MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6064b14a4a3ebeb7fdadfcc8b07a100818ada8f6697741011daadb9897c3a487. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6064b14a4a3ebeb7fdadfcc8b07a100818ada8f6697741011daadb9897c3a487
SHA3-384 hash: 1d3e2232bbb524ae6a6abee25c014f2612b6e3c8f9de20aa5cabb45b65d5e415a2bcbfc53757e59bf2fbdd05e8015fbe
SHA1 hash: 3a77b2c1d6c7810f259981f42a1bad4953d05bfe
MD5 hash: 1d76d020ecf691ea9c6584417925674b
humanhash: mango-queen-quebec-march
File name:6064B14A4A3EBEB7FDADFCC8B07A100818ADA8F669774.exe
Download: download sample
Signature njrat
Create hunting rule
File size:3'421'696 bytes
First seen:2022-04-27 17:31:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:hy3JcY/9DLY/9DLY/9DLY/9DLY/9DLY/9DLY/9D2Y/9D96Y/9DLY/9DLY/9DLY/2:ycEEEEEED86EEEE0n
Threatray 405 similar samples on MalwareBazaar
TLSH T133F512377658862BEA0652F2E5DF8A150FB01EE16D67E31E39D0B28C0537B0F416CE66
TrID 69.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.9% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f9fc96cae0d87182 (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
91.109.188.5:5050

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.109.188.5:5050 https://threatfox.abuse.ch/ioc/536876/

Intelligence

File Origin
# of uploads :
1
# of downloads :
486
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
6064b14a4a3ebeb7fdadfcc8b07a100818ada8f6697741011daadb9897c3a487.exe
Verdict:
Malicious activity
Analysis date:
2022-04-27 17:40:13 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/a5016728-0867-4e4d-a14e-1aa793e72a9c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/267292/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi control.exe packed replace.exe wacatac
Link:
https://www.filescan.io/uploads/62697df02b32b1c37c66e290/reports/57b510a5-faef-4678-b36e-2951af3cd186/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ed4cacd3-824d-47c8-bf70-231d742aca8d
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/984262
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6064b14a4a3ebeb7fdadfcc8b07a100818ada8f6697741011daadb9897c3a487/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-05-25 06:51:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
35
AV detection:
23 of 42 (54.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mbslcsskh27lp7nn7tela6qqbamk3khwnf3ucai5vlnzrf6dusdq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
0ad5771ab84889b68b251e5c841897b898e0486e8f13bb0c923c2db653a0c9c3
njrat
0b81cdf0c7b3ffe1fc09dcc87cb07dbd5ea662517d783f6481886720e368610e
njrat
125e065a5c11e10344ddc8ea6ba20a423a25903539a028fff1dfef3280dd23c1
njrat
1754083e0d13347475732a3d6318f7751877965d537766ec5ab2c905520365c3
njrat
6064b14a4a3ebeb7fdadfcc8b07a100818ada8f6697741011daadb9897c3a487
njrat
a418d42bd0343460ebca4a5613f041089de955c47a0f73d4b01c162f7fb88201
njrat
b34995ccc278079c90c5b876aec791c11bb42bad62105f284c4177b5c2b38dbe
njrat
bf60761b6dde56e007538e10e5b6946f63356c9f6c3c8cb5b2f2e16e055383aa
njrat
+ 395 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat suricata trojan
Link:
https://tria.ge/reports/220427-v39wtsehh6/
Behaviour
Suspicious use of AdjustPrivilegeToken
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
milla.publicvm.com:5050
Unpacked files
SH256 hash:
ddb5aa276ac25317e63dc0a234f69950c782ab42a12734f388ed2a58f923684c
MD5 hash:
49d4a951033d38a9d030c0264f45b260
SHA1 hash:
e6c2df0dc361d5abdaecd36e8187db98ff3b6c19
Link:
https://www.unpac.me/results/91886af6-73a6-45eb-a19f-1f489d453672/
SH256 hash:
6064b14a4a3ebeb7fdadfcc8b07a100818ada8f6697741011daadb9897c3a487
MD5 hash:
1d76d020ecf691ea9c6584417925674b
SHA1 hash:
3a77b2c1d6c7810f259981f42a1bad4953d05bfe
Link:
https://www.unpac.me/results/91886af6-73a6-45eb-a19f-1f489d453672/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6064b14a4a3e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/6064b14a4a3ebeb7fdadfcc8b07a100818ada8f6697741011daadb9897c3a487

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/267292/

Comments