MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7291762d6b4a2222d054eb69fc32be59d4f43b248c90848730ffb14e03665ba0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7291762d6b4a2222d054eb69fc32be59d4f43b248c90848730ffb14e03665ba0
SHA3-384 hash: 6d158718112f05502dd7114048114378179b8047f634f159af5055e1a08bdebb311a4598a1bc480a76c364e0052f4cae
SHA1 hash: 216d891c8b4047cce508ad53f67977ca43d70a42
MD5 hash: 24eb38424df3661a28771e2149f625ae
humanhash: network-dakota-cardinal-pennsylvania
File name:24eb38424df3661a28771e2149f625ae.exe
Download: download sample
Signature njrat
Create hunting rule
File size:96'768 bytes
First seen:2023-02-14 18:03:58 UTC
Last seen:2023-02-14 19:43:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'647 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 1536:2nJyPg2f/LfpIu4TUyjroZ9ABcMv2pGofaCDeP3scTfVL4:2ncg23VgHBR9y3AfVc
Threatray 2'849 similar samples on MalwareBazaar
TLSH T12493ED1225EF149DF3B78AB22FE5F5FFCA69E923150A70BA318117468736D02AD02375
TrID 61.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.1% (.SCR) Windows screen saver (13097/50/3)
8.9% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 414545c0d4c05503 (37 x njrat, 3 x AsyncRAT, 1 x RedLineStealer)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
154.177.64.164:5552

Intelligence

File Origin
# of uploads :
2
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
24eb38424df3661a28771e2149f625ae.exe
Verdict:
Malicious activity
Analysis date:
2023-02-14 18:05:36 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/9baf7fc8-7365-462d-8a0c-0c753a1eb424

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/365930/
Detection(s):
PUA.Win.Packer.NETCrypter-6309687-2
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Sending a custom TCP request
Creating a process with a hidden window
DNS request
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7291762d6b4a2222d054eb69fc32be59d4f43b248c90848730ffb14e03665ba0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/355eed6e-64bc-42e5-b29a-02ce276a5dd0
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1174707
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 807511 Sample: rwDxGEITfA.exe Startdate: 14/02/2023 Architecture: WINDOWS Score: 100 31 veprex.hopto.org 2->31 37 Malicious sample detected (through community Yara rule) 2->37 39 Antivirus detection for URL or domain 2->39 41 Antivirus / Scanner detection for submitted sample 2->41 43 5 other signatures 2->43 9 rwDxGEITfA.exe 1 5 2->9         started        13 server.exe 2 2->13         started        15 server.exe 2 2->15         started        17 server.exe 3 2->17         started        signatures3 process4 dnsIp5 35 192.168.2.1 unknown unknown 9->35 27 C:\Users\user\AppData\Local\Temp\server.exe, PE32 9->27 dropped 29 C:\Users\user\AppData\...\rwDxGEITfA.exe.log, ASCII 9->29 dropped 19 server.exe 4 2 9->19         started        file6 process7 dnsIp8 33 veprex.hopto.org 197.35.204.242, 49683, 49684, 49685 TE-ASTE-ASEG Egypt 19->33 45 Antivirus detection for dropped file 19->45 47 Multi AV Scanner detection for dropped file 19->47 49 Machine Learning detection for dropped file 19->49 51 3 other signatures 19->51 23 netsh.exe 3 19->23         started        signatures9 process10 process11 25 conhost.exe 23->25         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7291762d6b4a2222d054eb69fc32be59d4f43b248c90848730ffb14e03665ba0/
Threat name:
ByteCode-MSIL.Trojan.Bulz
Create hunting rule
Status:
Malicious
First seen:
2023-02-09 23:38:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
28 of 39 (71.79%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=okixmllljircfucu5nu7ymv6lhkpiozersiijbzq76yu4a3gloqa._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
22cd2928145df3e4a40db97a5e6ec531a5f18720d6c44122067abeba33efe7e7
njrat
4429abcc87b519e564fb443eac261da3f2976056c87a61a55c177c46c72cd474
njrat
585b9a5e3aac2aa59c5741bc7f56029aeea7c00dd870dc6064f856c84bc70262
njrat
b017cdb6f137cd3e72e7524470ebf2ff2712cc5f78db58d6eb87b15b4a84184f
njrat
b1bdc2d7698615f452b9719b25429d90e688878e5b01b08ad32a164e755493a3
njrat
b81f300ef1dfaa7f5c3d2bc0fa57a5bd74537eccfea550ddf44be4a30c39714e
njrat
+ 2'839 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked evasion persistence trojan
Link:
https://tria.ge/reports/230214-wnk5laee5x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction:
veprex.hopto.org:5552
Unpacked files
SH256 hash:
4a03486bc1ab67b78c4c173343d6cda9ca18f9ea79846ffe175dd42a37925e9d
MD5 hash:
0fe18fa1f9f9e8393f40ebd56f0e7be7
SHA1 hash:
2801373d740901add7350e50bee4ca003abc4ec6
Detections:
NjRat
Create hunting rule
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/cd837080-50a8-4fc0-a82b-1cbe313eb749/
SH256 hash:
7291762d6b4a2222d054eb69fc32be59d4f43b248c90848730ffb14e03665ba0
MD5 hash:
24eb38424df3661a28771e2149f625ae
SHA1 hash:
216d891c8b4047cce508ad53f67977ca43d70a42
Link:
https://www.unpac.me/results/cd837080-50a8-4fc0-a82b-1cbe313eb749/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7291762d6b4a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/7291762d6b4a2222d054eb69fc32be59d4f43b248c90848730ffb14e03665ba0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/365930/

Comments