MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 751ace582785df8de0f428cc1d076dd0093cd89305b76c456fb959e418706331. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	751ace582785df8de0f428cc1d076dd0093cd89305b76c456fb959e418706331
SHA3-384 hash:	9ddc8db91a233575ed4529776224023b31e6e7d9a1b8174846c55f13cffbf3c4a035230b05a4f13147fad811d7545b63
SHA1 hash:	b71c475301f3d5a08a6b09d3d50c10d07fbbadbe
MD5 hash:	3ac6cf6423f5a3f7064057b75a3c647c
humanhash:	arkansas-grey-uncle-fruit
File name:	751ace582785df8de0f428cc1d076dd0093cd89305b76c456fb959e418706331
Download:	download sample
Signature	njrat Create hunting rule
File size:	225'960 bytes
First seen:	2020-11-14 17:59:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	3072:YsXRmUIMitNqQQse27vc6Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwlmI:ZR5IZqQQseG47RZBGxAycKpSPX2r
Threatray	60 similar samples on MalwareBazaar
TLSH	81245DA534AE6709D93EDBF0D2E520A087B562657216D2BA6C8153EFC051FF11F82C3E
Reporter	seifreed
Tags:	NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Packed.Bladabindi-6888152-0

Win.Packed.Bladabindi-9754048-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file

Creating a process from a recently created file

Launching cmd.exe command interpreter

Creating a process with a hidden window

Running batch commands

Launching a process

Adding an access-denied ACE

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Launching a service

Using the Windows Management Instrumentation requests

Connection attempt

Setting a single autorun event

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Njrat

Detection:

malicious

Classification:

troj.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/536119

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Changes the view of files in windows explorer (hidden files and folders)

Connects to a pastebin service (likely for C&C)

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Disable Task List ballon tips (likely to surpress security warnings)

Found strings related to Crypto-Mining

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/751ace582785df8de0f428cc1d076dd0093cd89305b76c456fb959e418706331/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2020-11-14 18:00:01 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Result

Malware family:

n/a

Score:

10/10

Tags:

persistence

Link:

https://tria.ge/reports/201114-97ye3pbx2n/

Behaviour

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Deletes itself

Executes dropped EXE

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

751ace582785df8de0f428cc1d076dd0093cd89305b76c456fb959e418706331

MD5 hash:

3ac6cf6423f5a3f7064057b75a3c647c

SHA1 hash:

b71c475301f3d5a08a6b09d3d50c10d07fbbadbe

Link:

https://www.unpac.me/results/9564d40d-4254-407c-99d6-e9c8976b3a87/

SH256 hash:

40bc45c9e3d2fd9a2500e3eb77b749a10c154a34273d4093afc4cffe3c995bb7

MD5 hash:

24143ff14c6f0e7195f25c0f0f158131

SHA1 hash:

2770b4567781f562f2d9dc05f2e284f811fe4351

Detections:

win_njrat_w1

win_njrat_g1

Link:

https://www.unpac.me/results/9564d40d-4254-407c-99d6-e9c8976b3a87/

Parent samples :

c441878a00ef723f678d49b8c42642553a305b5f187afd568162f6f88bdef2ac
afb97e26a48bac9d1fed6313101f0046e741c63aa511389d6d8e4498a4294703
094a4107934ec7b611c501e3235e3b85cc4616ee9bdb8e1264bebb12c3d0d90e
09f3dbf5da2aad1287b6a7b627edfc4e1d115249320385114e967414ce44e752
5635f53cc6c6b4937c31176e0888b9e7eb75b4c75b831327814f5be2c7aefa8c
c6205517e8d96bdef8b86628b0fea0f5e8e680fd56f3b6d83365e0b342eb03ab
53795ee37d419aeaf540b78881f30d53d47a5d5b83f83b45fba9b5bacdf8bdc8
1a9b159c9210f631ce9963a5ad26bcb33f15bb0bbd3a17d080f41f8c7f294117
74730cf408bf94965b783eb01a1489939694100e01ecea7c332d3efcc30fd768
e73d6c91f6f097477ffa6afdb0fc5b182ccda5889d16b277c16e4c8aec5268db
af4cf51f4a1e29d76867b510c0d7fae11f20b43e2405c85986b5e957ea6f00cb
17d400bcc325645f1673300b4a82213df9464f0c6232f7b19c35c26ad1313f0e
92e202cf535ab9a1ed4d04555623a772e06e99f9c64842c0110c4e3cb93d97fb
fb80a3973312b0ca4905ccba10408931846a3517d6afc64cb05271da85190aba
2aab2c226afa316a1bf2acf61a425dbe741007b6712b5ef0c8f969bb1cc39717
a96c325c0ea8731f69e015dae013fa912c3e15c8527512c50c34e18b6a090bcd
c00fd22d257e8a65cb878efbdc108118643f57568171aafc8e4502fb401a1311
904d9f6964340d12f7ed21e8e2b26111a5a6e2a812efc54455bab64be2dc9251
8a0c72d91e7c3e6735978764073ae810fa5f53d844a7f3faa781d7bbf8f89444
8e5b0427bc2c06b0e6faaa6fca1e9f13b391a0e6d2c7d888050040317f6b0a5e
c0120e42466459db8e3dfbae5eb19625962c141007b5160c6ae4f0d36c52416f
e8172a5f011b4e9ab72819168cdc5c32e2e5d14a0d16a9a138e55e5799a1e792
0ef2c247f4f84c13faec72e1f66af9d195a882d5b9393e38cb7240aa5cb2fdf8
d5bcd52402cd0e4a4b2866fe618200dde5ff24126ba06fae5d0c56a0c4920970
42b66b282d766420a98488b24be4bd800dea9e3cb1f269901593e8894a0a565e
96c74934f5dfb4c055192ed0f8be284bfd3d1cb1f00e56e4d50b5e2eca176be6
81dddd82c94ac0706ea58646bc1251950f3ed794cc9fcd93ab81157a4103d9e7
464e18204c62fb556867fa884488d776fc22f423f11bab4fdc45226aebe5f2cf
a94f31783794e540f8a479dd0372d9af8ee3e8616bb4c3579a830fcbcc72be88
5fc0a6037edc8b1dcdf7680d3702ce9f68b2bbc7184782e60c2cfe898c84fdaf
39f7ec8176dae9b386844975c0f3c2da28f7187db97fa5b0ed2686f7920fce5c
5dd32541779e850c3a23207dc90a534dccc57dcdee4731f372c493645620cd8c
81958ab5856c7f0c874daa3f9e0b7891cabd260eca20ef854021bf27e13ef0f5
3b446a4db0e7adab5ae5d6221e7f4ed144ed424d0ded94075543e1f328d0df1f
fcc0c07b0d1e2c89094de8c1ff72f2ddd48efbf217d5be86506690ce95574770
c7e01ebbe202f072bcaaf614d8b8a42fc49616ffaf3f485c22dbf6391ce72c34
ed999dbcfb1d1e6999420df2fd3981927862c7b924ace32f72a58b272601d662
17bf57a945264d016da0c8ffd6db5f7afe00e3a55b7e58de53dad3c78632a813
9e35122f36dc988e827979f4d143b40978c3e2d9711543fb5933702e6d7bb2c6
004ff33a352c945002502e3b8be08c3bc5fb2900e3cda0d09c9c1ee83882bbd4
cdf3c63a92c375d97abefdb7599d8a70f126108e4ad662105ce86bc984e4a71b
98153a3652c0fc9d2f62de830c9d962cd4687967b64ef0089838594ebeaf3cfb
4ce8e1e5398097aaf6a0bb4bf4af948a65a9c1a469605b6764a07da6b9d1533c
896970f29db569a86d7140e4ef9e1834dee6af5d9caded74b887358fa469c817
88dde5acdfb88e3ca859c3c2dcb28337610d49644fc55d82621440aac427b470
751ace582785df8de0f428cc1d076dd0093cd89305b76c456fb959e418706331
f62de9cf7e53e790f80a6101fd93d941e147e43f8b9422d88a51b6213cd62c8e
996fb97f3d1725822ab85fa396ca26d30ca07636a7b344eba3cf48bcec16933b
eb88aee0cbde04e5190348d7e5896f918e3295be94329d125b1f5a3716d6deaf
e2bb3c392435da3fcebf3b348c1b401152e8bc542a9136c5694a12f04079aac2
f9ce6571bce027e45f59a181e2e5e2a214302206984eac717ae712c69e77dead
2a6adf66a4f2311e307403a517d15dad299f6f61fe97b8c07bff6fe8f42c070c
b55e720e758380f2f8eeac13e99fcb926dfb107949ea5796bce4d433139c8aea
6daf2c4ebb9d86c1d154cd78731e2ea51bbca900c417474c404c5924fc5a676e
7b02062649aa81cfdb1d3320741b0cff7f5e4fa3ff6ca11d108d81dba94f1021
14c225cf0f5de88075080455878a2dca9660d28f55ef9eaaabc53794d9c5f603
9fcb80b61e29b947b6b4c5d3237bbe8167be4031a8bd58a350e57c9678c590d7
da77c22aa40d46a98b836ff2e92c62f41c848f2ca989890ac190ca8feea8433d
b2d3cf2e51f8d7df76362ff9113eea91da3a4afd55ea047913eb4e6628641f76
633c74a49fe7abfb37e8ae06bd7330f70245d7800544007ec624db5160311363
038b1c67b5540fc422003c506811021e951df993d77b5601c619701237a8d04c
f4468e165945e48506b09965c7b2704c36759a916fcb49d79ed7379526a1f361
3aa9a8e3533892806a45d2f3e2e22d1b84a769e5c2fe159db78854eb07fc71ce

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NJRat

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/751ace582785df8de0f428cc1d076dd0093cd89305b76c456fb959e418706331

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample