MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9
SHA3-384 hash: 4c964918412204ae2791c55bced023c2e6649d5d59ac748709f4336f07f97a8566146490bcb7aa436cb790cdec6ba8af
SHA1 hash: bd714c54c874280963f49d9c9b0965afb676368b
MD5 hash: 25c689e345e4f8112008edeeb50e5b54
humanhash: sad-asparagus-oklahoma-dakota
File name:6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9
Download: download sample
Signature njrat
Create hunting rule
File size:5'193'216 bytes
First seen:2021-02-28 07:13:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 55e15040841c41b4d97f17e36639394c (1 x njrat)
ssdeep 98304:Hmwr+UzzhhiiR/QyObjiguZfsQBb1hYaK2BRMbxuYhXDq5h9eBc:GKzhhiiiLbo9yN2oxrhXD2T
Threatray 63 similar samples on MalwareBazaar
TLSH 0836237342650186F5E6C83ED13BBEF530FA031B4A81AC78B5E7A9C628699E1D713D43
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
125
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b
Verdict:
Suspicious activity
Analysis date:
2021-02-28 09:11:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6923a78c-72a1-48b5-a6d5-5431e8dd2655

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119847/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a window
Searching for the window
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621048
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected njRat
Detected VMProtect packer
Drops PE files to the startup folder
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359517 Sample: T9Ku6E3LDK Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 39 Malicious sample detected (through community Yara rule) 2->39 41 Antivirus detection for dropped file 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 9 other signatures 2->45 8 T9Ku6E3LDK.exe 3 10 2->8         started        12 Java update.exe 3 2->12         started        process3 file4 31 C:\Users\user\AppData\...\Server.sfx.exe, PE32 8->31 dropped 53 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 8->53 55 Tries to detect debuggers by setting the trap flag for special instructions 8->55 57 Tries to detect virtualization through RDTSC time measurements 8->57 59 Hides threads from debuggers 8->59 14 Server.sfx.exe 8 8->14         started        18 notepad.exe 8->18         started        signatures5 process6 file7 35 C:\Users\user\AppData\Local\Temp\Server.exe, PE32 14->35 dropped 69 Multi AV Scanner detection for dropped file 14->69 71 Machine Learning detection for dropped file 14->71 20 Server.exe 1 5 14->20         started        signatures8 process9 file10 29 C:\Users\user\AppData\Local\...\Inject32.exe, PE32 20->29 dropped 47 Antivirus detection for dropped file 20->47 49 Multi AV Scanner detection for dropped file 20->49 51 Machine Learning detection for dropped file 20->51 24 Inject32.exe 1 5 20->24         started        signatures11 process12 dnsIp13 37 127.0.0.1 unknown unknown 24->37 33 C:\Users\user\AppData\...\Java update.exe, PE32 24->33 dropped 61 Antivirus detection for dropped file 24->61 63 Multi AV Scanner detection for dropped file 24->63 65 Machine Learning detection for dropped file 24->65 67 Drops PE files to the startup folder 24->67 file14 signatures15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9/
Threat name:
Win32.Downloader.Upatre
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 20:34:17 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=n3brigs655x4gmjgqghkjio6zbjvqurykssum5kd3b7aff3t2x4q._file
Verdict:
suspicious
Similar samples:
1b8b57fdccb30974af01938df1c16ade299d684fdf12278d7e1c4c036605a0c1
njrat
20aa773ce4d4e0709faeba02937cc789c114e726f6336c1dcd6c206f00514af2
njrat
28f39e656758b6c40db049e40bbfe958a7a20a754ea6531ccca3e4fdb8dcc66a
njrat
30f453098353ecf9291b6e48dc70bfb264c6602db206e8e99d4e9d86c4666fd8
njrat
3485a54aaddd3a9993a458638d67aca67ef59723547f0519c1e7b2d7555e0670
njrat
8f2357461e61502b9c25c60017ff806638e7342479a9ddc46dcfd4eb633d14b4
njrat
9896e2dcaf28cc3945b4756d02dd0783a498e2b44559997ffa4fb1d413260ed1
njrat
c2a645b457a4ba814aa0c116f2a501176531ce29d32a695c45c5022d6aabb271
njrat
c6d93ae492f6a2b687c64cc388cf0a483f44428b843c5b384c156f018a2cf63c
njrat
eb086d6c54841616485b2ad99ed2e2e2ebc21f01e6c5a58611ac914f70b5042f
njrat
+ 53 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/210228-jrfel1h4he/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
252795b24c0dabe9d0fca60833faca602cc60e0757f0eae8536a2a5c70a9a43c
MD5 hash:
92fdab908d9711e7a36872207f0a6a67
SHA1 hash:
b356e253edaf807059b1ea4a15d8b26e4a8e4c0e
Link:
https://www.unpac.me/results/64483398-92f6-4ae1-9c51-1c93d89c5e39/
SH256 hash:
0844f16e4087d92a57c5fae7d2d6c7a98443863cabdcb41cc581033731d7c2d2
MD5 hash:
063002186570994d1cb0a8beeac21921
SHA1 hash:
6ef06954587fb08657b107dffd6805fd2824a21f
Link:
https://www.unpac.me/results/64483398-92f6-4ae1-9c51-1c93d89c5e39/
SH256 hash:
ef11ea54a367fc2db44eb618e3f76723303d489b76f000b7c525487a14cac26b
MD5 hash:
113f15f862e8a1b0a2ad69d7c5704c42
SHA1 hash:
b626d94399770cb5c9fd4bdca9c340a19e24f8b0
Link:
https://www.unpac.me/results/64483398-92f6-4ae1-9c51-1c93d89c5e39/
SH256 hash:
6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9
MD5 hash:
25c689e345e4f8112008edeeb50e5b54
SHA1 hash:
bd714c54c874280963f49d9c9b0965afb676368b
Link:
https://www.unpac.me/results/64483398-92f6-4ae1-9c51-1c93d89c5e39/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with VMProtect.
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119847/

Comments