MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b4a624f6ed9e08abee909ae1ba1d8cd9cedb2adc4fea2e9866eb1958be63119. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 12

Intelligence 12 IOCs 2 YARA File information Comments

SHA256 hash:	4b4a624f6ed9e08abee909ae1ba1d8cd9cedb2adc4fea2e9866eb1958be63119
SHA3-384 hash:	03fe9f490bf9d1e3eabcfb1fb2172cbbb713247befe16c5a8596528618a75b95618f78942154c2daaa0ca002d1f198c6
SHA1 hash:	d8bb8c0d2d2212e13e18479b50713e420f1f035c
MD5 hash:	0d7512b8f1f15d8d36167dbae6f75562
humanhash:	washington-hotel-carbon-michigan
File name:	0d7512b8f1f15d8d36167dbae6f75562.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	169'406 bytes
First seen:	2022-04-27 09:46:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	29b61e5a552b3a9bc00953de1c93be41 (174 x Formbook, 82 x AgentTesla, 81 x Loki)
ssdeep	3072:zqRaMrUwmuvDWLcfhDgHg/br1QaSZ9UYFzjBU32WCoq/rOuY3fjLcNVK2IMAGGx7:znx1K8HCI9Ho9uY3LOIt3dxqhwIO
Threatray	6'334 similar samples on MalwareBazaar
TLSH	T146F31283A1D0ECBBDA8708B40F36366DFB7BC1925301A74747744EB7BA916C6971A342
TrID	48.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 16.4% (.EXE) Win64 Executable (generic) (10523/12/4) 10.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 7.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	74c4c6463e92db18 (1 x njrat)
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
141.255.147.246:55795

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
141.255.147.246:55795	https://threatfox.abuse.ch/ioc/536747/
141.255.147.246:5522	https://threatfox.abuse.ch/ioc/536748/

Intelligence

File Origin

# of uploads :

# of downloads :

447

Origin country :

n/a

Vendor Threat Intelligence

Detection:

RedLine

Link:

https://www.capesandbox.com/analysis/267200/

Detection(s):

Win.Malware.Bulz-9880537-0

Win.Packed.Bulz-9883367-0

Win.Packed.Generickdz-9885340-0

Win.Packed.Bulz-9891195-0

Win.Trojan.Redline-9938775-1

Win.Dropper.njRAT-7436651-0

Win.Packed.Generic-7672854-0

Win.Packed.Generic-7672855-0

Win.Packed.njRAT-7672853-1

Win.Packed.Generic-9795615-0

Win.Packed.Generic-9795616-0

Win.Trojan.Generic-6417450-0

Win.Trojan.Generic-6454614-0

Win.Trojan.Generic-6454615-0

Win.Packed.Bladabindi-6804148-0

Win.Trojan.B-468

Win.Trojan.Ratenjay-1

Win.Trojan.Bladabindi-6192388-0

Win.Packed.Bladabindi-6917466-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Сreating synchronization primitives

Creating a process from a recently created file

Creating a window

Creating a process with a hidden window

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Searching for the window

Sending a custom TCP request

Reading critical registry keys

Unauthorized injection to a recently created process

Launching the process to change the firewall settings

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Sending a TCP request to an infection source

Stealing user critical data

Enabling autorun by creating a file

Sending an HTTP POST request to an infection source

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bladabindi control.exe overlay packed redline shell32.dll

Link:

https://www.filescan.io/uploads/626911212b32b1c37c64e601/reports/79560977-02d2-48d9-a732-557a06b935b5/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

RedLine stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f546b88a-2446-47eb-88d5-0a1ff1d08f8d

Result

Threat name:

njRat RedLine

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/983965

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious names

Detected njRat

Detected unpacking (overwrites its own PE header)

Drops PE files to the startup folder

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses dynamic DNS services

Uses known network protocols on non-standard ports

Uses netsh to modify the Windows network and firewall settings

Yara detected Njrat

Yara detected RedLine Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4b4a624f6ed9e08abee909ae1ba1d8cd9cedb2adc4fea2e9866eb1958be63119/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2022-04-25 08:42:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 26 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jnfget3o3hqivpxjbgxbxioyzwoo3mvnyt7kf2mgn2yzlc7ggemq._file

Verdict:

malicious

Label(s):

njrat

Result

Malware family:

redline

Score:

10/10

Tags:

family:njrat family:redline botnet:payypal botnet:virus novo discovery evasion infostealer persistence spyware stealer suricata trojan

Link:

https://tria.ge/reports/220427-lr7gwsfadl/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Checks computer location settings

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Modifies Windows Firewall

RedLine

RedLine Payload

njRAT/Bladabindi

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Malware Config

C2 Extraction:

ck10.duckdns.org:55795
ck10.duckdns.org:5522

Unpacked files

SH256 hash:

4b4a624f6ed9e08abee909ae1ba1d8cd9cedb2adc4fea2e9866eb1958be63119

MD5 hash:

0d7512b8f1f15d8d36167dbae6f75562

SHA1 hash:

d8bb8c0d2d2212e13e18479b50713e420f1f035c

Link:

https://www.unpac.me/results/c7415392-1871-4bbf-afc7-fd458d19a8eb/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4b4a624f6ed9e08abee909ae1ba1d8cd9cedb2adc4fea2e9866eb1958be63119

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/267200/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample