MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5553c4917346dd771d2a2c7c5d3c586786bfb3d1b8557521a0f8395f2bd94dae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5553c4917346dd771d2a2c7c5d3c586786bfb3d1b8557521a0f8395f2bd94dae
SHA3-384 hash: dce1cd1e7a53871db20a395e139256f2d41f93ec8adb127c297ceeb1d2ea5bb9f73598bc4670fa05ca7bc7e644a85797
SHA1 hash: ccd9c1bd42667db87a7dd86e6a60d55f1ce0d64f
MD5 hash: f94a4829ba666dcc7243d6febb22c09f
humanhash: social-echo-twelve-dakota
File name:5553c4917346dd771d2a2c7c5d3c586786bfb3d1b8557521a0f8395f2bd94dae
Download: download sample
Signature njrat
Create hunting rule
File size:374'053 bytes
First seen:2020-11-14 18:29:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 6144:kaLbjXLSGvRMcbiJiLJCQqUdVVbfkVy8mLILAx0lrutZj2x2P:kExvJbiJiLMQ/Vb8VyLILASlibaMP
Threatray 534 similar samples on MalwareBazaar
TLSH 5B84AE02F9D148B2D42209FD56297700BB3578341F74F98BA3E0CD5AB931DD36AF5AA2
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Emotet-9790742-0
Create hunting rule

Win.Dropper.NetWire-9792487-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Launching a process
Creating a file
Enabling the 'hidden' option for files in the %temp% directory
Creating a process with a hidden window
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535071
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316635 Sample: 3ihQ1dzhGF Startdate: 14/11/2020 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected Njrat 2->43 45 8 other signatures 2->45 10 3ihQ1dzhGF.exe 3 11 2->10         started        process3 file4 27 C:\Users\user\AppData\Local\...\matter.exe, PE32 10->27 dropped 13 wscript.exe 1 10->13         started        process5 process6 15 matter.exe 3 5 13->15         started        file7 29 C:\Users\user\AppData\Local\Temp\matter.exe, PE32 15->29 dropped 33 Antivirus detection for dropped file 15->33 35 Multi AV Scanner detection for dropped file 15->35 37 Machine Learning detection for dropped file 15->37 19 matter.exe 2 4 15->19         started        signatures8 process9 dnsIp10 31 193.161.193.99, 49257, 49724, 49725 BITREE-ASRU Russian Federation 19->31 47 Antivirus detection for dropped file 19->47 49 Multi AV Scanner detection for dropped file 19->49 51 Machine Learning detection for dropped file 19->51 23 netsh.exe 1 3 19->23         started        signatures11 process12 process13 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5553c4917346dd771d2a2c7c5d3c586786bfb3d1b8557521a0f8395f2bd94dae/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:34:52 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kvj4jelti3oxohjkfr6f2pcym6dl7m6rxbkxkina7a4v6k6zjwxa._file
Verdict:
malicious
Similar samples:
0be50f5dccff35823a1735e676485141e3194cd4027cc0518c86f743284dce44
njrat
139440ea99f0fdb275e96e8b749b64ca0528468f3b243bee6ada39b6db6327ac
njrat
14ba5f94a671a38e16b5166ebca44ddacd6fde3226015676f9c369c992b5d2f8
njrat
2b942243439c92b4921032a08567d76c0baff766661083fe8f6a9ab66966926d
njrat
2e71e2197518ae4077d0968f2f666635d9a1f822802aca08f092f488629d900b
njrat
72186f2bd535a54efe912025ee41ff582ea5eeeb08709988e7e89e3822dbf391
njrat
af21243da675a515c8e2ca9d00b5628c1201125b1a29d46a9df0cb0b63769942
njrat
b2a9afcf53b4804d0d6b525b0480c1e01f72a151c536d2436e1ae2017d7bcccb
njrat
eccc7b043b9cdcd8a3766cde17f331e63a6be6f7fb7a99e5cc7f6863406c299e
njrat
f2292fec01b4672cf1bd05d2022e7ab814c53378e900cf7679b3917fe317965b
njrat
+ 524 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/201114-q838l6l8xn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies service
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
d0dce491fdf1fe028231d926ecdb48069b01327a47a9becb832462ac189d97a8
MD5 hash:
8d6e2b23f4cee3c20741899dded12f29
SHA1 hash:
265ede0b5eb0f39ed78bfa585239cc5f32dffaf5
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/f246b0f5-7e7a-41ed-baaf-d6f52c31b955/
Parent samples :
d955c191cd93fda7011c207646af6060c86ac97aefaf555a7c914124f3eaaccd
5553c4917346dd771d2a2c7c5d3c586786bfb3d1b8557521a0f8395f2bd94dae
SH256 hash:
5553c4917346dd771d2a2c7c5d3c586786bfb3d1b8557521a0f8395f2bd94dae
MD5 hash:
f94a4829ba666dcc7243d6febb22c09f
SHA1 hash:
ccd9c1bd42667db87a7dd86e6a60d55f1ce0d64f
Link:
https://www.unpac.me/results/f246b0f5-7e7a-41ed-baaf-d6f52c31b955/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5553c4917346dd771d2a2c7c5d3c586786bfb3d1b8557521a0f8395f2bd94dae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments