MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a26df22cb05dc2e18cff91e23ca17faa373533c96b0aae17fc85212a9153568. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a26df22cb05dc2e18cff91e23ca17faa373533c96b0aae17fc85212a9153568
SHA3-384 hash: 2c9b32ede76d0c40e3db09f3936fdfa04d58f7492a625bfebf2e700b52d599c6b1a4a5cc338fe67136ac3254f1346f2c
SHA1 hash: d49c63a1bbb200cff28851fdcec5443063f9bb5d
MD5 hash: 76455a480bdf074578b9e8f19687e941
humanhash: mississippi-don-spring-black
File name:Meatspin.exe
Download: download sample
Signature njrat
Create hunting rule
File size:8'379'904 bytes
First seen:2021-11-28 15:46:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5d9d937853db8b666bd4b525813d7bd (41 x DCRat, 28 x njrat, 5 x RedLineStealer)
ssdeep 196608:IMRrGqRGIomlwRcwqSAGhBR3hyqavP+VONamWLsfiIOaglOHgU9G:JqPjZRcwqzGhBvxI4mWLZPagD
TLSH T19F862297EAF92124D9B40478D8FD9522699D7E3CE862E743C4C46FBB36331438B846E4
File icon (PE):PE icon
dhash icon 70e4b2b2b2b2d470 (1 x njrat, 1 x RevengeRAT)
Reporter tech_skeech
Tags:exe KeyBase NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Meatspin.exe
Verdict:
Malicious activity
Analysis date:
2021-11-28 15:39:03 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/508f8536-76de-4bf3-a973-5ecddcbf6743

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Poison-8692
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %AppData% directory
DNS request
Creating a process with a hidden window
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed poison xorist
Link:
https://www.filescan.io/uploads/61a3a478c4c5314148205531/reports/a88dea6c-4629-46f1-9cbf-da6124741394/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
KeyBase
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/456ecf1e-4c2e-44e5-a8f6-e5d9d6f7776a
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/897430
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Detected njRat
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 529908 Sample: Meatspin.exe Startdate: 28/11/2021 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 13 other signatures 2->58 9 Meatspin.exe 10 2->9         started        13 smss.exe 2 2->13         started        15 smss.exe 2 2->15         started        17 smss.exe 2 2->17         started        process3 file4 44 C:\Users\user\AppData\Local\Temp\smss.exe, PE32 9->44 dropped 46 C:\Users\user\AppData\Local\...\meatspin.exe, PE32 9->46 dropped 68 Drops PE files with benign system names 9->68 19 smss.exe 1 5 9->19         started        23 meatspin.exe 20 8 9->23         started        signatures5 process6 file7 34 C:\Users\user\AppData\Roaming\smss.exe, PE32 19->34 dropped 60 Antivirus detection for dropped file 19->60 62 Multi AV Scanner detection for dropped file 19->62 64 Machine Learning detection for dropped file 19->64 66 Drops PE files with benign system names 19->66 25 smss.exe 4 5 19->25         started        36 C:\Users\user\AppData\Local\...\mp3flt.sft, PE32 23->36 dropped 38 C:\Users\user\AppData\Local\...\mmfs2.dll, PE32 23->38 dropped 40 C:\Users\user\AppData\Local\...\mmf2d3d9.dll, PE32 23->40 dropped 42 C:\Users\user\AppData\Local\...\mmf2d3d8.dll, PE32 23->42 dropped signatures8 process9 dnsIp10 50 31.202.217.240, 25565, 49750, 49793 FORMAT-TV-ASUA Ukraine 25->50 48 C:\...\3135453d699962dfe8207d8121f308f4.exe, PE32 25->48 dropped 70 Antivirus detection for dropped file 25->70 72 Protects its processes via BreakOnTermination flag 25->72 74 Machine Learning detection for dropped file 25->74 76 4 other signatures 25->76 30 netsh.exe 1 3 25->30         started        file11 signatures12 process13 process14 32 conhost.exe 30->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a26df22cb05dc2e18cff91e23ca17faa373533c96b0aae17fc85212a9153568/
Threat name:
Win32.Trojan.VBinder
Create hunting rule
Status:
Malicious
First seen:
2021-11-28 15:47:31 UTC
File Type:
PE (Exe)
Extracted files:
20
AV detection:
28 of 28 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nitn6iwlaxoc4ggp7epchsqx7krxguz4s2ykvyl7zbjbfkivgvua._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:}|{eptba evasion persistence suricata trojan
Link:
https://tria.ge/reports/211128-s77wxshgbq/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)
Malware Config
C2 Extraction:
31.202.217.240:25565
Unpacked files
SH256 hash:
d1cbcc627311be3171d8afacbb72e01463eac1f37cb22af96c4f91fed98e31f6
MD5 hash:
1d17b39e2b6f34249c4c454cee8cc727
SHA1 hash:
7c707204e2305d5dac0226ca7c4353680e1002e0
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
SH256 hash:
c0d56cefb509e5600ac6b430adcaf53b81881d3fff4e62b7ede158d66d826622
MD5 hash:
4cf7bb74d8104280b7e986f4df21109d
SHA1 hash:
edc21a43136afddbf4786593e84b934d40591b74
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
SH256 hash:
a7ca5e99991386bc950f54949a6c5557f978fd057a84cc5e1ffbe0ea1d8b5215
MD5 hash:
7c46f1d4a990a29cc8096077a074f02f
SHA1 hash:
0d668d6d9417fb855d8b9aa3d47b3cb1bdd2f125
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
SH256 hash:
d653915a902b4be898af8df094de20648e0e1f98a6f464ac89e771a8fe6f7a21
MD5 hash:
fa84cf5d8db5af976c266ff98f53085b
SHA1 hash:
bec20bd226b0f7a4eaf909a13b8876a728a3659f
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
SH256 hash:
46c489a827f26f765f40281ebaaa9f86ceb3d8db896d5960b640e77b21b46270
MD5 hash:
2d615f7c5d49968dceb1bc7531e83602
SHA1 hash:
a42a6a2bf8b70f9bf35ca7a1b6e29a3f8c81a48a
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
SH256 hash:
5f36475f96505551be6e56475ea98e007bb43d69bf02b28425aa5bec57a350e4
MD5 hash:
13624bcccc1f5b446b6d5d808383764d
SHA1 hash:
78e8b81e8932cd4c7ef972d227d74c58d04c3279
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
SH256 hash:
0b03af03730769b505f1994782c8faafd6d8a575efddb211bd3c74f070518e8a
MD5 hash:
dd855b24cb1d0a087ce1bd810b01fec3
SHA1 hash:
588a4905894f71b22f0f2729173f50720daac674
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
SH256 hash:
25bdeae40388bbc87ca1b86274cda33dc666c1a76dcfd8310b318aef60d8c4c4
MD5 hash:
ab46be5efac71355c8670e2eaadbb5de
SHA1 hash:
4c79a9b84ef27289ec76028230e4c3321b0ec06c
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
SH256 hash:
261ba22b23d3466269e488d7a2546306db88f06dd12a3bf4c21807e98bd611f1
MD5 hash:
7aa15b4d69682a6eddfabdca6e42a9e8
SHA1 hash:
3e52c793a63eb46da007124c037afe4149634333
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
SH256 hash:
d2f3e2b40be4fa65f5da6567ce81df5fd1bc9ce367e0b14f332fc96cdf0912c5
MD5 hash:
ed60d74f905ff5efa2239c8173170b47
SHA1 hash:
02c86e85865d15b3fed648d0a442d027c3ba3bc1
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
SH256 hash:
6a26df22cb05dc2e18cff91e23ca17faa373533c96b0aae17fc85212a9153568
MD5 hash:
76455a480bdf074578b9e8f19687e941
SHA1 hash:
d49c63a1bbb200cff28851fdcec5443063f9bb5d
Link:
https://www.unpac.me/results/bcda411d-2dc0-4696-8911-d7bb786f40bd/
Malware family:
njRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6a26df22cb05/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/6a26df22cb05dc2e18cff91e23ca17faa373533c96b0aae17fc85212a9153568

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 6a26df22cb05dc2e18cff91e23ca17faa373533c96b0aae17fc85212a9153568

(this sample)

  
Delivery method
Distributed via web download

Comments