MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 545ff8494719a0184cdd307001a48f3d234b7549b413f15779e8edaa5b5e4955. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 545ff8494719a0184cdd307001a48f3d234b7549b413f15779e8edaa5b5e4955
SHA3-384 hash: 4d8101d35d11ef1b1f76b0bc9f7278988f497788b269dfff7149bfe3a835c837d1a732ed8d58e8afa62f21fb419986bd
SHA1 hash: 2e0ad930b99fcad1c54d8d42c2b71846a3c709fa
MD5 hash: 87223f01642c0c9e6f0aa3bc58539d7e
humanhash: helium-single-golf-south
File name:file.exe
Download: download sample
Signature njrat
Create hunting rule
File size:306'704 bytes
First seen:2023-06-01 10:20:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:5LPtFW58StHOvjec3mC0XB2mEdokzVa5XMKKtJJU3hwsgboh3:5L8tuvi8R0x2mEdokzViXsJU3hws5h3
Threatray 1'494 similar samples on MalwareBazaar
TLSH T18764BF5833A8B9AFD3ABC139E8EC2E159770B467570BE323199310E65D2D742BD046E3
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter abuse_ch
Tags:exe NjRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
309
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
file.exe
Verdict:
Malicious activity
Analysis date:
2023-06-01 10:21:35 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/aae95d5d-1924-4928-b69b-3baf95aab23e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/394333/
Detection(s):
Win.Packed.Formbook-9980347-1
Create hunting rule

Win.Packed.Cerbu-9993871-0
Create hunting rule

Win.Dropper.Formbook-9993903-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/64787112b9bd75d40def8875/reports/5f097920-f095-4e4c-9cbf-546a8393b47d/overview
Verdict:
Malicious
Labled as:
Trojan.E1CAE469
Link:
https://www.hybrid-analysis.com/sample/545ff8494719a0184cdd307001a48f3d234b7549b413f15779e8edaa5b5e4955
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
dotRunpeX
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c1498d59-0fcd-4502-9b61-4c0f10658b39
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1246697
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Disables UAC (registry)
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Njrat
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 879717 Sample: file.exe Startdate: 01/06/2023 Architecture: WINDOWS Score: 100 92 Snort IDS alert for network traffic 2->92 94 Multi AV Scanner detection for domain / URL 2->94 96 Found malware configuration 2->96 98 14 other signatures 2->98 10 file.exe 1 5 2->10         started        14 svchost.exe 3 2->14         started        16 svchost.exe 2->16         started        18 2 other processes 2->18 process3 file4 76 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 10->76 dropped 78 C:\Users\user\AppData\Local\...\file.exe.log, CSV 10->78 dropped 110 Drops PE files with benign system names 10->110 20 cmd.exe 1 10->20         started        22 cmd.exe 1 10->22         started        112 Multi AV Scanner detection for dropped file 14->112 114 Machine Learning detection for dropped file 14->114 116 Writes to foreign memory regions 14->116 25 powershell.exe 14->25         started        27 aspnet_wp.exe 14->27         started        29 ilasm.exe 14->29         started        35 4 other processes 14->35 80 C:\Windows\Temp\vj1y5tpa.inf, Windows 16->80 dropped 118 Injects a PE file into a foreign processes 16->118 82 C:\Windows\Temp\oo1ktivh.inf, Windows 18->82 dropped 120 Adds a directory exclusion to Windows Defender 18->120 31 powershell.exe 18->31         started        33 MpCmdRun.exe 18->33         started        37 5 other processes 18->37 signatures5 process6 signatures7 39 svchost.exe 5 5 20->39         started        44 conhost.exe 20->44         started        46 timeout.exe 1 20->46         started        100 Uses schtasks.exe or at.exe to add and modify task schedules 22->100 48 conhost.exe 22->48         started        50 schtasks.exe 1 22->50         started        52 conhost.exe 25->52         started        54 conhost.exe 31->54         started        56 conhost.exe 33->56         started        process8 dnsIp9 84 192.168.2.1 unknown unknown 39->84 74 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 39->74 dropped 102 Writes to foreign memory regions 39->102 104 Adds a directory exclusion to Windows Defender 39->104 106 Disables UAC (registry) 39->106 108 2 other signatures 39->108 58 AddInProcess32.exe 39->58         started        62 powershell.exe 17 39->62         started        64 ServiceModelReg.exe 39->64         started        66 15 other processes 39->66 file10 signatures11 process12 dnsIp13 86 3.124.67.191, 17491, 49702, 49706 AMAZON-02US United States 58->86 88 3.126.224.214, 17491, 49713 AMAZON-02US United States 58->88 90 2 other IPs or domains 58->90 122 Protects its processes via BreakOnTermination flag 58->122 124 Uses netsh to modify the Windows network and firewall settings 58->124 126 Modifies the windows firewall 58->126 68 netsh.exe 58->68         started        70 conhost.exe 62->70         started        signatures14 process15 process16 72 conhost.exe 68->72         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/545ff8494719a0184cdd307001a48f3d234b7549b413f15779e8edaa5b5e4955/
Threat name:
ByteCode-MSIL.Trojan.Dotrunpex
Create hunting rule
Status:
Malicious
First seen:
2023-06-01 10:21:07 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
3
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=krp7qskhdgqbqtg5gbyadjephuruw5kjwqj7cv3z5dw2uw26jfkq._file
Verdict:
malicious
Similar samples:
0118ff85ec2075d5a4f006c5baec65212ae5b921ca00fdb66859687836b8efef
njrat
584c7bd597822f806b5fd30ee9c07a9d09f2fd1d9195e462a33656f3778ef1f4
njrat
64c33ae79784c3af1e39f89e4bbb1754b1b683c56b53a02ffead97315a173fcc
njrat
682f46b161401fb00f263cb29ec705cde9ab8de124ea372800b841e9b36349fd
njrat
a38ee725e23f1acc01722da5a54cbf1cd76937271509f08a9c795fc3a0301f2b
njrat
a58ee92cdb05c92453c009c0792676ce815af1298cbbe9f36407d4933b8b942e
njrat
c615b57a74eefbaa313b34fcd75289db5d298d50640f242200044f4a9e7bbe80
njrat
de80076c4c1d002abd45622a0e79f3f823560d66ef4ef66055ab1a88341d16a7
njrat
fb8fdb08cf7984a3bac0cc7daeea3790a92306467543cf556945fc479a165dd8
njrat
+ 1'484 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked evasion persistence trojan
Link:
https://tria.ge/reports/230601-mdncjadg25/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Modifies Windows Firewall
Sets service image path in registry
UAC bypass
Windows security bypass
njRAT/Bladabindi
Malware Config
C2 Extraction:
7.tcp.eu.ngrok.io:17491
Unpacked files
SH256 hash:
545ff8494719a0184cdd307001a48f3d234b7549b413f15779e8edaa5b5e4955
MD5 hash:
87223f01642c0c9e6f0aa3bc58539d7e
SHA1 hash:
2e0ad930b99fcad1c54d8d42c2b71846a3c709fa
Link:
https://www.unpac.me/results/66d1a21c-acdc-49d5-865a-b782d0a5b46e/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/545ff8494719/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/545ff8494719a0184cdd307001a48f3d234b7549b413f15779e8edaa5b5e4955

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/394333/

Comments