MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f24982ce7b3ff35f2f1e4b1f3221e21c6bca80f9fbe96d9c9d240173a593304. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f24982ce7b3ff35f2f1e4b1f3221e21c6bca80f9fbe96d9c9d240173a593304
SHA3-384 hash: 00adabf40a0fb6adc7908d4eef37a5c65886606a16c7eedfa3f95723e793626546135e5e1c0dae009a7f14c156761332
SHA1 hash: 70f5fe2ee4449aca1a7988ed47284f9bb8ac4823
MD5 hash: 55877230838a3e29379f10fe6cf70c66
humanhash: failed-red-princess-blue
File name:55877230838a3e29379f10fe6cf70c66.exe
Download: download sample
Signature njrat
Create hunting rule
File size:1'667'072 bytes
First seen:2023-07-20 06:56:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:MHec3FCFPecemUpNpM4lRJ7g28l1rHxDBV:MHsFLem2pMkJ7gBl1LV
Threatray 19 similar samples on MalwareBazaar
TLSH T170758D03BA5F8AB2E2891732E59B9C84C3A5D983731BD71B744E23B644033A79D46D37
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
209.25.140.212:49548

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
55877230838a3e29379f10fe6cf70c66.exe
Verdict:
Malicious activity
Analysis date:
2023-07-20 06:58:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8040f7a2-ec7e-408e-8956-04a26288afcb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/425777/
Detection(s):
SecuriteInfo.com.Variant.MSILHeracles.96835.16526.12963.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64b8dac07a9c6ddebf0bd6da/reports/d59662a8-82be-47a4-9207-b20618e29c03/overview
Verdict:
Malicious
Labled as:
MSILHeracles.Generic
Link:
https://www.hybrid-analysis.com/sample/4f24982ce7b3ff35f2f1e4b1f3221e21c6bca80f9fbe96d9c9d240173a593304
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6cdf6413-03cd-4119-8229-cee8e1e8107b
Result
Threat name:
RedLine, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276485
Signature
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses known network protocols on non-standard ports
Yara detected Costura Assembly Loader
Yara detected RedLine Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1276485 Sample: tz7hGcVIKs.exe Startdate: 20/07/2023 Architecture: WINDOWS Score: 100 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 7 other signatures 2->83 9 tz7hGcVIKs.exe 1 6 2->9         started        13 system.exe 4 2->13         started        15 system.exe 2->15         started        process3 file4 67 C:\Users\user\AppData\Roaming\system.exe, PE32 9->67 dropped 69 C:\Users\user\...\system.exe:Zone.Identifier, ASCII 9->69 dropped 71 C:\Users\user\AppData\...\tz7hGcVIKs.exe.log, ASCII 9->71 dropped 89 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 9->89 91 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 9->91 93 Injects a PE file into a foreign processes 9->93 17 tz7hGcVIKs.exe 15 21 9->17         started        21 cmd.exe 1 9->21         started        23 cmd.exe 1 9->23         started        33 2 other processes 9->33 95 Multi AV Scanner detection for dropped file 13->95 97 Machine Learning detection for dropped file 13->97 25 cmd.exe 13->25         started        27 cmd.exe 13->27         started        29 cmd.exe 13->29         started        31 cmd.exe 15->31         started        35 2 other processes 15->35 signatures5 process6 dnsIp7 73 212.ip.ply.gg 209.25.141.212, 49548, 49718, 49720 COGECO-PEER1CA Canada 17->73 75 api.ip.sb 17->75 85 Tries to harvest and steal browser information (history, passwords, etc) 17->85 37 conhost.exe 17->37         started        87 Uses ipconfig to lookup or modify the Windows network settings 21->87 39 2 other processes 21->39 41 2 other processes 23->41 43 2 other processes 25->43 45 2 other processes 27->45 47 2 other processes 29->47 49 2 other processes 31->49 51 2 other processes 33->51 53 4 other processes 35->53 signatures8 process9 process10 55 cmd.exe 43->55         started        57 cmd.exe 43->57         started        process11 59 conhost.exe 55->59         started        61 ipconfig.exe 55->61         started        63 conhost.exe 57->63         started        65 powershell.exe 57->65         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f24982ce7b3ff35f2f1e4b1f3221e21c6bca80f9fbe96d9c9d240173a593304/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-20 06:57:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
15 of 25 (60.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j4sjqlhhwp7tl4xr4sy7giq6ehdlzkapt67jnwoj2jabooszgmca._file
Verdict:
malicious
Similar samples:
10c3ade35a4335bd3c404789a75cc98b4b28a12468db7f8fd6e94d468e0bad7e
njrat
36dc266ad1ea8df01393368710ee6c6fd21629e833252cf0f3f63dffd908c805
njrat
6894f623dddd03e3be59b6785c21962cf71686a215e2db68f83f621b01afa7ef
njrat
7d66d00114a19baf515b19caaa434a322dd3c5f88f015e69cffc0f0257f63668
njrat
afd6fe04ebb90493a7a100c61428525c755575dac5f2cd377c549b19847fe7b5
njrat
c6f764be61e41b09c4198c7f350c40cb3b2c754390a50b335d2c310062dc777a
njrat
c806b0e3a7c2d1efb4170931ceb91efe9e2a9d677c3e9833cae188776e01f148
njrat
d66f5288a48f0e4e35601236c1521ac742420c3e127b11aa190fc54b7ad85ad5
njrat
fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181
njrat
+ 9 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:redline discovery infostealer persistence spyware stealer
Link:
https://tria.ge/reports/230720-hqx1aadc78/
Behaviour
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Reads user/profile data of web browsers
RedLine
RedLine payload
Unpacked files
SH256 hash:
b208435a3e89a81f3d4d3ff547bd3d164d3d65ba8342b92031d81841a9e721a8
MD5 hash:
2fd50707301c7f045d84b077a2c836d5
SHA1 hash:
d50229f74a123cd19e2fa03d3f34bec66e0e94e7
Link:
https://www.unpac.me/results/b5e1bc5c-0439-42ee-937d-ece876674c9f/
SH256 hash:
3af864a2f63e8d32c5fe7c5e66c05d1e6847daee6fa62cf65db5681ec27fbc08
MD5 hash:
34285db9061d1facc7a8c6c0898a08da
SHA1 hash:
352a09c8ed077f3e39eefd3e0ab5d6fc5963a0aa
Link:
https://www.unpac.me/results/b5e1bc5c-0439-42ee-937d-ece876674c9f/
SH256 hash:
b4cc00a7e79bda643af403ac6204d2392d13678c78e1ca4791d528476f951ae1
MD5 hash:
f2931b5db23530b7cf48c485288e32cb
SHA1 hash:
195a46b21a664a6d4102542adabff95db228b099
Link:
https://www.unpac.me/results/b5e1bc5c-0439-42ee-937d-ece876674c9f/
SH256 hash:
4f24982ce7b3ff35f2f1e4b1f3221e21c6bca80f9fbe96d9c9d240173a593304
MD5 hash:
55877230838a3e29379f10fe6cf70c66
SHA1 hash:
70f5fe2ee4449aca1a7988ed47284f9bb8ac4823
Link:
https://www.unpac.me/results/b5e1bc5c-0439-42ee-937d-ece876674c9f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4f24982ce7b3ff35f2f1e4b1f3221e21c6bca80f9fbe96d9c9d240173a593304

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/425777/

Comments