MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d623dcdebf0992732101afeb5c3821ca95e297b2992aef9c16ebb44aa6c47b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 16



SHA256 hash: 7d623dcdebf0992732101afeb5c3821ca95e297b2992aef9c16ebb44aa6c47b0
SHA3-384 hash: 78f9ed86dfc0f910a9d9069ee8adc6fa11f8bb8dce95792ac46b0e7760b2ad336fc2a18b82b7a6bbb90dc4946a166d3c
SHA1 hash: 55eb16719270a3bf2755f1d3435b09078838c49c
MD5 hash: adcc598af7caec5a2b261c869bf784b0
humanhash: florida-cup-floor-idaho
File name: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319
Signature: njrat
File size: 970'752 bytes
First seen: 2024-03-28 13:28:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep: 24576:n3qKdgSMzbbnNEvizbKZiiwt3Tggzbsye5HMPKZ2W0gXKXJ:naKNMDNqizCeegPsye+PKOZX
TLSH: T1F5253377F832E86ECA60CC38632764EE7F2F298055E9F0B52D607566CD725029DBAC14
TrID:
  25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  19.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
  17.1% (.EXE) Win32 Executable (generic) (4504/4/1)
  7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
  7.8% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon: 00ca80c2c2808200 (36 x njrat, 4 x AsyncRAT, 4 x Smoke Loader)
Reporter: SecuriteInfoCom
Tags: exe NjRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 360
Origin country: FR

Vendor Threat Intelligence
Malware family:
ID: 1
File name: 7d623dcdebf0992732101afeb5c3821ca95e297b2992aef9c16ebb44aa6c47b0.exe
Verdict: Malicious activity
Analysis date: 2024-03-28 13:30:22 UTC
Tags: rat njrat bladabindi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for synchronization primitives
Connection attempt
DNS request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Creating a window
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling a "Do not show hidden files" option
Enabling threat expansion on mass storage devices

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: bladabindi enigma lolbin obfuscated packed packed shell32
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: spre.phis.troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autostart registry keys with suspicious names
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables zone checking for all users
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
PE file has nameless sections
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph (ID: 1417027; Sample: SecuriteInfo.com.Trojan.Sig...; Startdate: 28/03/2024; Architecture: WINDOWS; Score: 100):
  Network: supphost.ddns.net (Uses dynamic DNS services); 157.245.191.173, port 6554, DIGITALOCEAN-ASN, United States; 127.0.0.1
  Processes: SecuriteInfo.com.Trojan.Siggen10.9096.15276.30319.exe starts WindowsUpdate.exe (further WindowsUpdate.exe instances are started at boot), which starts netsh.exe, which starts conhost.exe
  Dropped files: C:\Users\user\AppData\...\WindowsUpdate.exe (PE32); C:\...\5a3391652b95668e76de4bdcdda5a9dd.exe (PE32)
  Signatures on the graph: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Hides threads from debuggers; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; plus 12 and 8 other signatures not named in the graph
Threat name: Win32.Trojan.FormBook
Status: Malicious
First seen: 2020-08-27 02:02:00 UTC
File Type: PE (Exe)
Extracted files: 5
AV detection: 31 of 38 (81.58%)
Threat level: 5/5
Verdict: malicious
Label(s):
Result
Malware family: hawkeye
Score: 10/10
Tags: family:hawkeye evasion keylogger persistence spyware stealer trojan
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
HawkEye
Unpacked files
SHA256 hash: 7d623dcdebf0992732101afeb5c3821ca95e297b2992aef9c16ebb44aa6c47b0
MD5 hash: adcc598af7caec5a2b261c869bf784b0
SHA1 hash: 55eb16719270a3bf2755f1d3435b09078838c49c
Detections: SUSP_XORed_URL_In_EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerHiding__Thread
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: EnigmaStub
Author: @bartblaze
Description: Identifies Enigma packer stub.

Rule name: INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Author: ditekSHen
Description: Detects executables containing base64 encoded gzip files

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_XORed_URL_In_EXE
Author: Florian Roth (Nextron Systems)
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

Rule name: win_smominru_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.smominru.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                        | Title                                                    | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                     | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA)   | high
CHECK_NX                  | Missing Non-Executable Memory Protection                 | critical

Reviews
ID              | Capabilities             | Evidence
SHELL_API       | Manipulates System Shell | shell32.dll::ShellExecuteA
WIN_BASE_API    | Uses Win Base API        | kernel32.dll::LoadLibraryA
WIN_BASE_IO_API | Can Create Files         | version.dll::GetFileVersionInfoA

Comments