MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b
SHA3-384 hash: 327d5c759787c5db6851451d360225be66d8dafa391d33971c76789d377a517cca070af9a6dc6725a89eda1afd4b45b2
SHA1 hash: dfa2c6932c334883995ebdcdb2ffaddb65264f60
MD5 hash: 97315a68b07a037396f793482dcb17f0
humanhash: artist-hydrogen-carbon-robin
File name:56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b
Download: download sample
Signature njrat
Create hunting rule
File size:1'338'368 bytes
First seen:2021-08-30 07:11:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep 24576:2nsJ39LyjbJkQFMhmC+6GD9PDWHSb4NhfkbRPzeZBOBZ6ielDz8:2nsHyjtk2MYC5GDY84TOEuBkhNz8
Threatray 808 similar samples on MalwareBazaar
TLSH T14555B022F6D18473D1321A3D8D6BA3A5583ABE502F34794F77E82E4C9F3928179252D3
dhash icon 84b4b494d48eacec (1 x njrat, 1 x RedLineStealer)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
478
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b
Verdict:
Malicious activity
Analysis date:
2021-08-30 07:21:38 UTC
Tags:
installer rat njrat bladabindi
Link:
https://app.any.run/tasks/623051fc-c110-4737-8660-8389bfdf916f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183622/
Detection(s):
PUA.Win.Packer.D1s1g-5
Create hunting rule

PUA.Win.Packer.D1s1g-1
Create hunting rule

PUA.Win.Packer.D1s1g-2
Create hunting rule

Win.Malware.Delf-6899401-0
Create hunting rule

Win.Trojan.Emotet-9850453-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Moving a recently created file
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Modifying an executable file
Deleting a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Sending a UDP request
Creating a file in the %AppData% directory
Creating a process with a hidden window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Creating a file in the mass storage device
Launching the process to change the firewall settings
Infecting executable files
Enabling autorun by creating a file
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bf9105ca-f6f0-4b65-8b89-a95463d896e9
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841328
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Creates autostart registry keys with suspicious names
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Drops PE files to the document folder of the user
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 473759 Sample: jauLb41BdE Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 75 Malicious sample detected (through community Yara rule) 2->75 77 Antivirus detection for dropped file 2->77 79 Antivirus / Scanner detection for submitted sample 2->79 81 13 other signatures 2->81 10 jauLb41BdE.exe 1 6 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 2->16         started        18 9 other processes 2->18 process3 dnsIp4 55 C:\Users\user\...\._cache_jauLb41BdE.exe, PE32 10->55 dropped 57 C:\ProgramData\Synaptics\Synaptics.exe, PE32 10->57 dropped 59 C:\ProgramData\Synaptics\RCX4AE2.tmp, PE32 10->59 dropped 61 C:\...\Synaptics.exe:Zone.Identifier, ASCII 10->61 dropped 107 Contains functionality to detect sleep reduction / modifications 10->107 21 ._cache_jauLb41BdE.exe 13 10->21         started        25 Synaptics.exe 488 10->25         started        109 Query firmware table information (likely to detect VMs) 14->109 111 Changes security center settings (notifications, updates, antivirus, firewall) 16->111 65 127.0.0.1 unknown unknown 18->65 file5 signatures6 process7 dnsIp8 49 C:\Users\user\AppData\Local\...\urok.sfx.exe, PE32 21->49 dropped 91 Multi AV Scanner detection for dropped file 21->91 28 cmd.exe 21->28         started        69 freedns.afraid.org 50.23.197.95, 49709, 80 SOFTLAYERUS United States 25->69 71 docs.google.com 172.217.16.142, 443, 49706, 49707 GOOGLEUS United States 25->71 73 2 other IPs or domains 25->73 51 C:\Users\user\DocumentsIVQSAOTAQ\~$cache1, PE32 25->51 dropped 93 Antivirus detection for dropped file 25->93 95 Drops PE files to the document folder of the user 25->95 97 Machine Learning detection for dropped file 25->97 file9 signatures10 process11 process12 30 urok.sfx.exe 28->30         started        34 conhost.exe 28->34         started        file13 63 C:\Users\user\AppData\Local\Temp\...\urok.exe, PE32 30->63 dropped 113 Multi AV Scanner detection for dropped file 30->113 36 urok.exe 30->36         started        signatures14 process15 file16 45 C:\Users\user\AppData\Roaming\svchost.exe, PE32 36->45 dropped 47 C:\Tools.exe, PE32 36->47 dropped 83 Antivirus detection for dropped file 36->83 85 Multi AV Scanner detection for dropped file 36->85 87 Machine Learning detection for dropped file 36->87 89 Drops PE files with benign system names 36->89 40 svchost.exe 36->40         started        signatures17 process18 dnsIp19 67 192.168.8.174, 1644 unknown unknown 40->67 53 C:\...\e706c362819b2b8298ebedae1f9efe49.exe, PE32 40->53 dropped 99 Antivirus detection for dropped file 40->99 101 Multi AV Scanner detection for dropped file 40->101 103 Protects its processes via BreakOnTermination flag 40->103 105 5 other signatures 40->105 file20 signatures21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b/
Threat name:
Win32.Backdoor.DarkComet
Create hunting rule
Status:
Malicious
First seen:
2021-08-15 03:29:21 UTC
File Type:
PE (Exe)
Extracted files:
102
AV detection:
41 of 46 (89.13%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
0fbdb66d81f97c74640af563b58b4d93872ed48a0397754b5c51a5c76d32900c
njrat
26274dd1baa5be91bd6bdb0db48895d89da2a78e6fac273257557de473adc841
njrat
4e5add107e83a073bd97b795409f41a1e0d1b26b8ebecae38f2e1f805a8cdde6
njrat
5fa54622d0d5f5abbeec7e634d6c2d868984e8cfb20b8502757c2df8fe94f7c7
njrat
8c857d02af8759783d34e85f94b4f3a61a8ec6bf687b5d80668814025107466f
njrat
9a9f7ea8a021b5c4e7984076bfe6f0ab42bddb7b50fa18ef0da17c12e8ef95e1
njrat
b484b76186c0e9c0d4f8719978a2235d0f580088562df853c837e296b1d837ed
njrat
bd0d884649509aece899372e0bea6f6dbe833b463e35206753dae69a0bc60632
njrat
ff97bd0b382bcd07b0e71fd6249426a1d1246c52b07edd238eaa64136db737df
njrat
+ 798 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan
Link:
https://tria.ge/reports/210830-zn7d8jmthj/
Behaviour
Modifies registry class
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
SH256 hash:
05948bd9390e71fc8cf7bc5bcde97f99b1efb800916281c95a58bc74437bae54
MD5 hash:
b8e356486d1d3be1e110d1cec6ed1d28
SHA1 hash:
48891d7234ce7c4ea1bb9310291de040e532f940
Link:
https://www.unpac.me/results/8abeaae1-50b4-4130-bd55-0bc68e07bd68/
SH256 hash:
dfe4fc16dcb543f2bb5dc794c58c66b3f397627f21482ee3119d6991ce2645fd
MD5 hash:
64163efcc9ac2c2bd80f1324ec512cc1
SHA1 hash:
88496ee9a6ae507d208489b3778bd578a686422e
Link:
https://www.unpac.me/results/8abeaae1-50b4-4130-bd55-0bc68e07bd68/
Parent samples :
8f255f2f7f73513fc2fc55f04a0c1ceb17b024853720bc359227f33e69a60085
9b4c9c84d6ddc0ef3a817f2b7ea0a126297ccfbaf459f8014da7231523e9a27f
SH256 hash:
56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b
MD5 hash:
97315a68b07a037396f793482dcb17f0
SHA1 hash:
dfa2c6932c334883995ebdcdb2ffaddb65264f60
Link:
https://www.unpac.me/results/8abeaae1-50b4-4130-bd55-0bc68e07bd68/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/56f435a5987f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183622/

Comments