MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df
SHA3-384 hash: dd3884bedf49557dff5cc84e48ac00d7198b3738ed2dc425f49d8f77e51b9b6d649d402a952fb675059ec2004aa07145
SHA1 hash: 6b8572889dbac9938e8552f05bf57496b6ab0367
MD5 hash: 751be7e898d61998e52402b813e391bf
humanhash: four-echo-hotel-kentucky
File name:6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df
Download: download sample
Signature njrat
Create hunting rule
File size:2'436'448 bytes
First seen:2021-09-30 07:38:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:Mh+ZkldoPK1Xav4aWGh+ZkldoPK1XadtV+Xcm:d2cPK1daWf2cPK1R3
Threatray 1'274 similar samples on MalwareBazaar
TLSH T109B58C03739D8065FEAA917F5B59B20156BD7C2500E3872F12983D6DA9F03A11E3EE63
File icon (PE):PE icon
dhash icon 3b73cb09718c5575 (2 x njrat)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193381/
Detection(s):
Win.Malware.Nymeria-6988663-0
Create hunting rule

Win.Malware.Nymeria-6988372-1
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Query of malicious DNS domain
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/adb9f6f4-18b7-4d90-b042-47490e1bcddf
Result
Threat name:
Remcos Njrat
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862308
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Njrat
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494735 Sample: fNo2oNonGj Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 64 2ffahbg8eydhr96hx3x2lje2ymygt5iq.duckdns.org 2->64 86 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 14 other signatures 2->92 9 fNo2oNonGj.exe 6 2->9         started        13 wscript.exe 1 2->13         started        15 wscript.exe 1 2->15         started        signatures3 process4 file5 60 C:\Users\user\AppData\...\IMESEARCH.exe, PE32 9->60 dropped 62 C:\Users\user\AppData\Local\...\LastFudCy.exe, PE32 9->62 dropped 96 Contains functionality to inject code into remote processes 9->96 98 Writes to foreign memory regions 9->98 100 Allocates memory in foreign processes 9->100 102 Injects a PE file into a foreign processes 9->102 17 LastFudCy.exe 4 9->17         started        21 RegSvcs.exe 2 4 9->21         started        24 IMESEARCH.exe 2 13->24         started        26 ActiveSyncCsp.exe 15->26         started        signatures6 process7 dnsIp8 56 C:\Users\user\...\ActiveSyncCsp.exe, PE32 17->56 dropped 72 Antivirus detection for dropped file 17->72 74 Multi AV Scanner detection for dropped file 17->74 76 Binary is likely a compiled AutoIt script file 17->76 84 4 other signatures 17->84 28 LastFudCy.exe 2 3 17->28         started        31 LastFudCy.exe 17->31         started        33 LastFudCy.exe 17->33         started        35 LastFudCy.exe 17->35         started        66 2ffahbg8eydhr96hx3x2lje2ymygt5iq.duckdns.org 21->66 58 C:\Users\user\AppData\Roaming\...\advpack.url, MS 24->58 dropped 78 Writes to foreign memory regions 24->78 80 Allocates memory in foreign processes 24->80 82 Injects a PE file into a foreign processes 24->82 37 LastFudCy.exe 24->37         started        40 RegSvcs.exe 24->40         started        42 ActiveSyncCsp.exe 26->42         started        44 ActiveSyncCsp.exe 26->44         started        46 8 other processes 26->46 file9 signatures10 process11 dnsIp12 68 2ffahbg8eydhr96hx3x2lje2ymygt5iq.duckdns.org 192.169.69.26, 3344, 4431, 49752 WOWUS United States 28->68 70 192.168.2.1 unknown unknown 28->70 94 Injects a PE file into a foreign processes 37->94 48 LastFudCy.exe 37->48         started        50 LastFudCy.exe 37->50         started        52 LastFudCy.exe 37->52         started        54 5 other processes 37->54 signatures13 process14
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df/
Threat name:
Win32.Trojan.AutoitInject
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 07:23:00 UTC
AV detection:
36 of 45 (80.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nuxrvgfxoga4wz24b46nhltiet65sdqvbrdnn7hob3iw67gykxpq._file
Verdict:
malicious
Similar samples:
19456465374c8499aa429b73283338bd7e5c8e162041e8dd7b43ce826d9265e4
njrat
2b554ef8cede0aaf90b2eba967599dede6795344ae5c7e876e5c3a5776894a16
njrat
2d9d61ce6c01329808db1ca466c1c5fbf405e4e869ed04c59f0e45d7ad12f25b
njrat
4b5a4437b8b7bab10cfb32c06b5241f92b3a2e2861f56190b8b17a7028ec64c8
njrat
788439bb46a147272e39cdd6a8a8ecdc68dbb3317e4d058526d6feda09d64613
njrat
9d389c6cec94ab389a487a450ce3c2773978eda015fcfc09c9bf1d0370b84ff9
njrat
a93a71cdc90f1ab2f2c80db6f0c55b95f43bad13faff06c89f2c728cab630773
njrat
c582b5864a67c2d63f8d3a8faf08b47e94646a96cd81abe507d8d08df13e40c4
njrat
cbeec64cdd31f94e46005a27c264248f12a22102d6e8b9f4187e92fedb2db373
njrat
+ 1'264 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat suricata trojan upx
Link:
https://tria.ge/reports/210930-jgzceshacj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
autoit_exe
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Unpacked files
SH256 hash:
9a1b6544f864071063ff6352267492786443c2f3930009e39adfdd5bf1c906c8
MD5 hash:
ece006a1b6bc5becb4b4b7215c3c89fd
SHA1 hash:
2332f9f2f070d0dfa0a1c92e621c3ed02febcf3d
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/6bd5e1cd-4f74-481d-9e00-a814c2091359/
Parent samples :
c582b5864a67c2d63f8d3a8faf08b47e94646a96cd81abe507d8d08df13e40c4
ba941d09fd153b7a9c5184333bb789e321679d736db2f1f457e41e65e7d59789
f59e0f40f585fb82cde0dd687415d778c27b944d936a13a91e4b4894df738be1
bc28df3a25377a42fb70eb261ff90a7708834e60b10068cb35904d3da58ce5f6
6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df
SH256 hash:
6d7c071cc08c251fbe80504b9ce88e7f96ba07180a3abacacfd681b4af9cb8ac
MD5 hash:
6949b840094e54301ee02dc284363ae6
SHA1 hash:
55e4e962d21b370b195edd0ce1e47e0afd0df216
Link:
https://www.unpac.me/results/6bd5e1cd-4f74-481d-9e00-a814c2091359/
SH256 hash:
6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df
MD5 hash:
751be7e898d61998e52402b813e391bf
SHA1 hash:
6b8572889dbac9938e8552f05bf57496b6ab0367
Link:
https://www.unpac.me/results/6bd5e1cd-4f74-481d-9e00-a814c2091359/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6d2f1a98b771/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193381/

Comments