MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
SHA3-384 hash: c99865f9dc512d065a4aeb26b13f86fffb2835d438ffec2ed3a4d329c10ecd8e51657cdca182ef3688b02dc843798a49
SHA1 hash: 85c1ab9c6fe450a83fb2cc1681b45272020ce5a6
MD5 hash: 5859e656d5735eb9a1eeae9a94a3cc16
humanhash: alpha-freddie-cat-butter
File name:ZAgNhZBG.exe
Download: download sample
Signature njrat
Create hunting rule
File size:24'064 bytes
First seen:2020-12-21 01:47:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 384:YMKFYuEEhERvoBG16Xuy0MHNw6Tg1Y+75JTFmRvR6JZlbw8hqIusZzZCw:vW4V6+yDRpcnuw
Threatray 506 similar samples on MalwareBazaar
TLSH 78B22A0E3FA98856C5BC1B7486A5965003B4D1870413EE2FCDC564CBAFB3AD91D48AF9
Reporter pmelson
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
327
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ZAgNhZBG.exe
Verdict:
Malicious activity
Analysis date:
2020-12-21 01:49:05 UTC
Tags:
rat njrat bladabindi trojan
Link:
https://app.any.run/tasks/c2e14d94-cc87-48c7-ae9e-89d95545a159

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108634/
Detection(s):
Win.Trojan.B-468
Create hunting rule

Win.Trojan.Ratenjay-1
Create hunting rule

Win.Trojan.Bladabindi-6192388-0
Create hunting rule

Win.Trojan.Generic-6417450-0
Create hunting rule

Win.Trojan.Generic-6454614-0
Create hunting rule

Win.Trojan.Generic-6454615-0
Create hunting rule

Win.Packed.Bladabindi-6804148-0
Create hunting rule

Win.Packed.Bladabindi-6917466-0
Create hunting rule

Win.Dropper.njRAT-7436651-0
Create hunting rule

Win.Packed.Generic-7672854-0
Create hunting rule

Win.Packed.Generic-7672855-0
Create hunting rule

Win.Packed.njRAT-7672853-1
Create hunting rule

Win.Packed.Generic-9795615-0
Create hunting rule

Win.Packed.Generic-9795616-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Sending a UDP request
Launching a process
Deleting a recently created file
Reading critical registry keys
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat BrowserPasswordDump Tool
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/567097
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Contains functionality to steal Internet Explorer form passwords
Creates autostart registry keys with suspicious names
Detected njRat
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected BrowserPasswordDump Tool by SecurityXploded
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 332630 Sample: ZAgNhZBG.exe Startdate: 21/12/2020 Architecture: WINDOWS Score: 100 38 g.msn.com 2->38 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Multi AV Scanner detection for domain / URL 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 15 other signatures 2->48 9 ZAgNhZBG.exe 1 5 2->9         started        12 Google Chrome.exe 3 2->12         started        14 Google Chrome.exe 2 2->14         started        16 Google Chrome.exe 2 2->16         started        signatures3 process4 file5 34 C:\Users\user\AppData\...behaviorgraphoogle Chrome.exe, PE32 9->34 dropped 36 C:\Users\user\AppData\...\ZAgNhZBG.exe.log, ASCII 9->36 dropped 18 Google Chrome.exe 6 5 9->18         started        process6 dnsIp7 40 xoruf.ddns.net 78.171.128.82, 49741, 49758, 5552 TTNETTR Turkey 18->40 32 C:\...\d8f3c9bf39e889408d972a936cea46cc.exe, PE32 18->32 dropped 50 Tries to steal Instant Messenger accounts or passwords 18->50 52 Creates autostart registry keys with suspicious names 18->52 54 Tries to harvest and steal ftp login credentials 18->54 56 4 other signatures 18->56 23 vbc.exe 3 18->23         started        26 netsh.exe 1 3 18->26         started        file8 signatures9 process10 signatures11 58 Contains functionality to steal Internet Explorer form passwords 23->58 60 Tries to harvest and steal browser information (history, passwords, etc) 23->60 28 conhost.exe 23->28         started        30 conhost.exe 26->30         started        process12
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-12-21 01:48:05 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jsi6ltr5yvfea7lpzzdo5xrx2lrdip2nw2eocwhchk5viphfunia._file
Verdict:
malicious
Similar samples:
2f5cd6b013a52c1946739554d64f35f0af679025755c2191811045833d3ce7a4
njrat
4d742fd1047a6a9d019de5deceaae8896d5cee545392b37afab84d29efdcb470
njrat
585b9a5e3aac2aa59c5741bc7f56029aeea7c00dd870dc6064f856c84bc70262
njrat
8841139a2739207235aa3d30d6b9b58bf55ec221d75e48cf254c195e0f87778b
njrat
975d36217950a31fa9591d0ad5236f8817f4f51c5d23f01e88c5684dd197cb15
njrat
a0a3915436586816ac0de5463d4c20c6bcb289326ef04999a1ef2c5f1723c86f
njrat
c2fad2f1da50fadaeb21235a2f1ab6ca135174b10c0f7e499bf9f7bb1d03daf2
njrat
ed272a73e61d3ddc0f6d70e54387bb7f07821ebbf91dfa6fde536c5c1dabfc2e
njrat
f4ae0a96fe157d059c62d52e5934283f6055e822451db81a0bb9f646e98dc310
njrat
f586880e7c2d2991e4cc097fd515c0578af818ba1f57ece0dba2c8626161d22d
njrat
+ 496 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence spyware trojan upx
Link:
https://tria.ge/reports/201221-dp5bj79tvx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Uses the VBS compiler for execution
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
njRAT/Bladabindi
Unpacked files
SH256 hash:
4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350
MD5 hash:
5859e656d5735eb9a1eeae9a94a3cc16
SHA1 hash:
85c1ab9c6fe450a83fb2cc1681b45272020ce5a6
Detections:
win_njrat_g1
Create hunting rule
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/f55420b5-54ab-446a-a380-8f34d41011f7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350

(this sample)

  
Link
https://www.virustotal.com/gui/file/4c91e5ce3dc54a407d6fce46eede37d2e2343f4db688e158e23abb543ce5a350/detection
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108634/

Comments