MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44af542480535de8b9060996210572ca8e7e4873ca4d8537e23dfbca6219fa6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44af542480535de8b9060996210572ca8e7e4873ca4d8537e23dfbca6219fa6b
SHA3-384 hash: 1224a6e3980909be24f509fc27eef754d6b12a2d335499947d6ddc8d89caa7880915608f7bbcd23cb924831a6475cb17
SHA1 hash: c850414698af79c33df2cd52efbe2248a49366f8
MD5 hash: 4e7b9265aeb6438c1dca9ac737ab8879
humanhash: yellow-romeo-zebra-alpha
File name:SecuriteInfo.com.Trojan.Olock.1.12272.6180
Download: download sample
Signature njrat
Create hunting rule
File size:656'384 bytes
First seen:2022-11-08 05:05:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:cuZxQi6LQEDISLeA2umdXegmLsUZ0oLZkg1YnZmSaCzLn0ZE4kri19X9:caOISd2XeTDLZf6XLMkrYX
Threatray 2'556 similar samples on MalwareBazaar
TLSH T19DD4223765B1C660CA5C863F54B9055233F1478EB806CA3B5DC068F68B773ABA211EE7
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 96e8f296ccf2e884 (8 x Formbook, 7 x AgentTesla, 4 x Loki)
Reporter SecuriteInfoCom
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
SecuriteInfo.com.Trojan.Olock.1.12272.6180
Verdict:
Malicious activity
Analysis date:
2022-11-08 05:06:41 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/9687fd5e-88cc-46ae-b255-7618f3764c52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/330341/
Detection(s):
SecuriteInfo.com.Trojan.Olock.1.12272.6180.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Launching a process
Creating a file
Creating a process with a hidden window
Launching the process to change the firewall settings
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6369e3bb470500d17a1edc10/reports/cda3f362-cc12-4f8b-83d1-4aa3c0445c77/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dfc2a3d8-e666-468c-84a7-fde7f17ca83e
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1107923
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Detected njRat
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 740587 Sample: SecuriteInfo.com.Trojan.Olo... Startdate: 08/11/2022 Architecture: WINDOWS Score: 100 35 markindejunojib.ddns.net 2->35 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Detected njRat 2->43 45 10 other signatures 2->45 9 SecuriteInfo.com.Trojan.Olock.1.12272.6180.exe 3 2->9         started        13 RegSvcs.exe 3 2->13         started        15 RegSvcs.exe 4 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 33 SecuriteInfo.com.T....12272.6180.exe.log, ASCII 9->33 dropped 55 Writes to foreign memory regions 9->55 57 Allocates memory in foreign processes 9->57 59 Injects a PE file into a foreign processes 9->59 19 RegSvcs.exe 5 2 9->19         started        23 conhost.exe 13->23         started        25 conhost.exe 15->25         started        27 conhost.exe 17->27         started        signatures6 process7 dnsIp8 37 markindejunojib.ddns.net 194.5.98.8, 49713, 49714, 49715 DANILENKODE Netherlands 19->37 47 Creates autostart registry keys with suspicious names 19->47 49 Creates an autostart registry key pointing to binary in C:\Windows 19->49 51 Uses netsh to modify the Windows network and firewall settings 19->51 53 Modifies the windows firewall 19->53 29 netsh.exe 3 19->29         started        signatures9 process10 process11 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44af542480535de8b9060996210572ca8e7e4873ca4d8537e23dfbca6219fa6b/
Threat name:
ByteCode-MSIL.Spyware.SnakeLogger
Create hunting rule
Status:
Malicious
First seen:
2022-11-08 04:45:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
19
AV detection:
16 of 25 (64.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=isxvijeakno6roigbglccblszkhh4sdtzjgykn7chx54uyqz7jvq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
1c2de35b1875197d605b226ac3a898ce2330a1b1c2b557f1931a0848f1655b27
njrat
3dff7ec382a12eb1b4765c5e0927bcb9d7f34461dfd113cbc51fbb1aa0a33761
njrat
3e7cf8b2e3f6d13ecfccc5eb1cfb57dfe12303e3315500cecf37f53687a3c784
njrat
4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
njrat
8841139a2739207235aa3d30d6b9b58bf55ec221d75e48cf254c195e0f87778b
njrat
9e38c4343ab5ae60cad93323da9745d40c6856f6092992bfb68b36368e61a8c0
njrat
c7b5dd67a462b9994b0596e8b4aef43ae616077aa900315b0a565e58bc6347aa
njrat
dd9f42733ea79ecf71009de2bc28ba54bbd66d3ef91b16bb5863e5e1b3bd9f79
njrat
f904d56fd3998c0316366864c6a8d08ddde1c679c22cc57fabb4141931ee89e7
njrat
+ 2'546 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:light evasion persistence trojan
Link:
https://tria.ge/reports/221108-frdxpahdh6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction:
markindejunojib.ddns.net:54923
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a49e5db2-7303-4faf-aa84-78448fd20a1d
Unpacked files
SH256 hash:
0e4986cc476e3aa66163463b1f606138fe54c754e9cf11c1c5e5eca9cba66bf1
MD5 hash:
c3dda2e4eeaa4165a8031eab93c9831f
SHA1 hash:
8351685bbf13f1a933e36df8523f7de3f46fd682
Detections:
NjRat
Create hunting rule
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/e51d7906-86f0-494b-a596-4c29bcd60611/
SH256 hash:
5b9446e91ecebec3af06ff7c1b3bc505e58230d9c1dd21817eb0809d75d37251
MD5 hash:
bcf3c5599e8039dae99015e0f0ffb1e6
SHA1 hash:
1b45b212847360c27feb5a59d03c8dc105e5b9bc
Link:
https://www.unpac.me/results/e51d7906-86f0-494b-a596-4c29bcd60611/
SH256 hash:
7f272c4db499b1501a5ea1711d23de0e6a0c07faf16275e9b01722dae889c7c9
MD5 hash:
dd8b9511dda8eb7c84e1621046828883
SHA1 hash:
7f715270ffcadcba5c3148d2a0cecfaaf6c2e805
Link:
https://www.unpac.me/results/e51d7906-86f0-494b-a596-4c29bcd60611/
SH256 hash:
f2c0cfd7452dd0f17f002e96a06fa4dec3707f3fc1b94d658021f92aca84acd3
MD5 hash:
7791f5df26e350e21b25617adf7e6718
SHA1 hash:
51816c01a4aeab9e293f35d500f2a0fb5acc0167
Link:
https://www.unpac.me/results/e51d7906-86f0-494b-a596-4c29bcd60611/
SH256 hash:
92bd802a0f7eb1213758a6c1a4c07302e0320c3a2aeb6273b0303dd3bbdefe90
MD5 hash:
046e97119545e5abde2f40b5dc3a0344
SHA1 hash:
3e69b67ddff2554c8cd72e129d4da9c8acd9d331
Link:
https://www.unpac.me/results/e51d7906-86f0-494b-a596-4c29bcd60611/
SH256 hash:
44af542480535de8b9060996210572ca8e7e4873ca4d8537e23dfbca6219fa6b
MD5 hash:
4e7b9265aeb6438c1dca9ac737ab8879
SHA1 hash:
c850414698af79c33df2cd52efbe2248a49366f8
Link:
https://www.unpac.me/results/e51d7906-86f0-494b-a596-4c29bcd60611/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/44af54248053/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44af542480535de8b9060996210572ca8e7e4873ca4d8537e23dfbca6219fa6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/330341/

Comments