MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7721280dd1b071f1d61b5db72d4765395673dd55a4a8e4fd59c2ee8b42548aad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7721280dd1b071f1d61b5db72d4765395673dd55a4a8e4fd59c2ee8b42548aad
SHA3-384 hash: 7919701fd425118c5bde90b1252c247b49560a4c35a3142e16e46980f8eaa88ee2aa9dd285f76ff4e70f95684f6712b1
SHA1 hash: bd55f18104a746c31e2d3c46d2df1e1aca3fc7a7
MD5 hash: 2b4810b156c5265143b96dfebd78ab8d
humanhash: montana-bakerloo-red-south
File name:IBCITITMMXXX103CHRE00702H000001.exe
Download: download sample
Signature njrat
Create hunting rule
File size:194'048 bytes
First seen:2020-07-05 16:06:16 UTC
Last seen:2020-08-02 07:32:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:8ffki2bOg43R/kIRVQRjG744+SNQWO9ekMs09u1U3zRQf:0v/gER/kBRyc4+9HpUzR
Threatray 465 similar samples on MalwareBazaar
TLSH 8B14F519EB6AAC22C98D0E7A823745D8D33EDB4B6413D70F7AC4F5381D122AD5B943E1
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
Malspam distributing njrat:

HELO: correo.cajamar.com
Sending IP: 62.201.4.99
From: Noureddine Ballout <nballout@creditl.com>
Subject: FW:Swift_IBCITITMMXXX103CHRE00702H000001
Attachment: IBCITITMMXXX103CHRE00702H000001.xlsm

NjRAT payload URL:
http://hasteemart.com/IBCITITMMXXX103CHRE00702H000001.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
144
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/20738/
Detection(s):
SecuriteInfo.com.Variant.Barys.55600.4549.17949.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Connection attempt
Unauthorized injection to a recently created process by context flags manipulation
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7721280dd1b071f1d61b5db72d4765395673dd55a4a8e4fd59c2ee8b42548aad/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-05 16:08:05 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4qsqdorwby7dvq3lw3s2r3fhflhhxkvusuoj7kzylxiwqsurkwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03a8582db8f34154ed1e18821d8d7e2df2148ce0c36b06ed7fb91f387e3f0aa6
njrat
16fcaf343d6c5ec3c546339a522c47b7e44f0684ff50a7acf49d8439e2956a93
njrat
1f71b476b9450a59fc8b76f1c3e0ddb8eab1dcd34a0cb451b1d1d2f1aa882ab2
njrat
3dedd27d28463b27df577e2f0dad58c1a0f295dbbcb1f132eea1632080dc4508
njrat
52f5a6edefd196a3396c1bb0c499a2d02868361aca19824bdde34e4003357f0c
njrat
8424b5a86327251f934d4e4526de3d48b942c0953a866f84de2d7bb19a5fbc04
njrat
a26b0b8ed3e9a7159a68553861239c8ba255afcf36fc645d33bc3a36b7849496
njrat
a9568b036d4f3245151a68d35ac9e295dadc54d8b8528896b285497157bf2f35
njrat
f1d4585edb3d3af338467aaead97a3fbb58216c3174603e63af9cbbba8aeb885
njrat
fad51611a2053587275ec40318c63e952f1dedd82753010ef3716999cc41c9d7
njrat
+ 455 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
trojan family:njrat evasion persistence
Link:
https://tria.ge/reports/200705-kmh3f7x4f6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Modifies service
Adds Run entry to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:win_njrat_g1
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

Excel file xlsm ace3a764ec8da4bfed78cbbf5d6facb8612178967feb186ef1f6a32f4cf85fce

njrat

Executable exe 7721280dd1b071f1d61b5db72d4765395673dd55a4a8e4fd59c2ee8b42548aad

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/407969/
  
Dropped by
MD5 1b8ea7e30bf66c89d5260ee521560dfd
  
Dropped by
SHA256 ace3a764ec8da4bfed78cbbf5d6facb8612178967feb186ef1f6a32f4cf85fce
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/20738/

Comments