MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8454dbda35354737c7f1162466738d7077c0a9af21e93c2e49c2d7a8d5084647. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8454dbda35354737c7f1162466738d7077c0a9af21e93c2e49c2d7a8d5084647
SHA3-384 hash: 97f61667178b9a7e4f9c7dd35862f7b6f36e9b0a09a39bff7f3a40b319aa40ab2d6379bc01600ec50731496e8e4b15a5
SHA1 hash: c7cf8619dd0e49a264d9d83b9a1aa0170be58469
MD5 hash: db8e94848ab1a1fc9c9fa0737f6ba95c
humanhash: october-vermont-johnny-cola
File name:transferencia bancaria.exe
Download: download sample
Signature njrat
Create hunting rule
File size:6'144 bytes
First seen:2022-10-17 19:30:14 UTC
Last seen:2022-10-17 22:12:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 96:VhryGlVRY0RVkLa1Fz+eIufDX9tBwaDzNt:VkGlk00LGFzsufxtHF
Threatray 1'381 similar samples on MalwareBazaar
TLSH T1CCC1C601A7C80736DF7707B26CB3478217B4F762A827CF6D6884524B6D22B514D62F76
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
185.216.71.242:8080

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.216.71.242:8080 https://threatfox.abuse.ch/ioc/891561/

Intelligence

File Origin
# of uploads :
2
# of downloads :
392
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/321123/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.19472.9396.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Sending an HTTP GET request to an infection source
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/634dad77fdf6478a15af60d9/reports/1a509f8e-8a60-466c-becf-16e9e650c6c9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/4f05c5d9-ecac-47dd-bcda-dd87dc1360eb
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1092251
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Encrypted powershell cmdline option found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 724867 Sample: transferencia bancaria.exe Startdate: 17/10/2022 Architecture: WINDOWS Score: 100 45 Snort IDS alert for network traffic 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for URL or domain 2->49 51 7 other signatures 2->51 8 transferencia bancaria.exe 16 7 2->8         started        13 Tjhxryiim.exe 14 2 2->13         started        15 Tjhxryiim.exe 2->15         started        17 update.exe 2->17         started        process3 dnsIp4 43 185.216.71.120, 49720, 49753, 49755 CLOUDCOMPUTINGDE Germany 8->43 37 C:\Users\user\AppData\...\Tjhxryiim.exe, PE32 8->37 dropped 39 C:\Users\...\transferencia bancaria.exe.log, ASCII 8->39 dropped 55 Encrypted powershell cmdline option found 8->55 57 Creates multiple autostart registry keys 8->57 19 transferencia bancaria.exe 2 4 8->19         started        24 powershell.exe 16 8->24         started        59 Multi AV Scanner detection for dropped file 13->59 file5 signatures6 process7 dnsIp8 41 192.168.2.1 unknown unknown 19->41 35 C:\Users\user\AppData\Roaming\update.exe, PE32 19->35 dropped 53 Creates multiple autostart registry keys 19->53 26 update.exe 14 2 19->26         started        29 attrib.exe 1 19->29         started        31 conhost.exe 24->31         started        file9 signatures10 process11 signatures12 61 Multi AV Scanner detection for dropped file 26->61 33 conhost.exe 29->33         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8454dbda35354737c7f1162466738d7077c0a9af21e93c2e49c2d7a8d5084647/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2022-10-17 18:39:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qrknxwrvgvdtpr7rcysgm44nob34bknpehutylsjyll2rviiizdq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
0c3d385c94560cc9fa56c7cab2a5401c37397820956adaa20e5b4fa6422ceb3d
njrat
1c4c51643818307480c2436301dab98c4794812abb3e94df7b133450411b66e1
njrat
22f9a7a8f42d3d3c49c8868d8013d56e54fcdcde9c020fb03bad42903f77279c
njrat
3e0bcdfffded9aaede7644824841490767cf472e2dafebdc04b090870853d8ac
njrat
467500ef0b7c20edfa4128862b5f66f30591be122744cf0217d80fb8d5ad2b84
njrat
71b55b8575963a25df831dbc936196e996ce48927577f2f4cc8a5398994b1cbd
njrat
a6abf72d95dac9ba6e6e4b53d9cbcd013846660a18ac5b9eeacb6cd87c783a2c
njrat
d9139bcd0b6b44e2f3d766d1d56377a756a0880730f7aeb03e29c964116933a4
njrat
f171eba23f65f99cd49caa4d84e1adc3429100573de5405534922bc784dd0d23
njrat
+ 1'371 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:update persistence trojan
Link:
https://tria.ge/reports/221017-x8c56adadn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
njRAT/Bladabindi
Malware Config
C2 Extraction:
money2022.ddns.net:8080
Unpacked files
SH256 hash:
8454dbda35354737c7f1162466738d7077c0a9af21e93c2e49c2d7a8d5084647
MD5 hash:
db8e94848ab1a1fc9c9fa0737f6ba95c
SHA1 hash:
c7cf8619dd0e49a264d9d83b9a1aa0170be58469
Link:
https://www.unpac.me/results/a94a15cd-97d5-4afb-b5f5-f16a1993fe41/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8454dbda3535/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/8454dbda35354737c7f1162466738d7077c0a9af21e93c2e49c2d7a8d5084647

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:CN_disclosed_20180208_c_RID2E71
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:INDICATOR_SUSPICIOUS_EXE_attrib
Create hunting rule
Author:ditekSHen
Description:Detects executables using attrib with suspicious attributes attributes
Rule name:malware_Njrat_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:MAL_njrat
Create hunting rule
Author:SECUINFRA Falcon Team
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_netsh_firewall_command
Create hunting rule
Author:SECUINFRA Falcon Team
Rule name:SUSP_Reverse_Run_Key
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a Reversed Run Key

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/321123/

Comments