MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7ec25d04e1d0a9c9482018473509d14dded166514af2b3351fcdc0af8ad56a91. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 18



SHA256 hash: 7ec25d04e1d0a9c9482018473509d14dded166514af2b3351fcdc0af8ad56a91
SHA3-384 hash: 8c34c8c3009a64a3a758ba8947775836594524148bee07001065e4675fac0c57c620dcf7911900ae8dffb6c662230aef
SHA1 hash: 33eee9b31d498f7eee8ab831c69d768bd002bd7e
MD5 hash: 6e3688e7abad80c91379f44602c19b5f
humanhash: purple-nebraska-apart-bluebird
File name: Botkiller.exe
Signature: njrat
File size: 208'896 bytes
First seen: 2024-07-30 06:49:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep: 3072:zr8WDrCP+EZm0jNJmG2F00EfqADbugtWlHn86JM/iN8vLfW:Pu40BJmGa0HiibeH86r
TLSH: T1EE144B9AB7868A30D57D0D75D0EF563003B2AE435933E6CA3E84389D9E122E25D4C7DB
TrID:
  67.8% (.EXE) Win32 Executable Borland Delphi 6 (262638/61)
  14.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  3.6% (.EXE) Win32 Executable Delphi generic (14182/79/4)
  3.3% (.SCR) Windows screen saver (13097/50/3)
  2.7% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter: lontze7
Tags: exe NjRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 427
Origin country: FR

Vendor Threat Intelligence
Malware family:
ID: 1
File name: Botkiller.exe
Verdict: Malicious activity
Analysis date: 2024-07-30 06:51:10 UTC
Tags: netreactor stealer rat njrat bladabindi

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Encryption Execution Generic Network Spreading Static Stealth Delf Neshta

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a file in the Windows directory
Modifying an executable file
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Searching for the window
Unauthorized injection to a recently created process
Enabling autorun with the shell\open\command registry branches
Launching a tool to kill processes
Infecting executable files
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Neshta, Njrat
Detection: malicious
Classification: spre.troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS)
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample is not signed and drops a device driver
Yara detected Neshta
Yara detected Njrat
Behaviour
Behavior Graph (ID: 1484512, Sample: Botkiller.exe, Startdate: 30/07/2024, Architecture: WINDOWS, Score: 100), flattened from the graph image into a process tree:

Start
  Network: 45.83.207.67 (CLOUVIDER Clouvider-Global ASN, GB, Netherlands)
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 9 other signatures
  -> Botkiller.exe started
       Dropped: C:\Windows\svchost.com (PE32); C:\Users\user\AppData\Local\Temp\chrome.exe (PE32); C:\Users\user\AppData\Local\...\Botkiller.exe (PE32); 150 other malicious files
       Signatures: Creates an undocumented autostart registry key; Drops PE files with a suspicious file extension; Drops or copies MsMpEng.exe (Windows Defender, likely to bypass HIPS); 2 other signatures
       -> Botkiller.exe started
            Dropped: C:\Users\user\AppData\Roaming\Botkiller.exe (PE32); C:\Users\user\AppData\...\Botkiller.exe.log (ASCII)
            Signatures: Drops executables to the windows directory (C:\Windows) and starts them
            -> svchost.com started
                 Dropped: C:\Windows\directx.sys (ASCII)
                 Signatures: Sample is not signed and drops a device driver
                 -> Botkiller.exe started
                      -> taskkill.exe started -> conhost.exe started
                      -> taskkill.exe started -> conhost.exe started
            -> taskkill.exe started -> conhost.exe started
            -> taskkill.exe started -> conhost.exe started
Threat name: Win32.Virus.Neshuta
Status: Malicious
First seen: 2024-07-29 11:25:54 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 24 of 24 (100.00%)
Threat level: 5/5
Verdict: malicious

Result
Malware family:
Score: 10/10
Tags: family:neshta family:njrat discovery persistence spyware stealer trojan
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
Reads user/profile data of web browsers
Neshta
njRAT/Bladabindi
Unpacked files
SHA256 hash: 1adf26633c17278c9b930529b164637a8942cbb1f3267afafec63b56de51dd96
MD5 hash: a668cb93c16026b6ee15b96dbd13d64f
SHA1 hash: 878b50a51f28a78ab4350d0c8b327c8172301de6
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 7ec25d04e1d0a9c9482018473509d14dded166514af2b3351fcdc0af8ad56a91
MD5 hash: 6e3688e7abad80c91379f44602c19b5f
SHA1 hash: 33eee9b31d498f7eee8ab831c69d768bd002bd7e
Detections: win_neshta_auto MAL_Malware_Imphash_Mar23_1 MAL_Neshta_Generic SUSP_OBF_NET_Reactor_Indicators_Jan24
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: DotNet_Reactor
Author: @bartblaze
Description: Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.

Rule name: MAL_Malware_Imphash_Mar23_1
Author: Arnim Rupp
Description: Detects malware by known bad imphash or rich_pe_header_hash
Reference: https://yaraify.abuse.ch/statistics/

Rule name: MAL_Neshta_Generic
Author: Florian Roth (Nextron Systems)
Description: Detects Neshta malware
Reference: Internal Research

Rule name: MAL_Neshta_Generic_RID2DC9
Author: Florian Roth
Description: Detects Neshta malware
Reference: Internal Research

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: Njrat
Author: botherder https://github.com/botherder
Description: Njrat

Rule name: pe_detect_tls_callbacks

Rule name: PureCrypter
Author: @bartblaze
Description: Identifies PureCrypter, .NET loader and obfuscator.
Reference: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: win_neshta_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: autogenerated rule brought to you by yara-signator

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 7ec25d04e1d0a9c9482018473509d14dded166514af2b3351fcdc0af8ad56a91 (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
MULTIMEDIA_API | Can Play Multimedia | gdi32.dll::StretchDIBits
SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteA
WIN32_PROCESS_API | Can Create Process and Threads | kernel32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | kernel32.dll::GetDriveTypeA, kernel32.dll::GetStartupInfoA, kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | kernel32.dll::WinExec
WIN_BASE_IO_API | Can Create Files | kernel32.dll::CreateDirectoryA, kernel32.dll::CreateFileA, kernel32.dll::DeleteFileA, kernel32.dll::GetWindowsDirectoryA, kernel32.dll::GetFileAttributesA, kernel32.dll::FindFirstFileA
WIN_REG_API | Can Manipulate Windows Registry | advapi32.dll::RegOpenKeyExA, advapi32.dll::RegQueryValueExA, advapi32.dll::RegSetValueExA
