MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 829a2c582bf462bb041609633dbb53bea1a7cdd3dab4d0075b12de6c3cbfc9aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 829a2c582bf462bb041609633dbb53bea1a7cdd3dab4d0075b12de6c3cbfc9aa
SHA3-384 hash: 8090d13b6bf5e434dcad563ea7403c22dab5dd6334ce64c6b7dbada3d16ed61cb42b231e5e46c3ee3cef6c70b990b3c9
SHA1 hash: aac89e99e515390ed519d983558ea1b0b3237d63
MD5 hash: 1a85a7298cc00813b2d740d8ed18e4f2
humanhash: jig-beer-october-bulldog
File name:829a2c582bf462bb041609633dbb53bea1a7cdd3dab4d0075b12de6c3cbfc9aa
Download: download sample
Signature njrat
Create hunting rule
File size:498'194 bytes
First seen:2020-11-15 22:53:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 6144:wAkmZywK6QN6ZGWIIAd5X6uln2JNGYgeglsYPkghpeGM3w9Yr:emJ7U6EWueDJNGYx7g9g
Threatray 280 similar samples on MalwareBazaar
TLSH 9FB4CE02BAD188B2E5720932D92967076D7A7C201F27DADAB3FC7D5DDB315816120BE3
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Rasftuby-9793767-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a file
Creating a process with a hidden window
DNS request
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/538173
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Detected njRat
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318185 Sample: eGsLGFXXBy Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for dropped file 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 13 other signatures 2->57 9 eGsLGFXXBy.exe 9 2->9         started        12 svchost.exe 2->12         started        15 svchost.exe 9 1 2->15         started        18 9 other processes 2->18 process3 dnsIp4 41 C:\Users\user\AppData\Local\Temp\dll.exe, PE32 9->41 dropped 43 C:\Users\user\...\Criar conta netflix.exe, PE32 9->43 dropped 20 dll.exe 1 5 9->20         started        24 Criar conta netflix.exe 2 9->24         started        67 Changes security center settings (notifications, updates, antivirus, firewall) 12->67 26 MpCmdRun.exe 12->26         started        49 127.0.0.1 unknown unknown 15->49 file5 signatures6 process7 file8 39 C:\Users\user\AppData\Roaming\svchost.exe, PE32 20->39 dropped 59 Antivirus detection for dropped file 20->59 61 Multi AV Scanner detection for dropped file 20->61 63 Machine Learning detection for dropped file 20->63 65 Drops PE files with benign system names 20->65 28 svchost.exe 4 5 20->28         started        33 conhost.exe 26->33         started        signatures9 process10 dnsIp11 47 hackingdnss.duckdns.org 141.255.147.124, 1177 IELOIELOMainNetworkFR France 28->47 45 C:\...\5a195f2b488f4809d33d2d703059a55b.exe, PE32 28->45 dropped 69 Antivirus detection for dropped file 28->69 71 System process connects to network (likely due to code injection or exploit) 28->71 73 Multi AV Scanner detection for dropped file 28->73 75 4 other signatures 28->75 35 netsh.exe 1 3 28->35         started        file12 signatures13 process14 process15 37 conhost.exe 35->37         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/829a2c582bf462bb041609633dbb53bea1a7cdd3dab4d0075b12de6c3cbfc9aa/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 22:54:34 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qkncywbl6rrlwbawbfrt3o2tx2q2ptot3k2nab23clpgypf7zgva._file
Verdict:
malicious
Similar samples:
17cdfe9fa78ee6ab72302c300ba976410f3f53a697a9953c6f22cce20eaae555
njrat
42d62bb8089d2e7100cb9ab26e752f6df954000be759c26908a0b333e5412500
njrat
4b26d31be0b35cb1d89e2610aa455bcf05f29ba1c74f276839a6d79b3bd4f138
njrat
544529431b4a0b9511e81a8e2e253eb873806401a8e97920c13f3d3c703041b2
njrat
6127ad60596cdbe213fdaccf2290aa1f1b2f583982a890f1d5dd38eaac68fdc0
njrat
ae59d23d664eac76addf8b7763f63636bbca56f82c224e66b2da266e7afe8245
njrat
bf814616d20252c842d9deb1f8b998f71a14ced547c4b1a3c934b02b6eee527a
njrat
d0d7b0c01eaa5af4698c21f599a3266da87672cb27e01c954e2813c31707ccfc
njrat
e748f3e105a9370ec194134350c352b1a2c12cdf43be16e5804e4eb12ab39c13
njrat
eb37bfd04a799f257163030196f110fb6c12eea4e797bcd3e14c12b6ac789666
njrat
+ 270 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan
Link:
https://tria.ge/reports/201115-v9h1hjlrwe/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
SH256 hash:
829a2c582bf462bb041609633dbb53bea1a7cdd3dab4d0075b12de6c3cbfc9aa
MD5 hash:
1a85a7298cc00813b2d740d8ed18e4f2
SHA1 hash:
aac89e99e515390ed519d983558ea1b0b3237d63
Link:
https://www.unpac.me/results/0de79f0d-4c41-4760-8f00-585b8cce6f8f/
SH256 hash:
710f604912b6de252143a56f8373d2d82b710450f4674615e759f3288fd7367e
MD5 hash:
e7ed1ae1a1b77386e733e12b27bb7aa5
SHA1 hash:
5e93aefe033c7a93eb7030ade9ead2389c9f640a
Link:
https://www.unpac.me/results/0de79f0d-4c41-4760-8f00-585b8cce6f8f/
SH256 hash:
1dcc30b96d02aa91532b6a0340fbbb7c2c365142e3a212f6a97632d30cdaa6fa
MD5 hash:
4fa818d16c99b6d23454ac930d1990be
SHA1 hash:
0ed79bcd9a9e3fefa3cef0a86e3bef8d14f5eef9
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/0de79f0d-4c41-4760-8f00-585b8cce6f8f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/829a2c582bf462bb041609633dbb53bea1a7cdd3dab4d0075b12de6c3cbfc9aa

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments