MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 869f916839342a43032ac51d3574f7a9c057f73e319f8033c6338094376cab11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 8

Intelligence 8 IOCs YARA 5 File information Comments

SHA256 hash:	869f916839342a43032ac51d3574f7a9c057f73e319f8033c6338094376cab11
SHA3-384 hash:	89b7ffef9bd3f99f97db1545b12d28f9284ce39c7d1ebdf282ece847171d7c6a5cda1bcfca99ab57ae7fea9f01510221
SHA1 hash:	3723eb2cac33a0aec0ff33ab7f9b20a0c548eb50
MD5 hash:	9d32c457183204349684109b5c9c2efa
humanhash:	mars-video-fifteen-ack
File name:	869f916839342a43032ac51d3574f7a9c057f73e319f8033c6338094376cab11
Download:	download sample
Signature	njrat Create hunting rule
File size:	1'178'120 bytes
First seen:	2020-11-10 11:18:13 UTC
Last seen:	2024-07-24 18:23:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:52GE30hWsNlLO/gKzuRANMmHa37aWtDv395E:A307otuRAWYa371DvnE
Threatray	9 similar samples on MalwareBazaar
TLSH	1945BE4273D1C071FFAA96735B2AF61146BD6D790123C41F13A83DBAAD711B1263DA23
Reporter	seifreed
Tags:	NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Autoit-8000278-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a process with a hidden window

Creating a file in the %temp% subdirectories

Enabling the 'hidden' option for files in the %temp% directory

Launching the process to change the firewall settings

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

njRat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/529749

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

AutoIt script contains suspicious strings

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Detected njRat

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/869f916839342a43032ac51d3574f7a9c057f73e319f8033c6338094376cab11/

Threat name:

Win32.Hacktool.Generic

Status:

Suspicious

First seen:

2020-11-10 11:22:36 UTC

AV detection:

37 of 48 (77.08%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=q2pzc2bzgqvegazkyuotk5hxvhafp5z6ggpyam6ggoajin3mvmiq._file

Verdict:

unknown

njrat

38bdd57bd48d6b9f1179088787b216489adff1d6d0f1539b17d3ddae7ebdba13

njrat

41bec111ff242fd9555f0ab0f6516ee25a4609dc6be77f174e5e6bb7c77fa03a

njrat

aa01a5cbb5ef80f3ddb3eb2b14e72dfeb89d3d9ac7bbc344aa90044103e8ed48

njrat

bf05b86e2e3913b902481201edc5caf2a622307e67238a1c933d558bca530dea

njrat

e2695beeb0ae037fe0c7d7fec7c6bc47e581e1a86daf8475da557b15f15e1290

njrat

e3b157b5110690b5eed5835181ba2f122cd7873408ab3beef2eba3709d787b5a

njrat

e9830ef956d6736a6553db30a9b62f758657b24458e2061bc967864ab4a729f9

njrat

faac20b4eb48fed177876058cd253bd70619ec13de84de62a933ab9e483ecf4f

njrat

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat evasion persistence trojan

Link:

https://tria.ge/reports/201110-p4qen3btaa/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Executes dropped EXE

Modifies Windows Firewall

njRAT/Bladabindi

Unpacked files

SH256 hash:

869f916839342a43032ac51d3574f7a9c057f73e319f8033c6338094376cab11

MD5 hash:

9d32c457183204349684109b5c9c2efa

SHA1 hash:

3723eb2cac33a0aec0ff33ab7f9b20a0c548eb50

Link:

https://www.unpac.me/results/8d81867b-763a-4ffe-85d5-972c42873ced/

SH256 hash:

540601cebaa24f199932322590f6084667ab3f7245924c74234f17adeb76a37f

MD5 hash:

0623a978c4595f76ec438afaa8164107

SHA1 hash:

05fa6bf7119767462174b42da8c419e404bfa3e1

Detections:

win_njrat_w1

win_njrat_g1

Link:

https://www.unpac.me/results/8d81867b-763a-4ffe-85d5-972c42873ced/

Parent samples :

0c3d29652f673f9b41240038596e57ffb280e3ba0c5e519be3aead68ebd398e8
42a140cd4f88d3fd5db132a7ca258148031b917bb1207bd1570e53f800c55cb8
4c14d8137e225d03bcc84f9296d86ab32c67b2fefe72049abf6f4e431acf70e0
a584da6092123600c08e861ac0f14cd0ea41b95e4cd058b37ec70fc8dcf542d0
869f916839342a43032ac51d3574f7a9c057f73e319f8033c6338094376cab11
7c4e3cb6cdc2fd013561f3b657d7d660e5bb3d2f10b701c4dddbdea4fdd49e61
2bcfe505fb789c4ff8642b74897b70027367570c63680f2d77509543f6e4433d
60e0af6395d28a899bbb2d9b7a61761d9cf1de85ddca77a114dca46054b0e8cd
d30b0d89c5e93b5bee54918d04d57370f1625455d7859f4061c47f13b9a779aa
1ecde0b85ddc9e37bdc3004b732f73d2dd12f0e101f91ebda16cbbf30ddd4a9d
57590a0d56dc1a2ddc1f73db742f4106f4cbb6e2f247020c5d4e12d78b1775d2
c964e9d4711c1cf0fb66db61b717b4215c5916355aed5fa44613d2f3251ccdf5
045323a02bf0cd8ffa742ba71963d87aa8c00eba637dad7c86757f0656e296a5
46650f8381483afc61f1bed735c56dfa6deace36bd272c123ab83edf7243aa80
cd7951f7292506e314834d7c82e290f84a9f55ba2feac4fa4ef545d9cbf79864
707d2a9dc17cfe0734dc3ef46a4e7761d8c873de5496243b7b435ac3c9c0b209
ffd3401a514ab70fe36ce5f3e25c814a8b9fbf7982f21c6d7bb5f82c82fd2009
0ab667dc59ad6ac24333bab211bf1bf9c85f90be59f12cfc7ca46b1ee2e9393d
8bc1e289657c8d1bbbc902bd0315dc20ae52a58cd045bfff5a550fab62ef56f2

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	CN_disclosed_20180208_c Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample