MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6eb6b5bbe6d91549da0f12fb62da2a6be6370839192de6f1b21b6baea974958f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6eb6b5bbe6d91549da0f12fb62da2a6be6370839192de6f1b21b6baea974958f
SHA3-384 hash: 0bbc4bdac6ed30c6c324e8036b121caa6d71ab18f26b4d17a1277a77e2256d1fa8e2520ec6162f9451f8d000bd32a401
SHA1 hash: c9a74a07f6b75adc8dcac1359b1e242f88cfa346
MD5 hash: 4e3aec325ba5bc1606d59c8965df4a5b
humanhash: quebec-sierra-seventeen-papa
File name:6eb6b5bbe6d91549da0f12fb62da2a6be6370839192de6f1b21b6baea974958f
Download: download sample
Signature njrat
Create hunting rule
File size:1'344'465 bytes
First seen:2021-08-30 07:11:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:OhvJVJdMKxPfHNC5SE8+s0fvQKqiUyDDa1GpHmS0VlNth4oe1pMxl35UIql:23d9ns5SE8Z0fQ/spGxzLR4pMxpOLl
Threatray 1'006 similar samples on MalwareBazaar
TLSH T199552201FCC1A5B1D661097549196B1166BE7D201F20CFAFB3946E2EEE700D1AB32BB7
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
514
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6eb6b5bbe6d91549da0f12fb62da2a6be6370839192de6f1b21b6baea974958f
Verdict:
Malicious activity
Analysis date:
2021-08-30 07:52:03 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/ec4a864e-8b9d-42e0-83fb-a103cc0548f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183623/
Detection(s):
Win.Malware.Rasftuby-9864353-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.37098799.28291.25939.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% directory
Sending a UDP request
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Connection attempt
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/743d0e92-7124-461e-b18e-081bd373eedc
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/841327
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 473758 Sample: 4867D296no Startdate: 30/08/2021 Architecture: WINDOWS Score: 100 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for dropped file 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 8 other signatures 2->75 14 4867D296no.exe 13 2->14         started        17 svchost.exe 1 2->17         started        19 svchost.exe 2->19         started        21 5 other processes 2->21 process3 file4 67 C:\Users\user\AppData\...\CheatEngine3.1.exe, PE32 14->67 dropped 23 cmd.exe 1 14->23         started        process5 process6 25 CheatEngine3.1.exe 13 23->25         started        29 conhost.exe 23->29         started        file7 63 C:\Users\user\...\CheatEngine2.sfx.exe, PE32 25->63 dropped 83 Multi AV Scanner detection for dropped file 25->83 31 cmd.exe 1 25->31         started        signatures8 process9 process10 33 CheatEngine2.sfx.exe 12 31->33         started        37 conhost.exe 31->37         started        file11 57 C:\Users\user\AppData\...\CheatEngine2.exe, PE32 33->57 dropped 77 Multi AV Scanner detection for dropped file 33->77 39 CheatEngine2.exe 13 33->39         started        signatures12 process13 file14 61 C:\Users\user\...\CheatEngine1.sfx.exe, PE32 39->61 dropped 81 Multi AV Scanner detection for dropped file 39->81 43 cmd.exe 1 39->43         started        signatures15 process16 process17 45 CheatEngine1.sfx.exe 12 43->45         started        49 conhost.exe 43->49         started        file18 65 C:\Users\user\AppData\...\CheatEngine1.exe, PE32 45->65 dropped 85 Multi AV Scanner detection for dropped file 45->85 51 CheatEngine1.exe 45->51         started        signatures19 process20 file21 59 C:\Users\user\...\CheatEngine0.sfx.exe, PE32 51->59 dropped 79 Multi AV Scanner detection for dropped file 51->79 55 cmd.exe 51->55         started        signatures22 process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6eb6b5bbe6d91549da0f12fb62da2a6be6370839192de6f1b21b6baea974958f/
Threat name:
Win32.Trojan.Rasftuby
Create hunting rule
Status:
Malicious
First seen:
2021-08-15 07:03:16 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
21 of 46 (45.65%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n23llo7g3ekutwqpcl5wfwrknptdocbzdew6n4nsdnv25kluswhq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
1d64d3eb1c28bda9e53ed296e9a84092b655deb5fb27aac6ee6d99c65ee6f118
njrat
64730c6f60dd679aea8d9e2f7e9d7ee6c8a3983afc347a9e00fcf32caeeaab9d
njrat
8500f1744e517dfa7e8f0e08aeea29ca2625695ee2b90653a007edd1be838f54
njrat
8b3d0f667e789aada31ebcff914bf61e811d33c9faf6205424e3b27bad4ffebb
njrat
a25eb7c50af21a154c82ac917bf9e7abb7b94225da381849a097792ecb16a2ca
njrat
b75c96558da89e3f3935a90cfd0494db199fce26cbd387985f5d16b3bebe857b
njrat
e7cc1a50c3ab054c7c102301d32b802813f0651154f585ac315d0778a81501c8
njrat
f54f4f34ff1f194148e1296d12e1badfae3eecf24cbfd35aa0308507d7cd367d
njrat
f7ecb9c84f5daf63ea888403a57ff94757d5178c11705ccccf00748fe88fc18f
njrat
+ 996 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210830-xhm29f3h1a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
f725ccdcca78b62292970203faee7340e42a8c3cd6288efb47c0f387dac250e0
MD5 hash:
783aa869fe89245e57c953ccf04592f6
SHA1 hash:
d912ea8c3a84f00c2af3310d7f795dfa7e3beb64
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/7b5ab5dc-689f-464c-b42c-0fbbed026976/
Parent samples :
a25eb7c50af21a154c82ac917bf9e7abb7b94225da381849a097792ecb16a2ca
6eb6b5bbe6d91549da0f12fb62da2a6be6370839192de6f1b21b6baea974958f
SH256 hash:
6eb6b5bbe6d91549da0f12fb62da2a6be6370839192de6f1b21b6baea974958f
MD5 hash:
4e3aec325ba5bc1606d59c8965df4a5b
SHA1 hash:
c9a74a07f6b75adc8dcac1359b1e242f88cfa346
Link:
https://www.unpac.me/results/7b5ab5dc-689f-464c-b42c-0fbbed026976/
Malware family:
njRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/6eb6b5bbe6d9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6eb6b5bbe6d91549da0f12fb62da2a6be6370839192de6f1b21b6baea974958f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183623/

Comments