MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64b7b062f8401c3f9e0ac8f3e69ac32631c63ce7b3e3739fc529fa1f4ae0c969. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64b7b062f8401c3f9e0ac8f3e69ac32631c63ce7b3e3739fc529fa1f4ae0c969
SHA3-384 hash: 9440ad330f40dfb3f36ef37a7d9a5e20b324a29143c9752e0e80aa9be3a99c2474cf3005b32dd74583f6a8e0c791e470
SHA1 hash: 3fb185d1d02fa9f9e7422e165f6d7a3c93565e61
MD5 hash: 4fd16ec9f813f1763740687203f2d93b
humanhash: nevada-early-mockingbird-alaska
File name:64b7b062f8401c3f9e0ac8f3e69ac32631c63ce7b3e3739fc529fa1f4ae0c969
Download: download sample
Signature njrat
Create hunting rule
File size:227'760 bytes
First seen:2020-11-09 21:58:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:YsXRmUIMit3qQJZe27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwlmM:ZR5IDqQJZeGk7RZBGxAycKpSPX2/
Threatray 11 similar samples on MalwareBazaar
TLSH BE245CA534AE6709D93EDBF0D2E520A087B562657216D2BA6C8153EFC051FF11F82C3E
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Bladabindi-6888152-0
Create hunting rule

Win.Packed.Bladabindi-9754048-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Running batch commands
Adding an access-denied ACE
DNS request
Launching a process
Sending an HTTP GET request
Enabling the 'hidden' option for recently created files
Sending a custom TCP request
Launching a service
Using the Windows Management Instrumentation requests
Connection attempt
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Enabling autorun by creating a file
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/527550
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 312866 Sample: hFs3ZIoyjV Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 85 Malicious sample detected (through community Yara rule) 2->85 87 Antivirus detection for dropped file 2->87 89 Antivirus / Scanner detection for submitted sample 2->89 91 8 other signatures 2->91 8 hFs3ZIoyjV.exe 2 8 2->8         started        12 hFs3ZIoyjV.exe 2->12         started        14 hFs3ZIoyjV.exe 2->14         started        16 5 other processes 2->16 process3 dnsIp4 59 C:\Users\user\AppData\...\loghours32.exe, PE32 8->59 dropped 69 3 other malicious files 8->69 dropped 101 Creates autostart registry keys with suspicious names 8->101 103 Creates multiple autostart registry keys 8->103 19 loghours32.exe 26 6 8->19         started        23 cmd.exe 1 8->23         started        25 cmd.exe 1 8->25         started        61 C:\Users\user\AppData\...\luainstall32.exe, PE32 12->61 dropped 71 2 other malicious files 12->71 dropped 27 luainstall32.exe 12->27         started        29 cmd.exe 12->29         started        31 cmd.exe 12->31         started        73 3 other malicious files 14->73 dropped 33 AppointmentActivation32.exe 14->33         started        35 cmd.exe 14->35         started        37 cmd.exe 14->37         started        77 192.168.2.1 unknown unknown 16->77 63 C:\Users\user\AppData\...\mfc120chs32.exe, PE32 16->63 dropped 65 Windows.Internal.S...gationsBroker32.exe, PE32 16->65 dropped 67 C:\Users\user\AppData\Local\...\KBDNE32.exe, PE32 16->67 dropped 75 6 other malicious files 16->75 dropped file5 signatures6 process7 dnsIp8 79 213.183.58.4, 5558 MELBICOM-EU-ASMelbikomasUABNL Lithuania 19->79 81 paste.ee 104.18.48.20, 49747, 80 CLOUDFLARENETUS United States 19->81 83 3 other IPs or domains 19->83 93 Antivirus detection for dropped file 19->93 95 Machine Learning detection for dropped file 19->95 97 Creates autostart registry keys with suspicious names 19->97 99 3 other signatures 19->99 39 schtasks.exe 19->39         started        51 2 other processes 19->51 41 conhost.exe 23->41         started        43 timeout.exe 1 23->43         started        45 conhost.exe 25->45         started        53 2 other processes 29->53 47 conhost.exe 31->47         started        55 2 other processes 35->55 49 conhost.exe 37->49         started        signatures9 process10 process11 57 conhost.exe 39->57         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64b7b062f8401c3f9e0ac8f3e69ac32631c63ce7b3e3739fc529fa1f4ae0c969/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-09 22:38:50 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
15071bdf001b79677f38d1b651cca6f927e70b6c66157f66ac657072d723f573
njrat
57f7751d3e603698a3a53a30ffc0dff8ba5591f17ecdad8a53e169585c46c041
njrat
661f94e6edb8ac51fd9b7831a45102586aec2fb596ca799c709b806784ff0785
njrat
7b8c7be74749118c2a7a7b2f5c41928d6c06bdaa681f722f2881c217327bf638
njrat
8edd45d95ae4f7ab272e2227ec7171aa0d484a98fd9c5c954b083e9eb4b947d1
njrat
b6d839d0fd381a0996c85002c76a763ecb400e44f81fee8d61efe80da6275a81
njrat
c061b5ba7a5e9af64dd8b3f76ef80237e1ba2f0ae9e3848633224d70dc9dfe62
njrat
c53777452d448f4fdaa1402df21addddc91212f822f96f2f13d151eba6484776
njrat
c6205517e8d96bdef8b86628b0fea0f5e8e680fd56f3b6d83365e0b342eb03ab
njrat
dd14a1096956425515cd7231df84a23f3b8a99aacd272d10994c592404d46ca2
njrat
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware
Link:
https://tria.ge/reports/201109-ln1xyjgzw2/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Modifies visiblity of hidden/system files in Explorer
Modifies WinLogon for persistence
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64b7b062f8401c3f9e0ac8f3e69ac32631c63ce7b3e3739fc529fa1f4ae0c969

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments