MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5d4a8635a8bd54c96eb76c61ba879998437d96bc72557ef2be44183797e49149. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 4


Intelligence 4 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5d4a8635a8bd54c96eb76c61ba879998437d96bc72557ef2be44183797e49149
SHA3-384 hash: 58eb486a9dd720a355c38374038fdb4d7d118cdcbaaa9c09ac2797d67d98437ba0b4a84ba19491ea4887e86d012ed237
SHA1 hash: b2de62f0537a78d13a1dd9a9e2034b88d044abee
MD5 hash: c3b23483c06f76fefd5488888d71e3d6
humanhash: connecticut-uranus-salami-low
File name:5d4a8635a8bd54c96eb76c61ba879998437d96bc72557ef2be44183797e49149
Download: download sample
Signature njrat
Create hunting rule
File size:1'200'128 bytes
First seen:2020-06-17 08:59:12 UTC
Last seen:2020-06-25 10:44:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:+ZZPJ4y9ugi9joTTAMBJ0SattxcN5qoSU82fqkSs/O+u7kUL1f8AIGlGZ:IPmjoPA8JJajgqd6/SdoUp8nQo
Threatray 27 similar samples on MalwareBazaar
TLSH 06453343469ECDBEE9386EB50C15854E491D63B8EF07AE22078319BCDF6EDDA3148076
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19250/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43349562.25458.23866.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 19:32:52 UTC
File Type:
PE (Exe)
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lvfimnnixvkms3vxnrq3vb4ztbbx3fv4ojkx54v6iqmdpf7esfeq._file
Verdict:
suspicious
Similar samples:
16d8aa3dae24ba03bbc22093b96c73b303646cd7fb9829a857177c0cbe2ca724
njrat
1b735b93727cab4992aff0f4e2905ab57f0e3189b25cc164fb422685e6af70c7
njrat
1fc92ff3532cbd0ec4cae9bbda015ed847f7687758c22ccf59e362f47e6a35cd
njrat
27f7e212954191d2fc10676ad69942421e904a5719cb2001149de2bb38c0610f
njrat
39e4366de58f4ac1d43bd7deaabb516694317397dd1f447d8f19623123083c61
njrat
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
njrat
6854fa9e5d8612a3323536436768fc4c75d69a98eb68b340f12b606878ab5839
njrat
82a92a627eea0fe47fa124940b5c020a557f5a5bcc347851e9d901a2f134ad30
njrat
d6f0bfa0aa9e2b9004d36f51fff20f947adbaa6bbb7fffdde1fc37d105fa7257
njrat
e9b2559e5ba7876b670ecced318041832ffbf732cf41eec6961059d266db7846
njrat
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence evasion
Link:
https://tria.ge/reports/200624-cw6h2jzrle/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run entry to start application
Loads dropped DLL
Drops startup file
Modifies Windows Firewall
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_Honker__builder_shift_SkinH
Create hunting rule
Author:Florian Roth
Description:Sample from CN Honker Pentest Toolset - from files builder.exe, shift.exe, SkinH.exe
Reference:Disclosed CN Honker Pentest Toolset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/19250/

Comments