MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57f7751d3e603698a3a53a30ffc0dff8ba5591f17ecdad8a53e169585c46c041. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57f7751d3e603698a3a53a30ffc0dff8ba5591f17ecdad8a53e169585c46c041
SHA3-384 hash: d581449a03bcfc56a6980fef203e397cb53e2d6c3e9d47dcba2abf667db4f476eb37a168535a6b129d13eb619b212ab3
SHA1 hash: 4d85ae093a2debe548751da9663fae3f78cffac8
MD5 hash: a87870238e81da9579107cac4bacd998
humanhash: east-berlin-bulldog-blue
File name:57f7751d3e603698a3a53a30ffc0dff8ba5591f17ecdad8a53e169585c46c041
Download: download sample
Signature njrat
Create hunting rule
File size:227'724 bytes
First seen:2020-11-09 21:58:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:YsXRmUIMitWqQSse27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwlmE:ZR5I6qQSseGk7RZBGxAycKpSPX2H
Threatray 13 similar samples on MalwareBazaar
TLSH B2245CA534AE6709D93EDBF0D2E520A087B562657216D2BA6C8153EFC051FF11F82C3E
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Bladabindi-6888152-0
Create hunting rule

Win.Packed.Bladabindi-9754048-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Running batch commands
Adding an access-denied ACE
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Launching a service
Using the Windows Management Instrumentation requests
Connection attempt
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Enabling autorun by creating a file
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/527559
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312871 Sample: 9aOdmRUC59 Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus / Scanner detection for submitted sample 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 6 other signatures 2->70 8 9aOdmRUC59.exe 2 8 2->8         started        12 BioIso32.exe 2->12         started        14 BioIso32.exe 2->14         started        16 BioIso32.exe 2->16         started        process3 file4 50 C:\Users\user\AppData\Local\...\BioIso32.exe, PE32 8->50 dropped 52 C:\Users\...\BioIso32.exe:Zone.Identifier, ASCII 8->52 dropped 54 C:\Users\user\AppData\...\BioIso32.exe.config, XML 8->54 dropped 56 C:\Users\user\AppData\...\9aOdmRUC59.exe.log, ASCII 8->56 dropped 80 Creates autostart registry keys with suspicious names 8->80 82 Creates multiple autostart registry keys 8->82 18 BioIso32.exe 26 6 8->18         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        signatures5 process6 dnsIp7 58 213.183.58.4, 5558 MELBICOM-EU-ASMelbikomasUABNL Lithuania 18->58 60 paste.ee 104.18.49.20, 443, 49758, 49759 CLOUDFLARENETUS United States 18->60 62 pastebin.com 104.23.99.190, 443, 49742, 49743 CLOUDFLARENETUS United States 18->62 72 Antivirus detection for dropped file 18->72 74 Machine Learning detection for dropped file 18->74 76 Creates autostart registry keys with suspicious names 18->76 78 3 other signatures 18->78 26 InstallUtil.exe 18->26         started        28 InstallUtil.exe 18->28         started        30 schtasks.exe 18->30         started        32 InstallUtil.exe 18->32         started        34 conhost.exe 22->34         started        36 timeout.exe 1 22->36         started        38 conhost.exe 24->38         started        signatures8 process9 process10 40 conhost.exe 26->40         started        42 WerFault.exe 26->42         started        44 conhost.exe 28->44         started        46 dw20.exe 28->46         started        48 conhost.exe 30->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57f7751d3e603698a3a53a30ffc0dff8ba5591f17ecdad8a53e169585c46c041/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 22:38:47 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
15071bdf001b79677f38d1b651cca6f927e70b6c66157f66ac657072d723f573
njrat
64b7b062f8401c3f9e0ac8f3e69ac32631c63ce7b3e3739fc529fa1f4ae0c969
njrat
661f94e6edb8ac51fd9b7831a45102586aec2fb596ca799c709b806784ff0785
njrat
7b8c7be74749118c2a7a7b2f5c41928d6c06bdaa681f722f2881c217327bf638
njrat
8edd45d95ae4f7ab272e2227ec7171aa0d484a98fd9c5c954b083e9eb4b947d1
njrat
c061b5ba7a5e9af64dd8b3f76ef80237e1ba2f0ae9e3848633224d70dc9dfe62
njrat
c53777452d448f4fdaa1402df21addddc91212f822f96f2f13d151eba6484776
njrat
c6205517e8d96bdef8b86628b0fea0f5e8e680fd56f3b6d83365e0b342eb03ab
njrat
dd14a1096956425515cd7231df84a23f3b8a99aacd272d10994c592404d46ca2
njrat
e85dd1e7ab0b26928c8f917ff0849e745d975c97a9391171ea7218983e441eb3
njrat
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware
Link:
https://tria.ge/reports/201109-11rbnqdw7j/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57f7751d3e603698a3a53a30ffc0dff8ba5591f17ecdad8a53e169585c46c041

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments