MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b2a751a9af69cdc119755601ee27693dd105aa1702fd5f5cd6fcf697ac47bb6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b2a751a9af69cdc119755601ee27693dd105aa1702fd5f5cd6fcf697ac47bb6
SHA3-384 hash: 597f5e9779939c3ac3dcb9703f8c4c3d367adae7b16dc1947d18869333735048f6c6d077dfb21e7d20020238d04fea23
SHA1 hash: ae29ad5e214405c8d5676e70a2391eecc55997f3
MD5 hash: cb2e6d43b795aad9492b4ff5f47054b2
humanhash: batman-oxygen-floor-lemon
File name:NEW ORDER 221021pdf.exe
Download: download sample
Signature njrat
Create hunting rule
File size:261'120 bytes
First seen:2022-10-24 19:09:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:dHxOoEvmluGhHLzdGvpk6JRTFFppAKCwRyDgvI9zm:VBap1RxFHhCmyDgglm
Threatray 516 similar samples on MalwareBazaar
TLSH T17D44D0B45FF49845FA753A389AB1C2B65FEE2BF8B409F6F002F13CA9A500676F151421
TrID 63.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Reporter James_inthe_box
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
255
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW ORDER 221021pdf.exe
Verdict:
No threats detected
Analysis date:
2022-10-24 19:12:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a43d0550-8e0e-4b03-ae1c-a76f36349596

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/323615/
Detection(s):
Win.Dropper.Formbook-9975594-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a service
Loading a system driver
Launching a process
Creating a file in the %AppData% subdirectories
Сreating synchronization primitives
Creating a window
DNS request
Creating a file
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun for a service
Forced shutdown of a system process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8c6098d0-a381-49a2-9209-8e93832021c9
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1096895
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Writes to foreign memory regions
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 729538 Sample: NEW ORDER 221021pdf.exe Startdate: 24/10/2022 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic 2->31 33 Malicious sample detected (through community Yara rule) 2->33 35 Antivirus / Scanner detection for submitted sample 2->35 37 6 other signatures 2->37 6 NEW ORDER 221021pdf.exe 5 2 2->6         started        10 NEW ORDER 221021pdf.exe 2 1 2->10         started        12 NEW ORDER 221021pdf.exe 1 2->12         started        process3 file4 25 C:\Users\user\AppData\Local\Temp\?????.sys, PE32+ 6->25 dropped 27 C:\Users\user\...27EW ORDER 221021pdf.exe.log, CSV 6->27 dropped 39 Creates autostart registry keys with suspicious names 6->39 41 Writes to foreign memory regions 6->41 43 Sample is not signed and drops a device driver 6->43 45 Injects a PE file into a foreign processes 6->45 14 CasPol.exe 2 7 6->14         started        17 fodhelper.exe 12 10->17         started        19 fodhelper.exe 10->19         started        21 fodhelper.exe 12 12->21         started        23 fodhelper.exe 12->23         started        signatures5 process6 dnsIp7 29 royaldanger.sytes.net 194.180.48.115, 4042, 49700, 49701 LVLT-10753US Germany 14->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7b2a751a9af69cdc119755601ee27693dd105aa1702fd5f5cd6fcf697ac47bb6/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-10-21 14:22:22 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmvhkgu262onyemxkvqb5ytwsporawvboax5l5onn7hws6wepo3a._file
Verdict:
malicious
Similar samples:
1bd3fa491c5de8cb9189ff8f86fd1a7e27a8140e3578f8fa9ebb23931550cc5b
njrat
84103df35fb10d7045ef98daa14a78f906287c6e9e226d7bf08753bc0722cde0
njrat
9316de8b3697c6a6f1fba5bc0b653cfb6202aa7429b5d203523a9768e9a772e9
njrat
a0b829fae3c9ce99cd60eda2fd16812b75b380b0f7adb3e56ead69e087c2d574
njrat
b0e9ac1486908cd1351af5f5cb102d16ed197dee031f9f07d996f62248fdd481
njrat
b13bc9c14764fa971ad6e5f0d4583ed0a25b4ffd7a426a2b7e28567f78c4d165
njrat
b613f08a0063de54e6ee9b6d3beb3ad93c1cfeb277304de7491321276d5ddc45
njrat
bb06bf5d8b68991bf2545a1b560b535d35ec17f870f4b53f62c31dc3d1148408
njrat
ea22f746189bf2d6ad50b7e04bf79cc153ce431f04dd2c5437632949d7eb66d0
njrat
+ 506 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked persistence trojan
Link:
https://tria.ge/reports/221024-xvc81aacaj/
Behaviour
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Sets service image path in registry
njRAT/Bladabindi
Malware Config
C2 Extraction:
royaldanger.sytes.net:4042
Unpacked files
SH256 hash:
7b2a751a9af69cdc119755601ee27693dd105aa1702fd5f5cd6fcf697ac47bb6
MD5 hash:
cb2e6d43b795aad9492b4ff5f47054b2
SHA1 hash:
ae29ad5e214405c8d5676e70a2391eecc55997f3
Link:
https://www.unpac.me/results/9908ec0c-0527-40f5-ab68-91a2cd546117/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/7b2a751a9af69cdc119755601ee27693dd105aa1702fd5f5cd6fcf697ac47bb6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/323615/

Comments