MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5bf23d17dde3b16d144bb5f163de6668e8417ca0413ea3c452c98471ea4b5a07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	5bf23d17dde3b16d144bb5f163de6668e8417ca0413ea3c452c98471ea4b5a07
SHA3-384 hash:	25e97dafbb95bbf3670da0171effedd33c8c1b59edcea08e475dec913562a1e74e9a9e5d1cf0dbb2f2630b9e26d35bfd
SHA1 hash:	4bbca8de8ff9f1a6ce6427a082e072826df6d2fe
MD5 hash:	56e36007e69bf07cfd244cb8d4ea1768
humanhash:	idaho-oscar-july-montana
File name:	5bf23d17dde3b16d144bb5f163de6668e8417ca0413ea3c452c98471ea4b5a07
Download:	download sample
Signature	njrat Create hunting rule
File size:	218'028 bytes
First seen:	2021-02-28 07:05:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:NNTPPR/nHf11Ic29P6sOQUngn0J7L15il28uoZ1s6KAQxdbVrn87c+3nVcXODCQx:/Rv0Vkfngn09L1alVM2RH
Threatray	13 similar samples on MalwareBazaar
TLSH	44247CDE3BD8CC41D161BBB8172696F05E37ED182642E3A2E8A1753F983F7493856603
Reporter	JAMESWT_WT
Tags:	NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5bf23d17dde3b16d144bb5f163de6668e8417ca0413ea3c452c98471ea4b5a07

Verdict:

Malicious activity

Analysis date:

2021-02-28 09:38:26 UTC

Tags:

rat njrat bladabindi

Link:

https://app.any.run/tasks/d4ed4864-2d33-464c-a337-7cf746d14df7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/119755/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Sending a UDP request

Creating a process with a hidden window

Creating a window

Connection attempt

Launching the process to change the firewall settings

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Njrat

Detection:

malicious

Classification:

troj.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/621234

Signature

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/5bf23d17dde3b16d144bb5f163de6668e8417ca0413ea3c452c98471ea4b5a07/

Threat name:

ByteCode-MSIL.Trojan.Johnnie

Status:

Malicious

First seen:

2021-02-26 07:57:00 UTC

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat evasion trojan

Link:

https://tria.ge/reports/210228-eswrk4ntqe/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Modifies Windows Firewall

njRAT/Bladabindi

Unpacked files

SH256 hash:

50c4057560f42b2cb6aaf2c93185234565379e9eaac89a55784e38b591a92602

MD5 hash:

00259f318fe59bf0a422278aa55b51f4

SHA1 hash:

e38f909c5640435b49d072612973b65a7623cc9f

Detections:

win_njrat_w1

win_njrat_g1

Link:

https://www.unpac.me/results/ba0639af-16f4-4a6f-98ef-27819a66b990/

Parent samples :

5bf23d17dde3b16d144bb5f163de6668e8417ca0413ea3c452c98471ea4b5a07
7bb2d03443f9d9cbd077e00e6641bba83adc53d9cb733eb8d07fe933d74b7038
bbc467be402fa10957b329f79484dd0dfbf30ca52ed4275f0fa2085807786f5a
6e16130863853ebf7591d38237a24a6b2689eb4c40f04d51f18d730d6e03cb97

SH256 hash:

572ac1807d7bf08e3a25837a27bc08af7abffb4e8c1016801e24ab81c9c79925

MD5 hash:

ebff06526552f2a2ff20b2c5b6acd976

SHA1 hash:

de4740f162722aa8c6a05a1fe111b1357d8b591a

Link:

https://www.unpac.me/results/ba0639af-16f4-4a6f-98ef-27819a66b990/

SH256 hash:

5bf23d17dde3b16d144bb5f163de6668e8417ca0413ea3c452c98471ea4b5a07

MD5 hash:

56e36007e69bf07cfd244cb8d4ea1768

SHA1 hash:

4bbca8de8ff9f1a6ce6427a082e072826df6d2fe

Link:

https://www.unpac.me/results/ba0639af-16f4-4a6f-98ef-27819a66b990/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/5bf23d17dde3b16d144bb5f163de6668e8417ca0413ea3c452c98471ea4b5a07

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/119755/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample