MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6854fa9e5d8612a3323536436768fc4c75d69a98eb68b340f12b606878ab5839. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6854fa9e5d8612a3323536436768fc4c75d69a98eb68b340f12b606878ab5839
SHA3-384 hash: 780a3d305b985d6aecf786aeb28a69acc4430b241d0a3094351e5ad29cb3212b0b50ed8de36e3116627d5f7a79ea5502
SHA1 hash: 874ed7f5ccae35644c064e0d5eb6e4b603dfda7e
MD5 hash: a51f25c88d6c6934d9a916545ed5816a
humanhash: delta-sodium-speaker-hydrogen
File name:6854fa9e5d8612a3323536436768fc4c75d69a98eb68b340f12b606878ab5839
Download: download sample
Signature njrat
Create hunting rule
File size:1'124'864 bytes
First seen:2020-06-10 11:54:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:WZ8wgY3PJtxdOYMOfSxwu1BSnQgN9UtzUy6LTAU:ZdY/LOYJfqwSBzgN9PJT
Threatray 45 similar samples on MalwareBazaar
TLSH 44353347D5E9716AD895ECF8C17F1F21720E4C658AEEE0040E8C63A1B74178EE4A9EDC
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 00:47:38 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nbkpvhs5qyjkgmrvgzbwo2h4jr25nguy5nulgqhrfnqgq6flla4q._file
Verdict:
malicious
Similar samples:
16d8aa3dae24ba03bbc22093b96c73b303646cd7fb9829a857177c0cbe2ca724
njrat
1b735b93727cab4992aff0f4e2905ab57f0e3189b25cc164fb422685e6af70c7
njrat
1fc92ff3532cbd0ec4cae9bbda015ed847f7687758c22ccf59e362f47e6a35cd
njrat
27f7e212954191d2fc10676ad69942421e904a5719cb2001149de2bb38c0610f
njrat
39e4366de58f4ac1d43bd7deaabb516694317397dd1f447d8f19623123083c61
njrat
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
njrat
5d4a8635a8bd54c96eb76c61ba879998437d96bc72557ef2be44183797e49149
njrat
82a92a627eea0fe47fa124940b5c020a557f5a5bcc347851e9d901a2f134ad30
njrat
e3bb8c334350185803b3863f71d6fced186b373e8768bb537e371dff11f74386
njrat
e9b2559e5ba7876b670ecced318041832ffbf732cf41eec6961059d266db7846
njrat
+ 35 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan
Link:
https://tria.ge/reports/201109-h87wnyjs26/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of NtSetInformationThreadHideFromDebugger
Modifies Windows Firewall
njRAT/Bladabindi
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments