MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67e66644ba3666cda9f16e669e5beb2469dfebc3bf750d1eb26dd87672a03eff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 6



SHA256 hash: 67e66644ba3666cda9f16e669e5beb2469dfebc3bf750d1eb26dd87672a03eff
SHA3-384 hash: ade5a87317f7de0beae36636b058d56c8bfe8ef47480fa81b4dadcc0fdcc5cc18bd96eeeccf18e9a5149a6802b51220a
SHA1 hash: b18e0a2acd6bd87bb0b3e926058bc609eea6d839
MD5 hash: f32e7d2da8606cc223fe28b867af2aaf
humanhash: mars-harry-five-illinois
File name: 67e66644ba3666cda9f16e669e5beb2469dfebc3bf750d1eb26dd87672a03eff
Signature njrat
File size: 227'652 bytes
First seen: 2020-11-13 15:17:04 UTC
Last seen: 2024-07-24 15:18:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:YsXRmUIMiteqQbZe27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwBm0:ZR5IqqQbZeGk7RZBGxAycKpSPX2j
TLSH E9245CA534AE6709D93EDBF0D2E520A087B562657216D2BA6C8153EFC051FF11F82C3E
Reporter seifreed
Tags: NjRAT

Intelligence


File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Running batch commands
Adding an access-denied ACE
DNS request
Launching a process
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Launching a service
Using the Windows Management Instrumentation requests
Connection attempt
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Status:
Malicious
First seen:
2020-11-13 15:17:52 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Unpacked files
SHA256 hash:
67e66644ba3666cda9f16e669e5beb2469dfebc3bf750d1eb26dd87672a03eff
MD5 hash:
f32e7d2da8606cc223fe28b867af2aaf
SHA1 hash:
b18e0a2acd6bd87bb0b3e926058bc609eea6d839
SHA256 hash:
8d36523c3497a55bec68581e9ebd086937041ae8b08333714579e4d0613f32f4
MD5 hash:
274b30068e67778e7456136912e20a9a
SHA1 hash:
668d1d93131b809b36533ee3878d2fbf89bc4640
Detections:
win_njrat_w1 win_njrat_g1
Parent samples :
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method
Other
