MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c3d282a6a943f1b052246f5b3ceec91e400c0fdd04c22d1e44556e1150b3a5a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c3d282a6a943f1b052246f5b3ceec91e400c0fdd04c22d1e44556e1150b3a5a
SHA3-384 hash: 8a9f35e2609116fecb11b1be7034e22d83b69f3b5da4fa564b49affad8734f1d727ec337f4a4a377761e31e2e31a11e8
SHA1 hash: 0b3aae47e3546b66385cd1e67964cc02024915ae
MD5 hash: c6dd27ec86d7acfa59b221a8a05730d4
humanhash: michigan-mountain-queen-item
File name:6c3d282a6a943f1b052246f5b3ceec91e400c0fdd04c22d1e44556e1150b3a5a
Download: download sample
Signature njrat
Create hunting rule
File size:1'137'632 bytes
First seen:2021-09-23 07:07:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 80 x RedLineStealer)
ssdeep 24576:uOTzK4X5L+D5RRXqOygOvCFWXgni+3h/Q9XqAgWGD:uOTn9UrqOygOwi+3h/IXqAMD
Threatray 22 similar samples on MalwareBazaar
TLSH T1383533DAE24C37D0D2838E30117D72B9F9697F585611F07C7CA8AF923622A66153F0A7
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
314
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6c3d282a6a943f1b052246f5b3ceec91e400c0fdd04c22d1e44556e1150b3a5a
Verdict:
Malicious activity
Analysis date:
2021-09-23 07:33:05 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/c399003c-745b-499f-8bc1-18b5dc3afceb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
EnigmaStub
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190627/
Detection(s):
Win.Dropper.Enigmaprotector-9102419-0
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dce2ae4c-fd48-4893-96ff-374040ee4179
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856346
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488781 Sample: ejRwI3EnEm Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 39 Found malware configuration 2->39 41 Malicious sample detected (through community Yara rule) 2->41 43 Antivirus detection for dropped file 2->43 45 17 other signatures 2->45 8 ejRwI3EnEm.exe 1 6 2->8         started        12 Service Post-Prefinding Windows Host.exe 3 2->12         started        14 Service Post-Prefinding Windows Host.exe 2 2->14         started        16 Service Post-Prefinding Windows Host.exe 2 2->16         started        process3 file4 31 Service Post-Prefinding Windows Host.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\...\ejRwI3EnEm.exe.log, ASCII 8->33 dropped 35 Service Post-Prefi...exe:Zone.Identifier, ASCII 8->35 dropped 53 Detected unpacking (changes PE section rights) 8->53 55 Detected unpacking (overwrites its own PE header) 8->55 57 Tries to evade analysis by execution special instruction which cause usermode exception 8->57 18 Service Post-Prefinding Windows Host.exe 2 6 8->18         started        59 Hides threads from debuggers 12->59 signatures5 process6 dnsIp7 37 46.219.69.11, 5959 FREENET_LLCUA Ukraine 18->37 27 C:\...\381f184ce9f69f0b69a36a609a19af0a.exe, PE32 18->27 dropped 29 381f184ce9f69f0b69...exe:Zone.Identifier, ASCII 18->29 dropped 47 Protects its processes via BreakOnTermination flag 18->47 49 Creates autostart registry keys with suspicious names 18->49 51 Hides threads from debuggers 18->51 23 netsh.exe 1 3 18->23         started        file8 signatures9 process10 process11 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c3d282a6a943f1b052246f5b3ceec91e400c0fdd04c22d1e44556e1150b3a5a/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 21:56:04 UTC
AV detection:
32 of 45 (71.11%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nq6sqktksq7rwbjci323htxmshsabqh52bgcfupeivlocfilhjna._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
06aba312b446bf01180d633c94686c5ab2d102d40156b5cd9a9255cc6fd5b69c
njrat
4322b25b29f160a08e809764a5dd86deda2289623331867004f85a905ce47769
njrat
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
njrat
798eab01e5d7f1c78e3f7db514f3611ae85e468405af144245f55c8f2657c6d9
njrat
7fb40d2c4011f9aa66d25183702ac6872fff070ff9c7433fab6d3785ebc95f4c
njrat
9cda5e5ad6ca68a803516013fbf62e6b06383b20fccf1ee6aed4730c916a3b55
njrat
a7b419ba495ef1afcb0a243327224d4e088b156c421a4dd6589f980ba943171d
njrat
b83c0954a3138f4c18e4f6a5182768b5a1efbb13c69dcf01d63eb81f63456eda
njrat
d162aea95889e147b96c2ab4da7cf27ec2538abd149a08f96d993fb7a41b002f
njrat
+ 12 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210923-hx8qcsfff8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
6c3d282a6a943f1b052246f5b3ceec91e400c0fdd04c22d1e44556e1150b3a5a
MD5 hash:
c6dd27ec86d7acfa59b221a8a05730d4
SHA1 hash:
0b3aae47e3546b66385cd1e67964cc02024915ae
Link:
https://www.unpac.me/results/0529f01b-a7ac-4798-aee4-638d7dc4f192/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6c3d282a6a943f1b052246f5b3ceec91e400c0fdd04c22d1e44556e1150b3a5a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:Identify njRat
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190627/

Comments