MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8797ab41f89827f3231b25b4240fd7aae72ee46415e1f28a3b81148debc00408. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8797ab41f89827f3231b25b4240fd7aae72ee46415e1f28a3b81148debc00408
SHA3-384 hash: 35f08d78f5b324a1786ab883dc207d9583e25694f7dfa4efce5bc8d39e84d4ab25b00eb4a251ac7fadd3a0a8547e79ab
SHA1 hash: b2aece502fa66059dcc61e33bd2e4822e01182df
MD5 hash: 9eb869a782ce77b409f6126372c9d231
humanhash: foxtrot-zulu-sierra-alpha
File name:8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe
Download: download sample
Signature njrat
Create hunting rule
File size:382'656 bytes
First seen:2021-09-30 00:06:15 UTC
Last seen:2021-09-30 00:52:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fe665f2b5496671c416fff0c4aa96adf (1 x njrat)
ssdeep 6144:H94YVuWi4y2HIbSYRg5jqEFYPiMMMMMMMMMMMMMMMMMMsWLaFLK4ZYnqOvRcnsAm:d4YV1i4vIbS8ghbYKMMMMMMMMMMMMMM5
Threatray 115 similar samples on MalwareBazaar
TLSH T11284ADD1F28498B9D84312B59C7AAE11242BBEAE5474890D733B3F1E7E733831566D0B
File icon (PE):PE icon
dhash icon c8d888c888a88098 (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
192.169.69.25:4433

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.169.69.25:4433 https://threatfox.abuse.ch/ioc/228281/

Intelligence

File Origin
# of uploads :
2
# of downloads :
259
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5221f15b-366e-46a0-963c-9fc1c6d8d241
Verdict:
Malicious activity
Analysis date:
2019-02-14 23:20:26 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/4ed204ff-5a3c-4c9e-9b08-53b9a16406e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/193269/
Detection(s):
SecuriteInfo.com.VBS.DownLoader.1559.30883.6548.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Launching a process
Creating a process from a recently created file
Creating a file in the %temp% directory
Creating a process with a hidden window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/89b22b6e-0376-4837-a63b-1fd45041061c
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/861397
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 493825 Sample: 8797AB41F89827F3231B25B4240... Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 79 soportesltda30.duckdns.org 2->79 85 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->85 87 Found malware configuration 2->87 89 Malicious sample detected (through community Yara rule) 2->89 91 13 other signatures 2->91 10 8797AB41F89827F3231B25B4240FD7AAE72EE46415E1F.exe 5 8 2->10         started        13 windows.exe 2->13         started        15 windows.EXE 2->15         started        17 windows.EXE 2->17         started        signatures3 process4 file5 77 C:\Users\user\Desktop\win.vbs, Little-endian 10->77 dropped 19 wscript.exe 3 10->19         started        23 AcroRd32.exe 15 42 10->23         started        25 schtasks.exe 13->25         started        27 schtasks.exe 13->27         started        29 schtasks.exe 15->29         started        31 schtasks.exe 15->31         started        33 schtasks.exe 17->33         started        35 schtasks.exe 17->35         started        process6 file7 73 C:\Users\user\AppData\Roaming\...\windows.EXE, PE32 19->73 dropped 75 C:\Users\user\AppData\Local\...\windows.exe, PE32 19->75 dropped 93 Drops PE files to the startup folder 19->93 37 windows.exe 3 4 19->37         started        41 RdrCEF.exe 60 23->41         started        43 AcroRd32.exe 9 6 23->43         started        45 conhost.exe 25->45         started        47 conhost.exe 27->47         started        49 conhost.exe 29->49         started        51 conhost.exe 31->51         started        53 conhost.exe 33->53         started        55 conhost.exe 35->55         started        signatures8 process9 dnsIp10 81 soportesltda30.duckdns.org 192.169.69.25, 4433, 49758, 49759 WOWUS United States 37->81 95 Antivirus detection for dropped file 37->95 97 Multi AV Scanner detection for dropped file 37->97 99 Machine Learning detection for dropped file 37->99 101 2 other signatures 37->101 57 schtasks.exe 37->57         started        59 schtasks.exe 37->59         started        83 192.168.2.1 unknown unknown 41->83 61 RdrCEF.exe 41->61         started        63 RdrCEF.exe 41->63         started        65 RdrCEF.exe 41->65         started        67 RdrCEF.exe 41->67         started        signatures11 process12 process13 69 conhost.exe 57->69         started        71 conhost.exe 59->71         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8797ab41f89827f3231b25b4240fd7aae72ee46415e1f28a3b81148debc00408/
Threat name:
Win32.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2019-02-14 19:51:17 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6l2wqpytat7giy3ew2cid6xvlts5zdecxq7fcr3qeki326aaqea._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
16d72d3628ed27331066627a6e8520c127e7d7e876c604a5e8c2773715038890
njrat
6f03fba6702cb99f1b9b45f60dbfd9d52e3d5ce019bcf4e68d91dbf54592c236
njrat
77feba00f6a55111f34c82733f30836d566baf560e3db58b9866caca55d303d8
njrat
7cfe6b3d43caf0e6d990caf7b778d9c68e8e95f9ea6a44f9fefb46be5476c083
njrat
82732e47492148243ee3fb338c93d43b9a9984f39e3409327600cffc5766af1b
njrat
8f74c5871c33b4bf63b43f3e7e216dae1cc92e79cd0035422c8eb6768b98dc06
njrat
a1e995c3ae3dc0bb88284a79ceb53fc6c723e0f78aaf545053f25a7927c58ab8
njrat
bf8e469a058f90d9ccbe081b0da470d3314aa4cd34f916865f0c0b4fa28eacd8
njrat
c1f0a466558441864502b7d7766cbf70c7c562b4ef8a13e562fd5c97f178dd8f
njrat
+ 105 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:lime link pdf trojan
Link:
https://tria.ge/reports/210930-aebnxafhh8/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
HTTP links in PDF interactive object
Drops startup file
Loads dropped DLL
Executes dropped EXE
njRAT/Bladabindi
Malware Config
C2 Extraction:
soportesltda30.duckdns.org:4433
Unpacked files
SH256 hash:
8797ab41f89827f3231b25b4240fd7aae72ee46415e1f28a3b81148debc00408
MD5 hash:
9eb869a782ce77b409f6126372c9d231
SHA1 hash:
b2aece502fa66059dcc61e33bd2e4822e01182df
Link:
https://www.unpac.me/results/5428c3e8-5b97-4626-8e90-99db2ec0e5fc/
Malware family:
njRat
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8797ab41f898/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8797ab41f89827f3231b25b4240fd7aae72ee46415e1f28a3b81148debc00408

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193269/

Comments