MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 78d7c849e8c0ca246c289242e281cdce5606728978b8cfdaef36153e77e14072. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 78d7c849e8c0ca246c289242e281cdce5606728978b8cfdaef36153e77e14072
SHA3-384 hash: 83267f5c2d655ff022161370712550766dce03c0b77ffb469531b5f38f7b9c3c443593e3b370158f1038f089d568d709
SHA1 hash: 23af500396df298778d453013603746d930e60e5
MD5 hash: 45a917c2be3ae2438d12f52c97c65ef6
humanhash: uranus-white-low-green
File name:45a917c2be3ae2438d12f52c97c65ef6.exe
Download: download sample
Signature njrat
Create hunting rule
File size:247'808 bytes
First seen:2022-10-23 16:45:22 UTC
Last seen:2022-10-23 18:03:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:7HoBOxcN4JJTU8jFH5SbR0xxXgdaDwNMvfiJjGzIpQlyhLFbU:7HSOxcN4JJT9jFHlXgcKD
Threatray 462 similar samples on MalwareBazaar
TLSH T1193404897A80512FC098FA3EF9AE523413255F25292D82DF25C47A5C1EF2EEBDD0671C
TrID 71.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon c8e0aab2b2aab2c0 (2 x njrat, 1 x AsyncRAT)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
91.109.182.4:5050

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
91.109.182.4:5050 https://threatfox.abuse.ch/ioc/916153/

Intelligence

File Origin
# of uploads :
2
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
45a917c2be3ae2438d12f52c97c65ef6.exe
Verdict:
Malicious activity
Analysis date:
2022-10-23 16:46:07 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/322d8eb7-024a-4c60-bec4-4c77d9fbd9f2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323007/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.61207.26994.25185.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
DNS request
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi obfuscated packed
Link:
https://www.filescan.io/uploads/63556fccfdf6478a15afc6e9/reports/485c78c4-b438-4f9b-8458-28d8f7e1e955/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/554767fa-fe2e-4540-b2dd-52527b624ae8
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1095956
Signature
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/78d7c849e8c0ca246c289242e281cdce5606728978b8cfdaef36153e77e14072/
Threat name:
ByteCode-MSIL.Backdoor.Crysan
Create hunting rule
Status:
Malicious
First seen:
2022-10-19 19:47:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pdl4qspiydfci3bisjbofaonzzlam4ujpc4m7wxpgykt457bibza._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
00037a0cc29f3c99e88aeb57af189e291c6fe38b8b252718ec793096c4b7f463
njrat
1590b1512142d6c974828fc11958a9a5ffdb6673a584b15fda7f93768f639a54
njrat
350343f15c1e0358007718d4fe9f588d6b4c391d9feb2c4cd561d34b0921c7c6
njrat
5e8c61b17135bc249ad576d94d4ab70f0c8e4b87fb13181d2ba6b56750d897f4
njrat
da66b50a26a1b91eef2e102293a9086df408502b9aa00df5a684e2ce33ea72e1
njrat
+ 452 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/221023-t9yxgabcg5/
Behaviour
Suspicious use of AdjustPrivilegeToken
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/47a0a6c9-ed42-4628-a2f5-56395f7f74ce
Unpacked files
SH256 hash:
ac79c2b91e101937c73144091c30839f61ca283cb1816ea840daa1511b924840
MD5 hash:
09fb675bf4faca9929bfafbb0c6899da
SHA1 hash:
d990c0a9218380a398c1a38184579a77506c2b4d
Link:
https://www.unpac.me/results/cf53dad2-4a27-4ea4-ab8c-d4faee699064/
SH256 hash:
095f28e1d87ad62e2e8433395c8fd30294220167341a27f8d935284cb9537eef
MD5 hash:
82296a70167501e57f96fdeb734d2101
SHA1 hash:
bd013a38e69872917bc083f11a33d1b2d85418e8
Link:
https://www.unpac.me/results/cf53dad2-4a27-4ea4-ab8c-d4faee699064/
SH256 hash:
78d7c849e8c0ca246c289242e281cdce5606728978b8cfdaef36153e77e14072
MD5 hash:
45a917c2be3ae2438d12f52c97c65ef6
SHA1 hash:
23af500396df298778d453013603746d930e60e5
Link:
https://www.unpac.me/results/cf53dad2-4a27-4ea4-ab8c-d4faee699064/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/78d7c849e8c0ca246c289242e281cdce5606728978b8cfdaef36153e77e14072

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/323007/

Comments