MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50a0f7a4caa6bf6e5763e7d102ca2755ba37e8047d97a3bd9986c8f5b02e78da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 50a0f7a4caa6bf6e5763e7d102ca2755ba37e8047d97a3bd9986c8f5b02e78da
SHA3-384 hash: 86da40426c13565dc9513481672ca9161cef390fce9937a56975663238cd5629dd5f28a74f1974fee3b8262fed816d85
SHA1 hash: 13d3ddb0522ee0d3b378a4d57a047699a0336d5e
MD5 hash: 00fb790999d31006cb8506e2d067fc3e
humanhash: california-red-muppet-california
File name:00fb790999d31006cb8506e2d067fc3e.exe
Download: download sample
Signature njrat
Create hunting rule
File size:2'608'417 bytes
First seen:2022-07-10 07:20:16 UTC
Last seen:2022-07-10 07:30:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b4070734502a100c8f90bbd445995533 (11 x CryptOne, 5 x DCRat, 2 x njrat)
ssdeep 49152:SBEvcaf4Vp2xuEzpfc1YEwxTQ/75AoYlQvZl2bPIWRK4u000Ewewzg:yEvfApiuEt1lxTcJb2zIp00PwZzg
Threatray 1'932 similar samples on MalwareBazaar
TLSH T1A0C52303F9D149F1F5620C31A93A6B318DB9B8341F128ACFB3AC592DDB312D29675672
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0ccb2f0f0b2ccf0 (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
179.235.50.235:27010

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
179.235.50.235:27010 https://threatfox.abuse.ch/ioc/823207/

Intelligence

File Origin
# of uploads :
2
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
https://www.sendspace.com/file/lvq195
Verdict:
Malicious activity
Analysis date:
2022-07-03 20:03:51 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/ce387996-edf9-4520-b36e-d8d707819365

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/285851/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader21.28154.14353.10157.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows directory
Creating a process from a recently created file
Moving a file to the Windows directory
Enabling the 'hidden' option for recently created files
Creating a file
Sending a custom TCP request
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Unauthorized injection to a system process
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/24823/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
bladabindi greyware meterpreter njrat overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/62ca7e1c11764e36f82b026d/reports/dbb8dfa7-5104-43f5-a33e-5d73f9591aa5/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25dda4ac-daff-43f9-9fca-3efd7f3dfd1b
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1027923
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Detected njRat
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops fake system file at system root drive
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 660418 Sample: bMAkFWJUCe.exe Startdate: 10/07/2022 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic 2->50 52 Multi AV Scanner detection for domain / URL 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 13 other signatures 2->56 9 bMAkFWJUCe.exe 5 2->9         started        13 taskhost.exe 3 2->13         started        15 taskhost.exe 2 2->15         started        17 taskhost.exe 2 2->17         started        process3 file4 38 C:\Windows\diamondupdate.exe, PE32 9->38 dropped 40 C:\Windows\Diamond Loader.exe, PE32 9->40 dropped 66 Drops executables to the windows directory (C:\Windows) and starts them 9->66 19 diamondupdate.exe 1 5 9->19         started        23 Diamond Loader.exe 9->23         started        signatures5 process6 file7 34 C:\Windows\taskhost.exe, PE32 19->34 dropped 58 Antivirus detection for dropped file 19->58 60 Multi AV Scanner detection for dropped file 19->60 62 Machine Learning detection for dropped file 19->62 64 Drops executables to the windows directory (C:\Windows) and starts them 19->64 25 taskhost.exe 2 9 19->25         started        36 C:\Windows\BgasrIS.exe (copy), PE32 23->36 dropped signatures8 process9 dnsIp10 48 ajxpadrin.ddns.net 179.235.50.235, 27010, 49738 CLAROSABR Brazil 25->48 42 C:\taskhost.exe, PE32 25->42 dropped 44 C:\...\c245d1bf714df928920e13f7565dcff6.exe, PE32 25->44 dropped 46 C:\autorun.inf, Microsoft 25->46 dropped 68 Antivirus detection for dropped file 25->68 70 Multi AV Scanner detection for dropped file 25->70 72 Creates autorun.inf (USB autostart) 25->72 74 6 other signatures 25->74 30 netsh.exe 1 3 25->30         started        file11 signatures12 process13 process14 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/50a0f7a4caa6bf6e5763e7d102ca2755ba37e8047d97a3bd9986c8f5b02e78da/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-07-07 08:24:50 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kcqppjgku27w4v3d47iqfsrhkw5dp2aepwl2hpmzq3eplmbopdna._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
0e29156381dd95e3a986aa7aec1ce6738a9e4cf588427a481968a6ab681d2714
njrat
5613785f0f57fc6fa19e13180cf8bdc58677aefc33fcfc80d26378ee0d96d232
njrat
5ccee64d7cda44cac1e1ebe9be61d2888c2d28dfa0c8cf0e255fe8b153cad342
njrat
c27c8f029c0ce21a116cdb60c78676cac7ea9dd38aab8bf5c394075b407d6f5e
njrat
c4e8a78d7af808b4fe0fa7d8c7da2b2e6a364264621ccf520578c9d5d05baa5a
njrat
cf0f62c6105ceec3db23af296678feed3ea95d14ff032223d5397c7351cfc9e0
njrat
e3c8e66188c83c50326a1fee642e7b80d2a1ef4e624e1a8738a468a9695d3717
njrat
e5e11e02cec3f28ad19cabe5f684bc74f5e616d291e4e241dcd586552a33b5d5
njrat
+ 1'922 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:pointblank evasion persistence suricata trojan
Link:
https://tria.ge/reports/220710-h6m51sdaa7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops autorun.inf file
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
Malware Config
C2 Extraction:
ajxpadrin.ddns.net:27010
Unpacked files
SH256 hash:
4c2c60c366ff7f6e11c64d1cc5c7bae33d9c6df14db3cb17cfdde8eca4228726
MD5 hash:
8f1714ddfcec4043e7531c5cd72d8f33
SHA1 hash:
e0fe1d0c4ffe6dbfd67dcf708a8575b994db4bfa
Detections:
win_njrat_g1
Create hunting rule
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/d60e3286-3284-4d55-bdc2-fcc99b5d99e8/
SH256 hash:
0f44ff8bde6bb9f5f6a8022ea59711085428de668b9d7edb436e200ae27927d6
MD5 hash:
81e808233603be68be6590154f7899b1
SHA1 hash:
778d14ff80007c1b5aafddd6af85d4534a9b78f4
Link:
https://www.unpac.me/results/d60e3286-3284-4d55-bdc2-fcc99b5d99e8/
SH256 hash:
48b72021befd33e5836f9c80b67b864a58157f3ab9b2e0f9dca72b75ea0ce016
MD5 hash:
9ebe2be324b31cfa855795fbdd3c2853
SHA1 hash:
ee6365c691701ed6a0571cc65edebb77ae17e8a8
Link:
https://www.unpac.me/results/d60e3286-3284-4d55-bdc2-fcc99b5d99e8/
SH256 hash:
50a0f7a4caa6bf6e5763e7d102ca2755ba37e8047d97a3bd9986c8f5b02e78da
MD5 hash:
00fb790999d31006cb8506e2d067fc3e
SHA1 hash:
13d3ddb0522ee0d3b378a4d57a047699a0336d5e
Link:
https://www.unpac.me/results/d60e3286-3284-4d55-bdc2-fcc99b5d99e8/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/50a0f7a4caa6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/50a0f7a4caa6bf6e5763e7d102ca2755ba37e8047d97a3bd9986c8f5b02e78da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:suspicious_sfx_files_size_rule
Create hunting rule
Author:Razvan.A.B
Description:Detects suspicious files containing sfx

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/285851/

Comments