MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
SHA3-384 hash: f76cdeb45c673ef100aa34228e3e069f414d434cfda9c47612d1d8b41d0acf553f2dca05fb9bbbb25f125fb00c0304b2
SHA1 hash: e627db6e46490e6dd097e17435466ebb94203534
MD5 hash: 9b434d4ef78c598e4516d53d189b8cdd
humanhash: indigo-jersey-oregon-chicken
File name:5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
Download: download sample
Signature njrat
Create hunting rule
File size:1'582'855 bytes
First seen:2020-07-29 07:11:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 24576:ik6+c2dHb6666Kd0JgWZMI8nmIig0ihw3PiuGfczTdcfIbUEd5fPnk/:ibOb66662ocFmIn0i+36jfAT+fITM/
Threatray 47 similar samples on MalwareBazaar
TLSH 9675E013ECC20571D8B4CE32162A5DEBD16EBD183E39A61E7B4A75E877333C09722256
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Neshta
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34312/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.31721986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Creating a process with a hidden window
Deleting a recently created file
Connection attempt
Enabling autorun with the shell\open\command registry branches
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Infecting executable files
Enabling autorun with Startup directory
Result
Threat name:
njRat Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/401465
Signature
.NET source code contains very large strings
.NET source code references suspicious native API functions
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Detected njRat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses netsh to modify the Windows network and firewall settings
Yara detected Neshta
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252969 Sample: MqEBv1Uuhe Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 81 g.msn.com 2->81 93 Malicious sample detected (through community Yara rule) 2->93 95 Detected njRat 2->95 97 Yara detected Neshta 2->97 99 11 other signatures 2->99 14 MqEBv1Uuhe.exe 10 2->14         started        17 svchost.exe 2->17         started        20 svchost.com 2->20         started        22 9 other processes 2->22 signatures3 process4 dnsIp5 77 C:\Users\user\AppData\Local\Temp\...\netr.exe, PE32 14->77 dropped 79 C:\Users\user\AppData\...\exeJoinerX.exe, PE32 14->79 dropped 25 netr.exe 4 14->25         started        89 Changes security center settings (notifications, updates, antivirus, firewall) 17->89 91 Drops executables to the windows directory (C:\Windows) and starts them 20->91 85 127.0.0.1 unknown unknown 22->85 29 svchost.exe 22->29         started        31 svchost.exe 22->31         started        33 svchost.exe 22->33         started        file6 signatures7 process8 file9 67 C:\Windows\svchost.com, PE32 25->67 dropped 69 C:\Users\user\AppData\Local\Temp\...\netr.exe, PE32 25->69 dropped 71 C:\ProgramData\Adobe\Setup\...\setup.exe, PE32 25->71 dropped 73 100 other files (32 malicious) 25->73 dropped 117 Creates an undocumented autostart registry key 25->117 119 Drops PE files with a suspicious file extension 25->119 121 Drops executable to a common third party application directory 25->121 35 netr.exe 3 6 25->35         started        signatures10 process11 file12 63 C:\Users\user\AppData\Local\...\sqls294.exe, PE32 35->63 dropped 101 Detected unpacking (changes PE section rights) 35->101 103 Detected unpacking (overwrites its own PE header) 35->103 105 Hides threads from debuggers 35->105 39 svchost.com 1 35->39         started        42 svchost.com 35->42         started        signatures13 process14 signatures15 115 Sample is not signed and drops a device driver 39->115 44 sqls294.exe 2 5 39->44         started        process16 dnsIp17 87 192.168.2.1 unknown unknown 44->87 75 C:\Users\user\AppData\Local\...\svchost.exe, PE32 44->75 dropped 123 Drops PE files with benign system names 44->123 49 svchost.com 44->49         started        file18 signatures19 process20 file21 61 C:\Windows\directx.sys, ASCII 49->61 dropped 52 svchost.exe 49->52         started        process22 dnsIp23 83 82.202.167.202, 49744, 49745, 49747 THEFIRST-ASRU Russian Federation 52->83 65 C:\...\7522053c20259d4d2a19b6cfd5a87d9f.exe, PE32 52->65 dropped 107 System process connects to network (likely due to code injection or exploit) 52->107 109 Protects its processes via BreakOnTermination flag 52->109 111 Creates autostart registry keys with suspicious names 52->111 113 Drops PE files to the startup folder 52->113 57 netsh.exe 52->57         started        file24 signatures25 process26 process27 59 conhost.exe 57->59         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 03:10:14 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjqyoref7h7bnj4kkwdtj2dff6j5whkuj456gmph62w4a32d52ma._file
Verdict:
malicious
Similar samples:
0283c0f02307adc4ee46c0382df4b5d7b4eb80114fbaf5cb7fe5412f027d165e
njrat
1954e06fc952a5a0328774aaf07c23970efd16834654793076c061dffb09a7eb
njrat
52055c63e2a063c0d4489918ff3bc7e63c9ff94bb56ad95003d8594d01bb81d2
njrat
88e03236b248d004923161c7928a1546cdffd0b6e8c30a22b1d49b05dca9b2da
njrat
8ccce2a5d01211e5db0bcc8721dbea06422c5f3133466e4945e4d301d44df3b2
njrat
9cda5e5ad6ca68a803516013fbf62e6b06383b20fccf1ee6aed4730c916a3b55
njrat
ccae475b281127a3280a51906a2ab50248c8b7f75c34e93c5bd62ccc0fded850
njrat
e1614a878888eddb3296e856dc5f4e63a926b9e4c899cf09da12a8f477ace4cf
njrat
e7e5f0ac865dd8cec6539a3defbd09f15df7822b647fcd2e2f53555be98ad8e2
njrat
eddc999a7e76c2af01abaa813a903686f6f5b7ff94a7587c071bf2d2243b5239
njrat
+ 37 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware persistence evasion
Link:
https://tria.ge/reports/200729-mtzjevhxns/
Behaviour
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Drops file in Program Files directory
Drops file in Windows directory
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
JavaScript code in executable
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Windows Firewall
Executes dropped EXE
Modifies Windows Firewall
Modifies system executable filetype association
Modifies system executable filetype association
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Neshta
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34312/

Comments