MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4
SHA3-384 hash: 9822c6a4c7d18b0bb7d89799a6ca2cfa1b47137bb03b7d47c779c7f2d95b714d88aa4f9caee77beb12f3e4a3e5de8bdd
SHA1 hash: 65726604b29227377aadef41da87a7306c852f0c
MD5 hash: c3ec94cb1c15fbfd213aa5d5854b8e3f
humanhash: gee-tango-william-april
File name:AVI Reader.exe
Download: download sample
Signature njrat
Create hunting rule
File size:50'620 bytes
First seen:2023-09-08 20:43:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'672 x AgentTesla, 19'489 x Formbook, 12'212 x SnakeKeylogger)
ssdeep 1536:a7dS1EAd8II28ca2zhmamGJCKDRMcyEQXGNEPRbw1Rl:igEA6II2Da2zPf/XyEQSiRby
Threatray 26 similar samples on MalwareBazaar
TLSH T15433E00AF54C9A3BCCA62737CE3349C447204EA4C4D75D4BE8A4BD167EB3B85669728C
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon b2b2b271e8f0b68e (5 x AsyncRAT, 4 x XWorm, 3 x njrat)
Reporter Anonymous
Tags:exe NjRAT xworm


Avatar
Anonymous
C2: 217.229.108.168:1 / AS3320 - Deutsche Telekom AG

Intelligence

File Origin
# of uploads :
1
# of downloads :
470
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AVI Reader.zip
Verdict:
Malicious activity
Analysis date:
2023-09-08 20:24:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e70185f8-92e9-4cfb-8994-a682076c146f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/447596/
Detection(s):
SecuriteInfo.com.Generic.KillMBR.B.33029EB2.12073.18630.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
Creating a file
Launching a process
Enabling the 'hidden' option for recently created files
Enabling the 'hidden' option for files in the %temp% directory
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Gathering data
Verdict:
Malicious
Labled as:
KillMBR.B.Generic
Link:
https://www.hybrid-analysis.com/sample/87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/94af92dc-95fb-463f-8165-9ffe03c33ee1
Result
Threat name:
Njrat, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1306506
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Protects its processes via BreakOnTermination flag
Self deletion via cmd or bat file
Sigma detected: Drops script at startup location
Sigma detected: Schedule system process
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Yara detected Njrat
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1306506 Sample: AVI_Reader.exe Startdate: 08/09/2023 Architecture: WINDOWS Score: 100 77 Snort IDS alert for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 83 14 other signatures 2->83 9 AVI_Reader.exe 1 5 2->9         started        13 MicrosoftEdge.exe 2->13         started        15 MicrosoftEdgeUpdate.exe 2->15         started        17 8 other processes 2->17 process3 file4 65 C:\Users\user\AppData\Local\Temp\smss.exe, MS-DOS 9->65 dropped 101 Self deletion via cmd or bat file 9->101 103 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 9->103 105 Drops PE files with benign system names 9->105 19 smss.exe 4 8 9->19         started        24 cmd.exe 1 9->24         started        107 Antivirus detection for dropped file 13->107 109 Machine Learning detection for dropped file 13->109 signatures5 process6 dnsIp7 73 217.229.108.168, 1, 49712 DTAGInternetserviceprovideroperationsDE Germany 19->73 55 C:\Users\user\AppData\Roaming\...\smss.exe, MS-DOS 19->55 dropped 57 C:\...\75014531228344409477697616f41a41.exe, PE32 19->57 dropped 59 C:\Users\user\AppData\Roaming\...\smss.url, MS 19->59 dropped 85 Antivirus detection for dropped file 19->85 87 Protects its processes via BreakOnTermination flag 19->87 89 Machine Learning detection for dropped file 19->89 91 4 other signatures 19->91 26 75014531228344409477697616f41a41.exe 5 19->26         started        30 schtasks.exe 1 19->30         started        32 schtasks.exe 1 19->32         started        34 conhost.exe 24->34         started        36 choice.exe 1 24->36         started        file8 signatures9 process10 file11 67 C:\Users\user\...\MicrosoftEdgeUpdate.exe, PE32 26->67 dropped 69 C:\Users\user\AppData\...\MicrosoftEdge.exe, PE32 26->69 dropped 71 C:\...\Meatspin_v6_FULL_by_LuckyKazya.exe, PE32+ 26->71 dropped 111 Antivirus detection for dropped file 26->111 113 Machine Learning detection for dropped file 26->113 38 MicrosoftEdgeUpdate.exe 26->38         started        42 MicrosoftEdge.exe 26->42         started        45 Meatspin_v6_FULL_by_LuckyKazya.exe 26->45         started        47 conhost.exe 30->47         started        49 conhost.exe 32->49         started        signatures12 process13 dnsIp14 61 C:\Users\user\...\MicrosoftEdgeUpdate.exe, PE32 38->61 dropped 93 Antivirus detection for dropped file 38->93 95 Protects its processes via BreakOnTermination flag 38->95 97 Machine Learning detection for dropped file 38->97 51 WerFault.exe 38->51         started        53 WerFault.exe 38->53         started        75 192.168.2.133 unknown unknown 42->75 63 C:\Users\user\AppData\...\MicrosoftEdge.exe, PE32 42->63 dropped 99 Creates multiple autostart registry keys 42->99 file15 signatures16 process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4/
Threat name:
ByteCode-MSIL.Backdoor.Ratenjay
Create hunting rule
Status:
Malicious
First seen:
2023-09-08 20:44:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6rubrw4tmxjst65y7w3ozfldf6oh22xnrcfnke3t6w52xziwc2a._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
4f2fb9d8928b5087960d7807d8cb0f2fb2a11291f539e1f18326a7baf0f7e191
njrat
7db1638194f98d1f0546d41cdf2bfae5f7b23319305f9b2b26b2e220f88e88a5
njrat
85d94b63f241688d840e0d2aa58270b93eb019b908366e682c71edd533d86581
njrat
868448f6c06d672fd544f64ae73ca4b1fe8403af947b870edd99ff842c02c59d
njrat
bcc039aa2691f019648d7a098ee7ac05c56f8e60be87ad43bdf027a6b1d51cc4
njrat
e69ad684b9ce869c919a006405130fb0eb918d38ec2372d0fc69372438d62551
njrat
eda8e0bd2b4cc55089ac0f090da85b368055d729cdb4eab90bc0a65e856f303f
njrat
+ 16 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:njrat family:xworm botnet:cheats persistence rat trojan
Link:
https://tria.ge/reports/230908-zh5tlafc45/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
Xworm
njRAT/Bladabindi
Malware Config
C2 Extraction:
127.0.0.1:1
217.229.108.168:1
192.168.2.133:1
Unpacked files
SH256 hash:
87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4
MD5 hash:
c3ec94cb1c15fbfd213aa5d5854b8e3f
SHA1 hash:
65726604b29227377aadef41da87a7306c852f0c
Link:
https://www.unpac.me/results/05675622-1500-410b-943c-80800a57dd8c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:TeslaCryptPackedMalware
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 87a340c6dc9b2e994fddc7edb764ab197ce3eb576c4456a89b9faddd5f28b0b4

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/447596/

Comments