MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61322bfef06e7fda9e84ad05a402f63f3ece7013120081ca2d3cdbfd4cfbc807. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61322bfef06e7fda9e84ad05a402f63f3ece7013120081ca2d3cdbfd4cfbc807
SHA3-384 hash: 1bd097fbdad3d680b4e107bb6dc2a533988c22a5818aa06ef7d82d082842f1b13ccacd6d167189ed4f811ca56bf9ffb7
SHA1 hash: 89c54d4fbf67f8b9a98532eae5bfc60b18cf581a
MD5 hash: c8d3124da2597ed5622840c8129bd6f6
humanhash: rugby-texas-skylark-freddie
File name:Server.bin
Download: download sample
Signature njrat
Create hunting rule
File size:44'544 bytes
First seen:2020-07-27 06:55:00 UTC
Last seen:2020-07-27 14:11:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 768:Gpn3Uzypt/1s4bLaDyixY1Fp/5Nb0p3zKnY/iPWS5eaNWLN323g9NKXMcA58VN77:Op1JRDKkQfNsA58VIwAy9b
Threatray 21 similar samples on MalwareBazaar
TLSH F913B88F23984A21C7FCA7744911D31553F2F2874993CB5E0CFE84EA1B3BB564A9B192
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
272
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Bladabindi
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32691/
Detection(s):
Win.Worm.Njrat-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Creating a window
Connection attempt
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Enabling autorun with Startup directory
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/398318
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 251350 Sample: Server.bin Startdate: 27/07/2020 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 Antivirus / Scanner detection for submitted sample 2->53 55 9 other signatures 2->55 8 Server.exe 2 6 2->8         started        11 Trojan.exe 3 2->11         started        13 Trojan.exe 4 2->13         started        15 2 other processes 2->15 process3 file4 37 C:\Users\user\AppData\Roaming\Trojan.exe, PE32 8->37 dropped 39 C:\Users\user\...\Trojan.exe:Zone.Identifier, ASCII 8->39 dropped 41 C:\Users\user\AppData\...\Server.exe.log, ASCII 8->41 dropped 17 Trojan.exe 2 8 8->17         started        43 C:\...\8515eb34d8f9de5af815466e9715b3e5.exe, PE32 11->43 dropped 45 8515eb34d8f9de5af8...exe:Zone.Identifier, ASCII 11->45 dropped 21 netsh.exe 11->21         started        23 netsh.exe 3 13->23         started        25 netsh.exe 3 15->25         started        process5 dnsIp6 47 81.233.44.103, 4789 TELIANET-SWEDENTeliaCompanySE Sweden 17->47 57 Antivirus detection for dropped file 17->57 59 Multi AV Scanner detection for dropped file 17->59 61 Protects its processes via BreakOnTermination flag 17->61 63 3 other signatures 17->63 27 netsh.exe 3 17->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        signatures7 process8 process9 35 conhost.exe 27->35         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61322bfef06e7fda9e84ad05a402f63f3ece7013120081ca2d3cdbfd4cfbc807/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-07-26 17:57:15 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
08c0375aa494984e77ec6a082f10b27cf45f7ca08ad1bf2c4c7d4119d41a88af
njrat
427cd95b40839381c01dc0068f8cfc034233433427c4a900764edd514e25178e
njrat
6c5e34494f32f76c2a457fe7851f9fc315893aeb6f2d0429cac255a0f7b67732
njrat
829b1692fc4e793cb91c90819394154e7cce1e0e2f5f7f2d9ee68c4cfeabdc92
njrat
a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
njrat
bccacb3d4d94bf0ffbe0b2ff26d4de7bdb0b400fbf88ad2894371c066a17480e
njrat
c5d7176d2929750e2c3706f1cf41a356e7bf132ca4fcd994796e9f913b0a2fa3
njrat
d7dd8e9fd6df14a7fe0bd6bc01c453105676db1932d1c26497a20c44d99a77e9
njrat
e131a045dc4874ee4eed8e75af0faeecaf86a80e18f13b9845a8b6f57686beec
njrat
ebda3d0f42a337880c4b2d262730986e20abcfda2b66f6d91f0ec82d5607552d
njrat
+ 11 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence evasion
Link:
https://tria.ge/reports/200727-8vsgr4mspe/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies service
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Drops startup file
Drops startup file
Modifies Windows Firewall
Executes dropped EXE
Executes dropped EXE
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61322bfef06e7fda9e84ad05a402f63f3ece7013120081ca2d3cdbfd4cfbc807

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32691/

Comments