MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85830e6bdfb6889df4ee9fb075c9532e08f85a192c2272c79e9a0d869e267334. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85830e6bdfb6889df4ee9fb075c9532e08f85a192c2272c79e9a0d869e267334
SHA3-384 hash: b37734b611cdff88715814c79aa980aaf8c48fb76032076ad0b9ce1a5ac42947689b147637b3cf2617945eafa1cd61df
SHA1 hash: f67e8b2b66f2b0eb1b740e0114b1b8dc9746c084
MD5 hash: 998b6ed5494b22e18d353fdd96226db3
humanhash: carbon-white-arizona-kentucky
File name:998b6ed5494b22e18d353fdd96226db3.exe
Download: download sample
Signature njrat
Create hunting rule
File size:566'784 bytes
First seen:2020-07-20 09:29:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:POc61q9I6/kVdSC0Dycod+ik4g8yt1hSoD:POc6udWYrEPoD
Threatray 349 similar samples on MalwareBazaar
TLSH BEC4CFC96AA04400DAEDAFF99E628AB447357C00F5F2D30F1BD0AD9F297A793D444762
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
NjRAT C2:
xvetcons085.linkpc.net:6694

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28878/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.52265.10572.24133.UNOFFICIAL
Create hunting rule

Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391234
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247992 Sample: 5w5mG1xkF4.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 12 other signatures 2->55 10 5w5mG1xkF4.exe 3 2->10         started        14 svchost.exe 2 2->14         started        16 svchost.exe 2 2->16         started        18 2 other processes 2->18 process3 file4 45 C:\Users\user\AppData\...\5w5mG1xkF4.exe.log, ASCII 10->45 dropped 61 Drops PE files to the user root directory 10->61 63 Drops PE files with benign system names 10->63 65 Injects a PE file into a foreign processes 10->65 20 5w5mG1xkF4.exe 1 4 10->20         started        23 svchost.exe 2 14->23         started        25 svchost.exe 2 16->25         started        27 svchost.exe 18->27         started        signatures5 process6 file7 43 C:\Users\user\svchost.exe, PE32 20->43 dropped 29 svchost.exe 3 20->29         started        process8 signatures9 67 Multi AV Scanner detection for dropped file 29->67 69 Machine Learning detection for dropped file 29->69 71 Drops PE files to the startup folder 29->71 73 Injects a PE file into a foreign processes 29->73 32 svchost.exe 4 5 29->32         started        process10 dnsIp11 47 xvetcons085.linkpc.net 185.244.30.201, 49717, 6694 DAVID_CRAIGGG Netherlands 32->47 41 C:\...\f049456dd69c636d9a479933c446f3b4.exe, PE32 32->41 dropped 57 System process connects to network (likely due to code injection or exploit) 32->57 59 Creates autostart registry keys with suspicious names 32->59 37 netsh.exe 3 32->37         started        file12 signatures13 process14 process15 39 conhost.exe 37->39         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85830e6bdfb6889df4ee9fb075c9532e08f85a192c2272c79e9a0d869e267334/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 09:31:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qwbq4267w2ej35hot6yhlsktfyepqwqzfqrhfr46tigynhrgom2a._file
Verdict:
malicious
Similar samples:
032f594e26c4a20fc56b06210d294f7134f6c9a51cf30b7125db4683465a6643
njrat
0698cbff335f16544c0a97a71df4f0e52ee4dbddf3cadad2ee0ac52103ea8ed2
njrat
662e6858fb2067c38af99173b7a3201a148bd9104771badd96868bccc20ec687
njrat
7ffbd591d72f33b826c40da82f5f72195ca4af6a311bb934862f3cd190d4fdad
njrat
880bba3fa9d2e255ad00cc35d53aa361bcdf739d16064d669a4b21b9a8034f73
njrat
9c33a1f6a337e39a99c4480f19e63fbaeee191defcd51c8a908e9af9da8e115c
njrat
aed6c9d200b86186575d13e40ed7231c61bba34c0159c19ca6428168019da4f9
njrat
c8d4a30dc6aa1224dd98bbb384b54e90ee845cbb0e0e591964868a0be5657897
njrat
d4f9f7cd2d03cd2a1ede00200777caac9bd3ca5c337ce6bf6e15a3ff8e53f844
njrat
ebd23b0402ce1f9f8d45a37ec77fc89381869a3399aa2d405830e7eb05299ad3
njrat
+ 339 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
persistence trojan family:njrat evasion
Link:
https://tria.ge/reports/200720-whfatjycma/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Modifies service
Adds Run key to start application
Loads dropped DLL
Drops startup file
Modifies Windows Firewall
Executes dropped EXE
njRAT/Bladabindi
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85830e6bdfb6889df4ee9fb075c9532e08f85a192c2272c79e9a0d869e267334

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 85830e6bdfb6889df4ee9fb075c9532e08f85a192c2272c79e9a0d869e267334

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/414013/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/28878/

Comments