MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
SHA3-384 hash: 3ed96ddf391bce0a5893109169e07cb33eb9bb7dd16225ca25fd9a3527c605bf18eb79c66c91f9d6755ab94d5a9c05fb
SHA1 hash: 6a199cb43cb4f808183918ddb6eadc760f7cb680
MD5 hash: 1b99f0bf9216a89b8320e63cbd18a292
humanhash: california-bulldog-twenty-lion
File name:1b99f0bf9216a89b8320e63cbd18a292
Download: download sample
Signature njrat
Create hunting rule
File size:1'334'272 bytes
First seen:2024-10-16 22:20:24 UTC
Last seen:2024-12-18 10:27:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:J64p16BppRskYGC/cJUE7P6nxhpBaTn+CC6YtGz:JzpEBrRb4MonrpATDcUz
Threatray 2'005 similar samples on MalwareBazaar
TLSH T13455BDCB6E5646B6C39CE635C5A7372C072BD9793BE3AE0DE54F2E941B3236D5800182
TrID 56.5% (.EXE) Win64 Executable (generic) (10522/11/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
File icon (PE):PE icon
dhash icon 0270e8cee1d8c400 (7 x XWorm, 7 x AsyncRAT, 3 x njrat)
Reporter zbetcheckin
Tags:64 exe NjRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
478
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1b99f0bf9216a89b8320e63cbd18a292
Verdict:
Malicious activity
Analysis date:
2024-10-16 22:22:21 UTC
Tags:
susp-powershell purecrypter netreactor xworm remote evasion telegram
Link:
https://app.any.run/tasks/500730f3-db4b-46d0-b94e-e5eb51fbcda5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win64.PWSX-gen.23977.4542.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67103c50707bcd8537fc1328
Tags:
Bladabindi Powershell Gumen
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
net_reactor packed packed
Link:
https://www.filescan.io/uploads/67103c5086e544592426cc3a/reports/9f9c4372-77ae-4371-a3a5-b439a04b17a8/overview
Verdict:
Malicious
Labled as:
MSIL/TrojanDownloader.Agent_AGen
Link:
https://www.hybrid-analysis.com/sample/5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
Malware family:
Formbook
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/43e67a91-fac2-46f6-9175-e4f7493b23a7
Result
Threat name:
StormKitty, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1535423
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Antivirus detection for dropped file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the document folder of the user
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected BrowserPasswordDump
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected StormKitty Stealer
Yara detected Telegram RAT
Yara detected Telegram Recon
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1535423 Sample: b39wW3jYKO.exe Startdate: 17/10/2024 Architecture: WINDOWS Score: 100 37 ip-api.com 2->37 51 Suricata IDS alerts for network traffic 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 17 other signatures 2->57 8 b39wW3jYKO.exe 3 31 2->8         started        13 OneDrive.exe 3 2->13         started        15 OneDrive.exe 2->15         started        signatures3 process4 dnsIp5 39 104.219.239.11, 49809, 49841, 6969 DATAWAGONUS United States 8->39 29 C:\Users\user\Documents\OneDrive.exe, PE32+ 8->29 dropped 31 C:\Users\user\AppData\Local\Temp\arndry.exe, PE32 8->31 dropped 33 C:\Users\...\OneDrive.exe:Zone.Identifier, ASCII 8->33 dropped 59 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->59 61 Drops PE files to the document folder of the user 8->61 63 Encrypted powershell cmdline option found 8->63 69 3 other signatures 8->69 17 arndry.exe 14 2 8->17         started        21 powershell.exe 23 8->21         started        65 Multi AV Scanner detection for dropped file 13->65 67 Machine Learning detection for dropped file 13->67 file6 signatures7 process8 dnsIp9 35 ip-api.com 208.95.112.1, 49832, 80 TUT-ASUS United States 17->35 41 Antivirus detection for dropped file 17->41 43 Machine Learning detection for dropped file 17->43 45 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->45 47 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 17->47 23 WerFault.exe 22 16 17->23         started        49 Loading BitLocker PowerShell Module 21->49 25 WmiPrvSE.exe 21->25         started        27 conhost.exe 21->27         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357/
Threat name:
Win64.Backdoor.Xworm
Create hunting rule
Status:
Malicious
First seen:
2024-10-11 17:26:20 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
15
AV detection:
21 of 38 (55.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kj26hw3co3s7boc674ghwauc6vrgqzdhm2yvm25i66l6norksnlq._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
1d7c6ed697ee011ad969d1d7c706d88a962584f87d543fcc77ee358c5bfb4509
njrat
4ad418db066d291782cc25d1348249f04138029a065201a2514c0976fbcd31dc
njrat
5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
njrat
6e7b2e847d48024e32a6b4537a3f9cbef99b94cf4f906e4554ae0675780e4413
njrat
80b80e15f605f0b8740e1989e505280394d746e8a8ee37cdb9b009d745e42da0
njrat
error
njrat
+ 1'995 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:stormkitty family:xworm discovery persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/241016-19mmrszckm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Contains code to disable Windows Defender
Detect Xworm Payload
StormKitty
StormKitty payload
Xworm
Malware Config
C2 Extraction:
104.219.239.11:6969
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0e8d196f-6e52-4c03-b1c6-c1d59ae29fda
Unpacked files
SH256 hash:
5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357
MD5 hash:
1b99f0bf9216a89b8320e63cbd18a292
SHA1 hash:
6a199cb43cb4f808183918ddb6eadc760f7cb680
Link:
https://www.unpac.me/results/cbdfc1cf-e09d-4934-a08f-edc562ef9f36/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 5275e3db6276e5f0b85eff0c7b0282f56268646766b1566ba8f797e6ba2a9357

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3238540/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments


Avatar
zbet commented on 2024-10-16 22:20:25 UTC

url : hxxp://185.215.113.16/inc/OneDrive.exe