MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d45b8210c1a3ee305e9adcf9f7e055b562c6c8977e1210782a9a57155123417. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4d45b8210c1a3ee305e9adcf9f7e055b562c6c8977e1210782a9a57155123417
SHA3-384 hash: 452f84b24b33a16d3fd9b2e38b1baebc3bdf42ffe75b8d1ec1a3c3ff43637692475132cef1047bd6f3da6384f7d39af4
SHA1 hash: f4617afd24c07a057b91b1f52e66a4167580bdb1
MD5 hash: bed701af2601f7d0b9e02578f8a7d190
humanhash: harry-delaware-dakota-nine
File name:4d45b8210c1a3ee305e9adcf9f7e055b562c6c8977e1210782a9a57155123417
Download: download sample
Signature njrat
Create hunting rule
File size:1'436'124 bytes
First seen:2021-09-22 13:18:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:eNcBtkZXdsDwEx1JXCFX2NPMmx6AGeRVVNxLNd9p7EmELXUkDauELAW:5eYNtFx6AGKvp7EmELXUkWrMW
Threatray 23 similar samples on MalwareBazaar
TLSH T1E8652202B6C6C4B2E53329360939A7107D3DBD605F25DE6EB3E4391ECA305D1A625BB3
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
306
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7d858d325c067fb66472fc149041de01c544a21575b873db54478758a3977b54
Verdict:
Malicious activity
Analysis date:
2021-09-22 13:13:36 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/1f343de8-ac12-42e7-b91b-ce7632a8df0f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190209/
Detection(s):
SecuriteInfo.com.PUA.Tool.BtcMine.2110.19075.28917.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fae9bf75-7123-468b-8ad3-b4c8d2db7c8c
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/855927
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Detected njRat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488360 Sample: JUxjBiwM59 Startdate: 22/09/2021 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for dropped file 2->44 46 18 other signatures 2->46 9 JUxjBiwM59.exe 8 2->9         started        12 Bluetooth Modul Network.exe 3 2->12         started        15 Bluetooth Modul Network.exe 2 2->15         started        17 Bluetooth Modul Network.exe 2 2->17         started        process3 file4 36 C:\Users\user\...\Server_protected.exe, PE32 9->36 dropped 19 Server_protected.exe 1 5 9->19         started        62 Hides threads from debuggers 12->62 signatures5 process6 file7 32 C:\Users\user\...\Bluetooth Modul Network.exe, PE32 19->32 dropped 48 Antivirus detection for dropped file 19->48 50 Multi AV Scanner detection for dropped file 19->50 52 Detected unpacking (changes PE section rights) 19->52 54 4 other signatures 19->54 23 Bluetooth Modul Network.exe 2 5 19->23         started        signatures8 process9 dnsIp10 38 37.1.222.208, 39567, 49735, 49738 SCALAXY-ASNL Ukraine 23->38 34 C:\...\b518fb17ecc4608757ddae1e7cf86645.exe, PE32 23->34 dropped 56 Protects its processes via BreakOnTermination flag 23->56 58 Creates autostart registry keys with suspicious names 23->58 60 Hides threads from debuggers 23->60 28 netsh.exe 1 3 23->28         started        file11 signatures12 process13 process14 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4d45b8210c1a3ee305e9adcf9f7e055b562c6c8977e1210782a9a57155123417/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 10:59:21 UTC
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jvc3qiimdi7ogbpjvxhz67qflnlcy3ejo7qscb4cvgsxcvisgqlq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
06aba312b446bf01180d633c94686c5ab2d102d40156b5cd9a9255cc6fd5b69c
njrat
4322b25b29f160a08e809764a5dd86deda2289623331867004f85a905ce47769
njrat
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
njrat
798eab01e5d7f1c78e3f7db514f3611ae85e468405af144245f55c8f2657c6d9
njrat
7fb40d2c4011f9aa66d25183702ac6872fff070ff9c7433fab6d3785ebc95f4c
njrat
9cda5e5ad6ca68a803516013fbf62e6b06383b20fccf1ee6aed4730c916a3b55
njrat
a7b419ba495ef1afcb0a243327224d4e088b156c421a4dd6589f980ba943171d
njrat
b83c0954a3138f4c18e4f6a5182768b5a1efbb13c69dcf01d63eb81f63456eda
njrat
d162aea95889e147b96c2ab4da7cf27ec2538abd149a08f96d993fb7a41b002f
njrat
+ 13 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210922-qkjjpsfcfl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
1910622c0fb9c86c96b51fdc30293a2521364601bfdec2251f46015ae54f7dc1
MD5 hash:
acf7ff93889bc3bf4afd2e6755a8a173
SHA1 hash:
466c6b83c5eb42e906405d130e32ab7465349462
Link:
https://www.unpac.me/results/dadcb048-969b-4d8a-b7f5-178bfc645954/
SH256 hash:
4d45b8210c1a3ee305e9adcf9f7e055b562c6c8977e1210782a9a57155123417
MD5 hash:
bed701af2601f7d0b9e02578f8a7d190
SHA1 hash:
f4617afd24c07a057b91b1f52e66a4167580bdb1
Link:
https://www.unpac.me/results/dadcb048-969b-4d8a-b7f5-178bfc645954/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4d45b8210c1a3ee305e9adcf9f7e055b562c6c8977e1210782a9a57155123417

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:Identify njRat
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190209/

Comments