MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e
SHA3-384 hash: 966500cd017adbc0ca3840028bf15c1fb08833c6975f40f757c652abd85a5d9e1d40ba96a8236ce82209edfe28212be8
SHA1 hash: 1c81b383748ec30678d96c3aea78fbd08fbbb923
MD5 hash: a2f35e38f6b100b91d0ddab680538d39
humanhash: berlin-november-mobile-winter
File name:4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e
Download: download sample
Signature njrat
Create hunting rule
File size:1'801'216 bytes
First seen:2021-09-30 07:39:27 UTC
Last seen:2021-09-30 09:03:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2674e2c85d69ad77d97510ac486e707b (2 x njrat, 1 x AZORult)
ssdeep 49152:2SQxHM8XOpoK/LvjCC2Sfl29daVzBvBm:2HJepVjCCVflSdaZ
Threatray 310 similar samples on MalwareBazaar
TLSH T17585336F3E94DDFFC82513F54636D25899305DE28A02AA37BE058C8A65F3E603794ED0
File icon (PE):PE icon
dhash icon 265c38e4f4346662 (1 x njrat)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193390/
Detection(s):
PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Deleting a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the Windows directory
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Firewall traversal
Enabling autorun by creating a file
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/927e47cc-9152-4589-9cd9-a6ab4b98979b
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862299
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Detected njRat
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 494726 Sample: m7UvHdGkvV Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for dropped file 2->46 48 Antivirus / Scanner detection for submitted sample 2->48 50 14 other signatures 2->50 9 m7UvHdGkvV.exe 10 2->9         started        13 Local Security Authority Proccess.exe 3 2->13         started        15 Local Security Authority Proccess.exe 2 2->15         started        17 Local Security Authority Proccess.exe 2 2->17         started        process3 file4 36 C:\Users\user\AppData\Local\Temp\Server.exe, PE32 9->36 dropped 38 C:\Users\user\AppData\...asyAutoClicker.exe, PE32 9->38 dropped 62 Detected unpacking (changes PE section rights) 9->62 64 Tries to detect sandboxes and other dynamic analysis tools (window names) 9->64 66 Tries to evade analysis by execution special instruction which cause usermode exception 9->66 68 Hides threads from debuggers 9->68 19 Server.exe 1 5 9->19         started        23 EasyAutoClicker.exe 4 9->23         started        signatures5 process6 file7 34 C:\...\Local Security Authority Proccess.exe, PE32 19->34 dropped 52 Antivirus detection for dropped file 19->52 54 Multi AV Scanner detection for dropped file 19->54 56 Machine Learning detection for dropped file 19->56 58 Drops executables to the windows directory (C:\Windows) and starts them 19->58 25 Local Security Authority Proccess.exe 2 5 19->25         started        60 Contains functionality to detect sleep reduction / modifications 23->60 signatures8 process9 dnsIp10 42 91.213.44.57, 9 SVOLS-ASRU Russian Federation 25->42 40 C:\...\f227f14b70512c480fba70d41029f780.exe, PE32 25->40 dropped 70 Protects its processes via BreakOnTermination flag 25->70 72 Creates autostart registry keys with suspicious names 25->72 74 Creates an autostart registry key pointing to binary in C:\Windows 25->74 30 netsh.exe 1 3 25->30         started        file11 signatures12 process13 process14 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e/
Threat name:
Win32.Trojan.VBinder
Create hunting rule
Status:
Malicious
First seen:
2021-09-27 07:46:05 UTC
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jmuwyvw2yetxaupmvbgkx6fwemxpuurp2jnfb7wzl2caycmngjha._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
1292e5a45426d40909dc8199da5fc6346a4b8a652baff6bacee9e64bb253f16c
njrat
22624e441ebb33943e4c72b4f4c3b625b0f7ec3d8b2afada33a92771144b0373
njrat
2a22805bbe73a869fc9240d722d6cfb22c582683918103bda90f3a321756c44d
njrat
329c2259d6015d98464322b873b783d18da6ac1a13d7ec40d1de9f143659b1bb
njrat
6cb0c6c55411375878184fba0feeee93c99c7f184818449e548ef875486ec38a
njrat
a43c0d39f01808746f82c041edad38edbb89334c098311331d3e2733824f6259
njrat
a8f36e203ba22b243837f95a371fbad43ef4162e2cf6f01ab78714fed88e7bb3
njrat
c7b54cc4aa3d4b08652359ddb2e8b0d91ccd6d0a01c7a34eb527fde4f0f44957
njrat
ed34d4eba0bc7d434f32bb9bca0147632592656ddf0c2aa892fbee54b0850ff1
njrat
ffe8dbc4f815fe713c790a19b5122c79d1de9c817f10edf7d86ca297175ce439
njrat
+ 300 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked evasion persistence trojan
Link:
https://tria.ge/reports/210930-jhkknaghe2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
autoit_exe
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction:
91.213.44.57:9
Unpacked files
SH256 hash:
da5bddc5bd9153fc94a6dc41215e135028d5f32d4e88bb936edfea9342ad15c0
MD5 hash:
07abd5f49a5680cefde8da593e868895
SHA1 hash:
5adc8df43b58f2296c0adf8de1f25e9a7b0f461b
Detections:
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/bd6daa70-f07b-415b-b518-308097bfb1c1/
SH256 hash:
6d5b54f49b181fe3b8f17fa57d56ab29151fc59a5104c90b74add3249ca534b6
MD5 hash:
2d87ab9b88a18363a5b41c60a5d779e1
SHA1 hash:
05f7e0d8a97f5285bf9dd19abf2da1d1e20a5ce3
Link:
https://www.unpac.me/results/bd6daa70-f07b-415b-b518-308097bfb1c1/
SH256 hash:
4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e
MD5 hash:
a2f35e38f6b100b91d0ddab680538d39
SHA1 hash:
1c81b383748ec30678d96c3aea78fbd08fbbb923
Link:
https://www.unpac.me/results/bd6daa70-f07b-415b-b518-308097bfb1c1/
Malware family:
njRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/4b296c56dac1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4b296c56dac1277051eca84cabf8b6232efa522fd25a50fed95e840c098d324e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193390/

Comments