MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51b94fffa69d6b2d5dde4e95db31331af0ade93a78cfb0329287e6d4e2402334. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51b94fffa69d6b2d5dde4e95db31331af0ade93a78cfb0329287e6d4e2402334
SHA3-384 hash: 42ac70629c2089bd9ffdea47e47af841679dc35a013949d9b17f2e743194e8bde5edc511b7270ce470a0e87c869c569f
SHA1 hash: 64ad8a7a066c7d2f2b4a8ee70504a13579dcb463
MD5 hash: 7304241e2f687a2b14be77e9d4e6a2b5
humanhash: charlie-nine-robin-montana
File name:51b94fffa69d6b2d5dde4e95db31331af0ade93a78cfb0329287e6d4e2402334
Download: download sample
Signature njrat
Create hunting rule
File size:226'068 bytes
First seen:2020-11-13 16:10:19 UTC
Last seen:2024-07-24 14:17:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:YsXRmUIMitayQcZe27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwtmpP:ZR5I2yQcZeGk7RZBGxAycKpSPX2W
Threatray 63 similar samples on MalwareBazaar
TLSH 6B245CA534AE6709D93EDBF0D2E520A087B562657216D2BA6C8153EFC051FF11F82C3E
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Bladabindi-6888152-0
Create hunting rule

Win.Packed.Bladabindi-9754048-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Running batch commands
Launching a process
Adding an access-denied ACE
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Launching a service
Using the Windows Management Instrumentation requests
Connection attempt
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/534456
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Disable Task List ballon tips (likely to surpress security warnings)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316328 Sample: 5dG8Bd5Jho Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus detection for dropped file 2->87 89 Antivirus / Scanner detection for submitted sample 2->89 91 8 other signatures 2->91 8 5dG8Bd5Jho.exe 2 9 2->8         started        13 5dG8Bd5Jho.exe 2->13         started        15 5dG8Bd5Jho.exe 2->15         started        17 3 other processes 2->17 process3 dnsIp4 83 192.168.2.1 unknown unknown 8->83 59 C:\Users\user\AppData\Local\...\dtsh32.exe, PE32 8->59 dropped 69 3 other malicious files 8->69 dropped 101 Creates autostart registry keys with suspicious names 8->101 103 Creates multiple autostart registry keys 8->103 19 dtsh32.exe 28 6 8->19         started        23 cmd.exe 1 8->23         started        25 cmd.exe 1 8->25         started        61 C:\Users\user\AppData\...61arrator32.exe, PE32 13->61 dropped 71 2 other malicious files 13->71 dropped 27 Narrator32.exe 13->27         started        29 cmd.exe 13->29         started        31 cmd.exe 13->31         started        63 C:\Users\user\AppData\...\wevtutil32.exe, PE32 15->63 dropped 73 2 other malicious files 15->73 dropped 33 wevtutil32.exe 15->33         started        35 cmd.exe 15->35         started        37 cmd.exe 15->37         started        65 C:\Users\user\AppData\Local\...\win32u32.exe, PE32 17->65 dropped 67 C:\Users\user\AppData\...\RstrtMgr32.exe, PE32 17->67 dropped 75 4 other malicious files 17->75 dropped file5 signatures6 process7 dnsIp8 77 213.183.58.4, 5558 MELBICOM-EU-ASMelbikomasUABNL Lithuania 19->77 79 paste.ee 104.18.48.20, 49734, 80 CLOUDFLARENETUS United States 19->79 81 2 other IPs or domains 19->81 93 Antivirus detection for dropped file 19->93 95 Creates an undocumented autostart registry key 19->95 97 Machine Learning detection for dropped file 19->97 99 6 other signatures 19->99 39 schtasks.exe 19->39         started        51 3 other processes 19->51 41 conhost.exe 23->41         started        43 timeout.exe 1 23->43         started        45 conhost.exe 25->45         started        53 2 other processes 29->53 47 conhost.exe 31->47         started        55 2 other processes 35->55 49 conhost.exe 37->49         started        signatures9 process10 process11 57 conhost.exe 39->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51b94fffa69d6b2d5dde4e95db31331af0ade93a78cfb0329287e6d4e2402334/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-13 16:27:29 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a9b159c9210f631ce9963a5ad26bcb33f15bb0bbd3a17d080f41f8c7f294117
njrat
431ecb18d6ffeafbf69a79c32166607d24fcdafc9f4fd29b437d41b6272c07c5
njrat
45e6d88e68a7ea1b3d12298aa67358c4bd281c9d7b3bea2b6d8093f33251bc19
njrat
57f7751d3e603698a3a53a30ffc0dff8ba5591f17ecdad8a53e169585c46c041
njrat
64b7b062f8401c3f9e0ac8f3e69ac32631c63ce7b3e3739fc529fa1f4ae0c969
njrat
74730cf408bf94965b783eb01a1489939694100e01ecea7c332d3efcc30fd768
njrat
7604ab964cc40610d53feac0b1ad034c6e4e4293344670d1d2d7423e08e12a3e
njrat
af4cf51f4a1e29d76867b510c0d7fae11f20b43e2405c85986b5e957ea6f00cb
njrat
dd14a1096956425515cd7231df84a23f3b8a99aacd272d10994c592404d46ca2
njrat
fb80a3973312b0ca4905ccba10408931846a3517d6afc64cb05271da85190aba
njrat
+ 53 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware
Link:
https://tria.ge/reports/201113-h9abtm77ws/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Modifies visiblity of hidden/system files in Explorer
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
51b94fffa69d6b2d5dde4e95db31331af0ade93a78cfb0329287e6d4e2402334
MD5 hash:
7304241e2f687a2b14be77e9d4e6a2b5
SHA1 hash:
64ad8a7a066c7d2f2b4a8ee70504a13579dcb463
Link:
https://www.unpac.me/results/8fc91e2a-fb61-4a94-845c-7cebfe416a45/
SH256 hash:
1727656d82a2d5cca836cb29bdd54c7e37cc0c2927fed7d759b339cfeda2c0cf
MD5 hash:
97adcac2514ee9757bfc77c609ca9e06
SHA1 hash:
83e60a16e5a800d4c5d1819cd1e774cb9be6a775
Link:
https://www.unpac.me/results/8fc91e2a-fb61-4a94-845c-7cebfe416a45/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments