45c6-ae2b-8e4578b78124/
SH256 hash:
3f19b0e4959ac5dc2bd3078e49577d1734cd6efcdc13c83b14d806c3eee4837d
MD5 hash:
4b5086b5c81e7fafed6d828c565da0f0
SHA1 hash:
cefef0c672aafdb0a0a3d459d890f1bfcc3c6f52
Link:
https://www.unpac.me/results/1932814a-1f23-45c6-ae2b-8e4578b78124/
SH256 hash:
fa6d5b7374abdda2273b5e65176eecafe7cb36aaeafc501f316faab641f46c54
MD5 hash:
ffe0ab5a27ffefa7ae24c65e980c8401
SHA1 hash:
5e66eca3cf8617747645c21d11ba1ca76cb5fb13
Link:
https://www.unpac.me/results/1932814a-1f23-45c6-ae2b-8e4578b78124/
SH256 hash:
4429abcc87b519e564fb443eac261da3f2976056c87a61a55c177c46c72cd474
MD5 hash:
a826a9dda069efa6dda5ef9d0e5984fd
SHA1 hash:
a6148d612ea1dae4edbc307f8a605ceb89ed6672
Link:
https://www.unpac.me/results/1932814a-1f23-45c6-ae2b-8e4578b78124/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4429abcc87b519e564fb443eac261da3f2976056c87a61a55c177c46c72cd474

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_NET_NAME_ConfuserEx
Create hunting rule
Author:Arnim Rupp
Description:Detects ConfuserEx packed file
Reference:https://github.com/yck1509/ConfuserEx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/274976/

Comments