MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5f4be5b1118b3a61f72cf7a9647d5542fd52d470be2eec3470f53351a4c9f6ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5f4be5b1118b3a61f72cf7a9647d5542fd52d470be2eec3470f53351a4c9f6ae
SHA3-384 hash: 5f350ba3a986d7f003c344ad628210872469691a76316d0b579d61fa8f55f0fd40fed37ddfef2d03c9d212f9ee50f1df
SHA1 hash: d2325be5d84bd947e8fd4129e31fe75235fa5bd5
MD5 hash: 3db880f713f61cb4e2d8db8bd6a5d110
humanhash: maine-minnesota-fifteen-spring
File name:PaymentDetailsSlip340999.exe
Download: download sample
Signature njrat
Create hunting rule
File size:790'016 bytes
First seen:2022-03-26 11:01:13 UTC
Last seen:2024-07-24 14:57:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:PSzHrOsFpjJFHaQ3TsskGSSO5p+WW0YFyZ7n:PEHrOMpjDHaQ34sLmbYFyZT
Threatray 386 similar samples on MalwareBazaar
TLSH T167F4198D57F81A5BD03D57B09822699083F0EDB67A22C3AD3DC0F8CD6E717D486522A7
File icon (PE):PE icon
dhash icon c4bada9ae8cca4c8 (13 x Formbook, 6 x AgentTesla, 5 x AveMariaRAT)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
185.140.53.176:7678

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.176:7678 https://threatfox.abuse.ch/ioc/453999/

Intelligence

File Origin
# of uploads :
2
# of downloads :
437
Origin country :
n/a
Vendor Threat Intelligence
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258030/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Сreating synchronization primitives
Creating a process with a hidden window
Launching the process to change the firewall settings
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/623ef2b7a19c649412931a1e/reports/73105aa6-e54b-4741-a3e1-c40e32bbfa21/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
OutSteel
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a9ffd64e-9b45-462d-b8e8-1472c605c656
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965076
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/5f4be5b1118b3a61f72cf7a9647d5542fd52d470be2eec3470f53351a4c9f6ae/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-03-26 11:02:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=l5f6lmirrm5gd5zm66uwi7kvil6vfvdqxyxoyndq6uzvdjgj62xa._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
203ad3028bb58a9c55b2e7a55ca52d49b5f91e6259b864f0d8d53de4caf43f80
njrat
2585845349d420cec529b285a268b989ba28f135aa5332d3ce9122bbf53b5ce4
njrat
3612932b02e0e97ec1ddac955833b9e572ca1c2d93fdc12c47e4ac6021459bc9
njrat
776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097
njrat
b23fac3382a51f1910438bce97a602ced4b5509fe28f323cde76a60914d83c8d
njrat
cb8d5adf6f6c6d0da4112ec3216aa856dc0cdf75caaae4c0dfc8049d57900cef
njrat
cdadc76f61382593d88182fc8d09eb68d39c5ecddc5c13e8c45341615bc91b21
njrat
ec744aeae689c95f44a24eb398e65c3a722595de5504db84b2e41488f30a7510
njrat
+ 376 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:mercy_@2022 evasion persistence suricata trojan
Link:
https://tria.ge/reports/220326-m46xkagder/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Modifies Windows Firewall
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
185.140.53.176:7678
Unpacked files
SH256 hash:
c611a6ceb263401ed18ff93961bd6d0cdf8757e48d8e76b13943e85b9d3b5a0b
MD5 hash:
f9b293305bd04eee511c0ffd0e7f29d7
SHA1 hash:
fd981a9537a903422311f582defc1c8fd97248af
Link:
https://www.unpac.me/results/24ee3dae-13e9-4a6b-b634-005c6211ab7c/
SH256 hash:
7d170109f352f251d7ac012882e005b059b0db5ecce7520acf7be2ba8f13792a
MD5 hash:
72403055ee098f50bcc8a238fdbef878
SHA1 hash:
eb5ed9b38f5a23bb00b221acf3f7233aa2e9299d
Link:
https://www.unpac.me/results/24ee3dae-13e9-4a6b-b634-005c6211ab7c/
SH256 hash:
f4f263514346ddca8d7a838aff4e439799c2bd0a2879c4426bcaf5b83460f0e6
MD5 hash:
55f4ae47a8c3e409939d37eabe669870
SHA1 hash:
999f1a288b323bd0e22cb6b3caeb0dbe6e47a35c
Link:
https://www.unpac.me/results/24ee3dae-13e9-4a6b-b634-005c6211ab7c/
SH256 hash:
f1baa7d047ba0676511cdc22401c09423071bdec7bf389143cca553578de1825
MD5 hash:
fa05de66d447475f606fbb891635446e
SHA1 hash:
485dafce059a8144b6764079d08d5e70c41fa3e6
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/24ee3dae-13e9-4a6b-b634-005c6211ab7c/
SH256 hash:
2d3d79965afb82c0bbda90e352e0b6df2f5653b3c35b25e7d3ea57b41c2db350
MD5 hash:
4f55afaccba1ec55a219fe3d6cec6e88
SHA1 hash:
05faf20a5ffc39c76dd84d73015ccf95ea31d19f
Link:
https://www.unpac.me/results/24ee3dae-13e9-4a6b-b634-005c6211ab7c/
SH256 hash:
5f4be5b1118b3a61f72cf7a9647d5542fd52d470be2eec3470f53351a4c9f6ae
MD5 hash:
3db880f713f61cb4e2d8db8bd6a5d110
SHA1 hash:
d2325be5d84bd947e8fd4129e31fe75235fa5bd5
Link:
https://www.unpac.me/results/24ee3dae-13e9-4a6b-b634-005c6211ab7c/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5f4be5b1118b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5f4be5b1118b3a61f72cf7a9647d5542fd52d470be2eec3470f53351a4c9f6ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/258030/

Comments