MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 518f22ac3dfb39779d6b21fdd230b71db39453f73b42f411009a0afe7dbbe818. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 518f22ac3dfb39779d6b21fdd230b71db39453f73b42f411009a0afe7dbbe818
SHA3-384 hash: 0232c54d75f585b77f54cc5778b1f3599337ad5864171e63012c52fb3fa627049a2e78f90349e6bcc179eb7ca0bf2f4d
SHA1 hash: c25a05acb5231776456d08fad7df0e48d92931c0
MD5 hash: 3e5ba25aa4f23ceb11be209d1967e341
humanhash: table-illinois-carbon-hamper
File name:3E5BA25AA4F23CEB11BE209D1967E341.exe
Download: download sample
Signature njrat
Create hunting rule
File size:471'910 bytes
First seen:2024-02-17 19:50:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 75e9596d74d063246ba6f3ac7c5369a0 (8 x DCRat, 5 x PythonStealer, 4 x CoinMiner)
ssdeep 6144:jE+yclwQKjdn+WPtYVJIoBfRT+tkbOSeC2xDjAzQeOOg7Y55HkVSGsc:jBdlwHRn+WlYV+8T+tkKC0EEE17HkV8c
TLSH T156A4E113FAC1D0B2D03219321669CB61A6BC7C101F254BEB63D97D3DEA251D2AB317A7
TrID 40.3% (.EXE) Win64 Executable (generic) (10523/12/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
147.185.221.17:10652

Intelligence

File Origin
# of uploads :
1
# of downloads :
416
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/476607/
Detection(s):
Win.Dropper.njRAT-9986242-0
Create hunting rule

Win.Dropper.Nanocore-9986456-0
Create hunting rule

Win.Malware.Bladabindi-10008357-0
Create hunting rule

Win.Packed.Babar-10012967-0
Create hunting rule

Win.Packed.Bladabindi-10017056-0
Create hunting rule

Win.Malware.Zenpak-10017873-0
Create hunting rule

Win.Malware.Zusy-10017928-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a file
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Connection attempt to an infection source
Unauthorized injection to a recently created process
Stealing user critical data
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
44caliber anti-vm anti-vm cmd config-extracted evasive explorer fingerprint fingerprint installer lolbin lolbin netsh njrat overlay packed rat setupapi sfx shdocvw shell32 stealer stealer
Link:
https://www.filescan.io/uploads/65d10e2603a1c3a7aeefbdc0/reports/ee8a5822-0451-4514-9ccc-b70647c6f0ca/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/518f22ac3dfb39779d6b21fdd230b71db39453f73b42f411009a0afe7dbbe818
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf60f6f1-6494-4d91-8926-d4fbea7a38e3
Result
Threat name:
44Caliber Stealer, Njrat, Rags Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1393956
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Snort IDS alert for network traffic
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Yara detected 44Caliber Stealer
Yara detected Generic Downloader
Yara detected Njrat
Yara detected Rags Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1393956 Sample: qdHMT36Tn9.exe Startdate: 17/02/2024 Architecture: WINDOWS Score: 100 36 freegeoip.app 2->36 38 mary-cottage.gl.at.ply.gg 2->38 40 ipbase.com 2->40 48 Snort IDS alert for network traffic 2->48 50 Multi AV Scanner detection for domain / URL 2->50 52 Found malware configuration 2->52 56 18 other signatures 2->56 9 qdHMT36Tn9.exe 9 2->9         started        13 3.exe 3 2->13         started        15 3.exe 2 2->15         started        17 3.exe 2 2->17         started        signatures3 54 Tries to detect the country of the analysis system (by using the IP) 36->54 process4 file5 32 C:\Users\user\AppData\Local\Temp\3.exe, PE32 9->32 dropped 34 C:\Users\user\AppData\Local\Temp\1.exe, PE32 9->34 dropped 74 Found many strings related to Crypto-Wallets (likely being stolen) 9->74 19 3.exe 3 5 9->19         started        24 1.exe 14 51 9->24         started        signatures6 process7 dnsIp8 42 mary-cottage.gl.at.ply.gg 147.185.221.17, 10652, 49707, 49708 SALSGIVERUS United States 19->42 30 C:\...\9902b29d6de7130c2f409ab27fb09fa7.exe, PE32 19->30 dropped 58 Antivirus detection for dropped file 19->58 60 Multi AV Scanner detection for dropped file 19->60 62 Protects its processes via BreakOnTermination flag 19->62 72 4 other signatures 19->72 26 netsh.exe 2 19->26         started        44 freegeoip.app 172.67.160.84, 443, 49705 CLOUDFLARENETUS United States 24->44 46 ipbase.com 172.67.209.71, 443, 49706 CLOUDFLARENETUS United States 24->46 64 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 24->64 66 Machine Learning detection for dropped file 24->66 68 Tries to harvest and steal browser information (history, passwords, etc) 24->68 70 Tries to steal Crypto Currency Wallets 24->70 file9 signatures10 process11 process12 28 conhost.exe 26->28         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/518f22ac3dfb39779d6b21fdd230b71db39453f73b42f411009a0afe7dbbe818
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/518f22ac3dfb39779d6b21fdd230b71db39453f73b42f411009a0afe7dbbe818/
Threat name:
ByteCode-MSIL.Trojan.NjRAT
Create hunting rule
Status:
Malicious
First seen:
2024-02-15 02:25:35 UTC
File Type:
PE (Exe)
Extracted files:
23
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kghsflb57m4xphlleh65emfxdwzziu7xhnbpieiatifp47n35ama._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:44caliber family:njrat botnet:hacked evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/240217-yks25sad4y/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies Windows Firewall
44Caliber
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/1199323175729758268/CBdP8e3cXbL0ED8xKBhMw0ikKHmITu-6CI4WjfttZm2aWGZGjp43Msrjwp8AVeEBf6T1
mary-cottage.gl.at.ply.gg:10652
Unpacked files
SH256 hash:
167b27091fcb93e2c972906b9784f6776ad14e5423485d62472dfa96090ee0ea
MD5 hash:
bab7de440d67ccefda859b89b7e6cf35
SHA1 hash:
a77e98824f24a1aade6bd1d8af8b1a109e9bb8a2
Link:
https://www.unpac.me/results/264db593-ffd2-4d7d-8ef1-821d85a530c5/
SH256 hash:
5ac29f18472f943f2eb3c256fdbfe251b04ca66afc22fcba65183b0509feb529
MD5 hash:
0ce3051b867d50aa172d1b332f156e3e
SHA1 hash:
f87defe312cb3a5efea3f845d187762e153bddab
Detections:
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_References_Browsers
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
MALWARE_Win_GloomaneStealer
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
MALWARE_Win_A310Logger
Create hunting rule
Link:
https://www.unpac.me/results/264db593-ffd2-4d7d-8ef1-821d85a530c5/
SH256 hash:
518f22ac3dfb39779d6b21fdd230b71db39453f73b42f411009a0afe7dbbe818
MD5 hash:
3e5ba25aa4f23ceb11be209d1967e341
SHA1 hash:
c25a05acb5231776456d08fad7df0e48d92931c0
Link:
https://www.unpac.me/results/264db593-ffd2-4d7d-8ef1-821d85a530c5/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/518f22ac3dfb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/518f22ac3dfb39779d6b21fdd230b71db39453f73b42f411009a0afe7dbbe818

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/476607/

Comments