MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 720a8936c77adfb98b77e00f28a0a7bd96bf1d8d0bd0b97fabb4ae3d6c97b56f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 720a8936c77adfb98b77e00f28a0a7bd96bf1d8d0bd0b97fabb4ae3d6c97b56f
SHA3-384 hash: 6c5d876c09c7f277fb1ed3194aaa792904b36aa714b6dd445172fbf294355696fe380d176557e1f52021b300dac4622f
SHA1 hash: c1b6bcb3d391ade5f5238b7ba21647bc4f2678bd
MD5 hash: ad2d65fe649541954221522991203254
humanhash: burger-maine-one-pasta
File name:ad2d65fe649541954221522991203254.exe
Download: download sample
Signature njrat
Create hunting rule
File size:547'327 bytes
First seen:2022-02-08 01:52:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:0RZ+IoG/n9IQxW3OBszZPAb43jBsqUrMCL:O2G/nvxW3WCa43jBLUrMCL
Threatray 1'703 similar samples on MalwareBazaar
TLSH T150C4AE02EAF2DD71C671193B8624B7215E3D7D600B64BE8F739C7568AF74880E6207A7
File icon (PE):PE icon
dhash icon 31f098b29298f031 (53 x AgentTesla, 30 x Formbook, 12 x RedLineStealer)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
141.255.150.193:1177

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
141.255.150.193:1177 https://threatfox.abuse.ch/ioc/382112/

Intelligence

File Origin
# of uploads :
1
# of downloads :
244
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/237415/
Detection(s):
SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the Windows directory
Launching a process
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Creating a file in the mass storage device
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/6322/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll update.exe
Link:
https://www.filescan.io/uploads/6201ccd6c79b424d7206e832/reports/cb115b27-ef30-447d-85df-efc2517f4c51/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/82b20ae6-b0c3-4aa3-8d69-e9a9c9c2d269
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/935700
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an autostart registry key pointing to binary in C:\Windows
Detected njRat
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: File Created with System Process Name
Sigma detected: Suspcious CLR Logs Creation
Sigma detected: Suspicious Svchost Process
Sigma detected: Suspicius Add Task From User AppData Temp
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 568177 Sample: UfxkgFoKez.exe Startdate: 08/02/2022 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus detection for dropped file 2->71 73 14 other signatures 2->73 9 UfxkgFoKez.exe 3 6 2->9         started        13 Server.exe 3 2->13         started        15 svchost.exe 2->15         started        17 11 other processes 2->17 process3 dnsIp4 45 C:\Windows\3.exe, PE32 9->45 dropped 47 C:\Windows\2.exe, PE32 9->47 dropped 83 Drops executables to the windows directory (C:\Windows) and starts them 9->83 20 2.exe 1 5 9->20         started        24 3.exe 6 9->24         started        26 notepad.exe 9->26         started        85 Antivirus detection for dropped file 13->85 87 Multi AV Scanner detection for dropped file 13->87 89 Machine Learning detection for dropped file 13->89 91 Changes security center settings (notifications, updates, antivirus, firewall) 15->91 28 MpCmdRun.exe 15->28         started        55 127.0.0.1 unknown unknown 17->55 49 C:\Users\user\AppData\...\svchost.exe.log, ASCII 17->49 dropped file5 signatures6 process7 file8 41 C:\Windows\svchost.exe, PE32 20->41 dropped 75 Antivirus detection for dropped file 20->75 77 Multi AV Scanner detection for dropped file 20->77 79 Machine Learning detection for dropped file 20->79 81 2 other signatures 20->81 30 svchost.exe 3 6 20->30         started        43 C:\Tools.exe, PE32 24->43 dropped 35 conhost.exe 28->35         started        signatures9 process10 dnsIp11 57 matthacking.duckdns.org 141.255.150.193, 1177, 49763, 49764 IELOIELOMainNetworkFR France 30->57 51 C:\Users\user\AppData\...\Java update.exe, PE32 30->51 dropped 53 C:\Users\user\AppData\Local\Temp\Server.exe, PE32 30->53 dropped 59 Antivirus detection for dropped file 30->59 61 System process connects to network (likely due to code injection or exploit) 30->61 63 Multi AV Scanner detection for dropped file 30->63 65 5 other signatures 30->65 37 schtasks.exe 1 30->37         started        file12 signatures13 process14 process15 39 conhost.exe 37->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/720a8936c77adfb98b77e00f28a0a7bd96bf1d8d0bd0b97fabb4ae3d6c97b56f/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-02-04 12:04:26 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oifisnwhplp3tc3x4ahsrifhxwll6hmnbpils75lwsxd23exwvxq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
09de50c42d342a45215b027b4b041d96fafa5348aeb71c15db3d46725c3aeaa2
njrat
10b52b26be692aea2c0365965a300d479698bdd72910592b55ea42dcb5a29e1b
njrat
56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b
njrat
6d915396aa09593693247c54c4a91feea691dc6e5f4ff234791a6193d2b5ac1b
njrat
7416875c44dab7adebe7e6809228adabe17c38abae4bf9c6d49c72fd967621e4
njrat
7d6bc9c488ef81546e89c929a34e3d067ff083599c80edad38987fd0771cfe4a
njrat
8060ecf4c1dc957aefdbfc835361541af83a9e5d6433f5abb073477c59f16e4c
njrat
91b886840c7f674d17b48e5d2264228a55fe0f28e32e102c84dad5cca49ed807
njrat
bc7cbed34a28008fed6c5c7d7fea8658d4abeb1eff5b06e06a917680d5091fcf
njrat
da6e9bd269fbd3904c007d8c19272f372211b3930567d21b977d34716317143a
njrat
+ 1'693 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:transformice persistence suricata trojan
Link:
https://tria.ge/reports/220208-cae7msbhcq/
Behaviour
Creates scheduled task(s)
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
matthacking.duckdns.org:1177
Unpacked files
SH256 hash:
47c6a61606ec81f50a290815206413ebe02de42df2fd5d297a7f301262ce6a03
MD5 hash:
7e96a3fcb236f473cf982b7f573dc2fc
SHA1 hash:
a6b64f4c513178dd7d9ae0f7da800dec79eb9216
Link:
https://www.unpac.me/results/4767056d-3f8c-4686-ad39-8cc20c615600/
SH256 hash:
a92666583e7627f57f164eed666b3ca625299c29f42b954c3babfbcf1aea1e75
MD5 hash:
08198b466a589edefc688d2c467f968a
SHA1 hash:
551fd248b95cd3d3d63c246cd519112ba49fdb1c
Link:
https://www.unpac.me/results/4767056d-3f8c-4686-ad39-8cc20c615600/
SH256 hash:
720a8936c77adfb98b77e00f28a0a7bd96bf1d8d0bd0b97fabb4ae3d6c97b56f
MD5 hash:
ad2d65fe649541954221522991203254
SHA1 hash:
c1b6bcb3d391ade5f5238b7ba21647bc4f2678bd
Link:
https://www.unpac.me/results/4767056d-3f8c-4686-ad39-8cc20c615600/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/237415/

Comments