MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85d69eb9285086812a64cb999341efa04b2f5b1e1dc0998e1cfd486a044cc0b3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85d69eb9285086812a64cb999341efa04b2f5b1e1dc0998e1cfd486a044cc0b3
SHA3-384 hash: b77773173bed777307fc2edf3543208c0623e5c0967bbc74573761dc272d0b75126cd220dcea76f2f682ff254183b349
SHA1 hash: 11b6c0adb6f7a27f6ac0910a5550b7a76f303ad8
MD5 hash: 2e1ecf15364d767079e435604436884c
humanhash: asparagus-maine-venus-wisconsin
File name:85d69eb9285086812a64cb999341efa04b2f5b1e1dc0998e1cfd486a044cc0b3
Download: download sample
Signature njrat
Create hunting rule
File size:1'729'766 bytes
First seen:2021-09-23 06:57:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 24576:i2G/nvxW3Wwbs1qPpvRHdCvUB0hIW7i9qJhZjVyvM16IcWxsk+1awnCrqP:ibA3M1iNg80+W29qJhZjVyU1g11awn46
Threatray 1'206 similar samples on MalwareBazaar
TLSH T14E85AD60F64AE22FDC92473C883751B0C6A62CF14EB7895726453EFF4632258D91EB2D
File icon (PE):PE icon
dhash icon 84a099c8e8e4344e (1 x njrat)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
85d69eb9285086812a64cb999341efa04b2f5b1e1dc0998e1cfd486a044cc0b3
Verdict:
Malicious activity
Analysis date:
2021-09-23 08:02:13 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/53770e88-3ee2-4b2d-9951-5a90d7b86507

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/190610/
Detection(s):
SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d663b739-36d7-4683-bc8c-8b9bd5febdf1
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856366
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 488800 Sample: sESb3oCh2f Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 80 pleintemps.ddns.net 2->80 82 parapluie.ddns.net 2->82 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for dropped file 2->98 100 Antivirus / Scanner detection for submitted sample 2->100 102 8 other signatures 2->102 15 sESb3oCh2f.exe 1 13 2->15         started        18 svchost.exe 2->18         started        21 svchost.exe 2->21         started        24 12 other processes 2->24 signatures3 process4 dnsIp5 78 C:\Users\user\AppData\...\svchost3.sfx.exe, PE32 15->78 dropped 26 cmd.exe 1 15->26         started        92 Changes security center settings (notifications, updates, antivirus, firewall) 18->92 28 MpCmdRun.exe 18->28         started        84 parapluie.ddns.net 21->84 94 System process connects to network (likely due to code injection or exploit) 21->94 86 127.0.0.1 unknown unknown 24->86 88 192.168.2.1 unknown unknown 24->88 90 2 other IPs or domains 24->90 file6 signatures7 process8 process9 30 svchost3.sfx.exe 12 26->30         started        34 conhost.exe 26->34         started        36 conhost.exe 28->36         started        file10 74 C:\Users\user\AppData\Local\...\svchost3.exe, PE32 30->74 dropped 114 Multi AV Scanner detection for dropped file 30->114 116 Machine Learning detection for dropped file 30->116 38 svchost3.exe 13 30->38         started        signatures11 process12 file13 68 C:\Users\user\AppData\...\svchost2.sfx.exe, PE32 38->68 dropped 106 Machine Learning detection for dropped file 38->106 42 cmd.exe 1 38->42         started        signatures14 process15 process16 44 svchost2.sfx.exe 12 42->44         started        48 conhost.exe 42->48         started        file17 72 C:\Users\user\AppData\Local\...\svchost2.exe, PE32 44->72 dropped 112 Machine Learning detection for dropped file 44->112 50 svchost2.exe 13 44->50         started        signatures18 process19 file20 66 C:\Users\user\AppData\...\svchost.sfx.exe, PE32 50->66 dropped 104 Machine Learning detection for dropped file 50->104 54 cmd.exe 50->54         started        signatures21 process22 process23 56 svchost.sfx.exe 54->56         started        60 conhost.exe 54->60         started        file24 70 C:\Users\user\AppData\Local\...\svchost.exe, PE32 56->70 dropped 108 Machine Learning detection for dropped file 56->108 110 Drops PE files with benign system names 56->110 62 svchost.exe 56->62         started        signatures25 process26 file27 76 C:\Users\user\AppData\Local\...\svchost.exe, PE32 62->76 dropped 118 Antivirus detection for dropped file 62->118 120 Machine Learning detection for dropped file 62->120 122 Drops PE files with benign system names 62->122 signatures28
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85d69eb9285086812a64cb999341efa04b2f5b1e1dc0998e1cfd486a044cc0b3/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-09-21 15:20:00 UTC
AV detection:
19 of 45 (42.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxlj5ojikcdicktezomzgqppubfs6wy6dxajtdq47vegubcmyczq._file
Verdict:
malicious
Similar samples:
40e593b8ec5b014b56d4b1c2572b11385ee2151ddb73dc7ee8a2ef4a7fb1bae8
njrat
4e591ca9530450eca3c227d9292c3496d54d022c83d8b9c5372d91b97fed3203
njrat
76b87f4f61c849a8af46ebdcb899a0bea036b18f6b473bed34562212eab16b93
njrat
a2fa84e5ecfde2e65cb13ae7b13be29c2bdca0b01e746cc6e015c92ed36c087a
njrat
b13fbd200b38f02c0278e54483e641a2cfb41acd1a90bed78ac8791d0c1cf5b2
njrat
bf86597d2d10ad8d82f0af8b53cf72757094322e79e92180092aa60341b90034
njrat
c310aca2959669fdb69fdec4c1336353d84b7ae9b8767a1086be3591b4af32f0
njrat
e2efc9d3d3132046d0567a2198ed10a65fb764b1091d399323f7029e0f22b73f
njrat
+ 1'196 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/210923-hrhlzsfee8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
73b485ca63d31db53a01562de2a7fbbe0fc9f67bfabbedc7eb6313f5de834e44
MD5 hash:
c144418190031efe4f99e94eff5b06b1
SHA1 hash:
14c3c7e6b0ded5ea575adf9d12e2a1968cc16db7
Link:
https://www.unpac.me/results/7811fdbc-6751-43e7-9d2b-dc6f8101872d/
SH256 hash:
1153bedc6acb9a799f214b11ea5a89c783438978e1104e5b2f4d817ac3abe4d4
MD5 hash:
e4d4a57e8422b5659f3a7a09f73d4ad1
SHA1 hash:
876271ded081c82e51d2e913025dccbd348fd504
Link:
https://www.unpac.me/results/7811fdbc-6751-43e7-9d2b-dc6f8101872d/
SH256 hash:
85d69eb9285086812a64cb999341efa04b2f5b1e1dc0998e1cfd486a044cc0b3
MD5 hash:
2e1ecf15364d767079e435604436884c
SHA1 hash:
11b6c0adb6f7a27f6ac0910a5550b7a76f303ad8
Link:
https://www.unpac.me/results/7811fdbc-6751-43e7-9d2b-dc6f8101872d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85d69eb9285086812a64cb999341efa04b2f5b1e1dc0998e1cfd486a044cc0b3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190610/

Comments