MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b2aaf907d381d79113a93c07fee81136c9a92f80a6e0f9fe131885ede71cac7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b2aaf907d381d79113a93c07fee81136c9a92f80a6e0f9fe131885ede71cac7
SHA3-384 hash: 2f0c906323e31493e04c9c588ce8d0e08993ab4d77c65597f7aa916f5c59e633c6e47d3aaa481aff3a20bed8e8064bf4
SHA1 hash: 79753aefa40e4fd3defdb19f5f16059b7c05dad2
MD5 hash: cc2a4f463539b9bac0eeb2146287b212
humanhash: kansas-lithium-item-one
File name:5B2AAF907D381D79113A93C07FEE81136C9A92F80A6E0.exe
Download: download sample
Signature njrat
Create hunting rule
File size:4'774'912 bytes
First seen:2022-02-27 02:25:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 49152:pOp6jL4AjL4AjL4AjL4AjL4AjL4AjL4AjL4AjL4AjL4AjL4AjL4AjL4AjL4AjL4m:pOp6jbbbbbbbbbbbbbbbbbUH
Threatray 242 similar samples on MalwareBazaar
TLSH T13A261247B0099712C9492B7356C3F7B823B6B65265BBD31A2F7CBB884885FBF4411836
File icon (PE):PE icon
dhash icon 8e0b196666490f8e (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
91.109.184.8:5050

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.109.184.8:5050 https://threatfox.abuse.ch/ioc/391105/

Intelligence

File Origin
# of uploads :
1
# of downloads :
395
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/245027/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi control.exe packed razy replace.exe
Link:
https://www.filescan.io/uploads/621ae13db94fb38cb415f667/reports/4ef8e5c7-c408-4363-b167-7dcfafdc65ab/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/946812
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b2aaf907d381d79113a93c07fee81136c9a92f80a6e0f9fe131885ede71cac7/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-12-30 00:18:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
31
AV detection:
25 of 43 (58.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmvk7ed5haoxsej2spah73ubcnwjvexybjxa7h7bggef5xtrzldq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
0b81cdf0c7b3ffe1fc09dcc87cb07dbd5ea662517d783f6481886720e368610e
njrat
2e1e9dc01c05b755778e10b0e6243051b3fd5265d82e1bc2017b0eca568e36bf
njrat
7fe467ef6f392039c0ce5edaadf85c19a8406a0b0b7332131e2b2ddc9f074bb6
njrat
8e38c9ed504d812b26fa8f6c5217127fdfa945da4ac74ebedbade7287fafd062
njrat
9492eb7a5698503c91c7b153d07c0f86585c00472b1ec3277aea43c1489201b4
njrat
ac42965215afb055c4135cc87288be3f2aaff848972634fbaed4c365e112af43
njrat
d32c2c7ba858b6fea5e943b58247a9c8bc8437966d7e682085ab150e18101b8e
njrat
+ 232 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata
Link:
https://tria.ge/reports/220227-cwwfrachgn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Unpacked files
SH256 hash:
b022857c17797f0d60c0edb4c0c66585d2821f82e725e4b29e6b2c237b5357be
MD5 hash:
385447cc2b694551af9710dc8d891567
SHA1 hash:
220ca5eb66f715089e59d14f3c71808f1496885d
Link:
https://www.unpac.me/results/bc246c9d-f2ba-4964-afbc-eae6fac0bfa2/
SH256 hash:
5b2aaf907d381d79113a93c07fee81136c9a92f80a6e0f9fe131885ede71cac7
MD5 hash:
cc2a4f463539b9bac0eeb2146287b212
SHA1 hash:
79753aefa40e4fd3defdb19f5f16059b7c05dad2
Link:
https://www.unpac.me/results/bc246c9d-f2ba-4964-afbc-eae6fac0bfa2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/5b2aaf907d381d79113a93c07fee81136c9a92f80a6e0f9fe131885ede71cac7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/245027/

Comments