MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 544c4cb23628837e74f41ee8a4d738c21ea59c72e83e97b8a39f2cbbfff110c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 544c4cb23628837e74f41ee8a4d738c21ea59c72e83e97b8a39f2cbbfff110c0
SHA3-384 hash: 2fb344cbeceea9435a98f96da14c7f6ab9912a826585544907302d17501b138d110149361a3fdc135415c39daf91d7e4
SHA1 hash: 0b5654a24293b26b156e53e036ea7b73bea5354c
MD5 hash: eb223fba96baa9a5c7d57c7957b472f1
humanhash: angel-zulu-paris-lake
File name:544c4cb23628837e74f41ee8a4d738c21ea59c72e83e97b8a39f2cbbfff110c0
Download: download sample
Signature njrat
Create hunting rule
File size:453'632 bytes
First seen:2021-02-28 07:19:18 UTC
Last seen:2021-02-28 09:00:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:5uodJGrIe7pBBIE+SH6vwoDLZ8svV4M5cdDwmiC:sjcLOsd4MqdDwmiC
Threatray 440 similar samples on MalwareBazaar
TLSH AAA4D8B395C89E88F3FD937882281140EFE6D86B9BD2EA8E3E4551143C7A5579F90331
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
163
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
544c4cb23628837e74f41ee8a4d738c21ea59c72e83e97b8a39f2cbbfff110c0
Verdict:
Malicious activity
Analysis date:
2021-02-28 08:33:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/240e8fd1-b558-48af-bb31-b10e02ea0dbf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119889/
Detection(s):
SecuriteInfo.com.Variant.Bulz.104963.28071.29824.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Enabling the 'hidden' option for analyzed file
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Creating a process with a hidden window
Creating a window
DNS request
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/620971
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/544c4cb23628837e74f41ee8a4d738c21ea59c72e83e97b8a39f2cbbfff110c0/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 23:31:50 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=krgezmrwfcbx45hud3ukjvzyyipklhds5a7jpofdt4wlx77rcdaa._file
Verdict:
malicious
Similar samples:
0e49ced6331da16deb263cc7cbfdc8a6a3433a71f5c67cb64c7980a18faec884
njrat
4500ccf59d93041b081e3ba5e60be483ab84f9e08f1f00045f6c6a0138e8b787
njrat
60939dd4c12a90d44e021e79be83dc3339139ee922759a0b1055ab558b2a814f
njrat
6259ecedb1761b7412454f7dbc6ac1571701e276c49213e8a9b8fe70e03c546d
njrat
ce1608cdb307cecf3b38f233b388214717da84bf2a04caf67ab656aeedf5e871
njrat
d6b1f8c5ddef7568c1985b99db389b4671d6cf3a4004866d93620553da133992
njrat
dc8a2332c245f1019a3c08c53f649f0bf1ea42fad18c90fea68ac4aa1eb387aa
njrat
e929f1289f145ca3b34a7970ad5ee02c90851d95ae3142ee0e09a76a4ac7d234
njrat
f02f557a59201bb4072b6c3b572a1b19797b8c537554dd0f79f85c8dd4746109
njrat
ff06c54cab0bdcb0cea8c47f5ef001b2fc917ba857a0d14308ab7211408ba608
njrat
+ 430 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/210228-ka2ew7rw5a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
0be2a6d544e293d539d6ccf2d8065e74292bedf9099b548d8963e8c97e76722e
MD5 hash:
4dae5ffa0a0586c8e4ebc6eef8b1991d
SHA1 hash:
d14aefb75a985c2f95ba287d4801c19d609e63f8
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/260e4c80-479a-419b-a509-1800cb7c2343/
SH256 hash:
544c4cb23628837e74f41ee8a4d738c21ea59c72e83e97b8a39f2cbbfff110c0
MD5 hash:
eb223fba96baa9a5c7d57c7957b472f1
SHA1 hash:
0b5654a24293b26b156e53e036ea7b73bea5354c
Link:
https://www.unpac.me/results/260e4c80-479a-419b-a509-1800cb7c2343/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/544c4cb23628837e74f41ee8a4d738c21ea59c72e83e97b8a39f2cbbfff110c0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119889/

Comments