MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fc6e869d0bb32f11f19ff4628bfd3e8c7c0616f01becb93f4c828955e28465b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs 5 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fc6e869d0bb32f11f19ff4628bfd3e8c7c0616f01becb93f4c828955e28465b
SHA3-384 hash: 16d6371087825ab34f2042fa413609213c8791af1cc1c784de0f5395eba84b8ee6f9ffb9211c11234272df690a7843c4
SHA1 hash: 13b0ad476f89697708910d80152b56224ee8cfe1
MD5 hash: 3d882526b381e7b346837e515ed7817e
humanhash: hydrogen-beer-video-vegan
File name:3D882526B381E7B346837E515ED7817E.exe
Download: download sample
Signature njrat
Create hunting rule
File size:30'720'000 bytes
First seen:2021-12-29 19:10:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0331ca1875ee1266bf09953125b712b1 (13 x njrat, 2 x DCRat)
ssdeep 768:nhuuCHTZbVuNsyAo3OMQHkUqpcBc9zAccuy28We:nhMTZJ9yLO9FQzAGy2
Threatray 76 similar samples on MalwareBazaar
TLSH T17A67D1A3392C93BDD1146E310587DA27A2BAB5261F4F7B55EF826261D8F4DC0DFC0252
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.19.130.43:12581

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.19.130.43:12581 https://threatfox.abuse.ch/ioc/289056/
3.142.167.54:12581 https://threatfox.abuse.ch/ioc/289057/
3.142.81.166:12581 https://threatfox.abuse.ch/ioc/289058/
3.142.167.4:12581 https://threatfox.abuse.ch/ioc/289059/
3.142.129.56:12581 https://threatfox.abuse.ch/ioc/289060/

Intelligence

File Origin
# of uploads :
1
# of downloads :
390
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
3D882526B381E7B346837E515ED7817E.exe
Verdict:
Malicious activity
Analysis date:
2021-12-29 19:13:24 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/82a5a9c2-8360-47b7-bfff-9049c794f82b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
DNS request
Creating a file
Launching a process
Creating a process with a hidden window
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed poison xorist
Link:
https://www.filescan.io/uploads/61ccb2caec6c6c14a9fc2000/reports/9e9a3de4-fd9f-441a-8af6-80015285d5b0/overview
Result
Verdict:
MALICIOUS
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/913902
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Suspicius Add Task From User AppData Temp
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 546380 Sample: i8hCHJUCOs.exe Startdate: 29/12/2021 Architecture: WINDOWS Score: 100 41 8.tcp.ngrok.io 2->41 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 10 other signatures 2->55 10 i8hCHJUCOs.exe 9 2->10         started        14 Server.exe 1 2->14         started        16 steam_loder.exe 1 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 39 C:\Users\user\AppData\Local\Temp\otc4.exe, MS-DOS 10->39 dropped 71 Detected unpacking (changes PE section rights) 10->71 20 otc4.exe 1 3 10->20         started        73 Antivirus detection for dropped file 14->73 75 Multi AV Scanner detection for dropped file 14->75 77 Machine Learning detection for dropped file 14->77 signatures6 process7 file8 33 C:\ProgramData\steam_loder.exe, MS-DOS 20->33 dropped 57 Antivirus detection for dropped file 20->57 59 Multi AV Scanner detection for dropped file 20->59 61 Machine Learning detection for dropped file 20->61 24 steam_loder.exe 3 4 20->24         started        signatures9 process10 dnsIp11 43 3.142.129.56, 12581, 49747, 49753 AMAZON-02US United States 24->43 45 8.tcp.ngrok.io 3.142.167.4, 12581, 49744, 49748 AMAZON-02US United States 24->45 47 3 other IPs or domains 24->47 35 C:\Users\user\AppData\...\steam_loder.exe, MS-DOS 24->35 dropped 37 C:\Users\user\AppData\Local\Temp\Server.exe, MS-DOS 24->37 dropped 63 Antivirus detection for dropped file 24->63 65 Multi AV Scanner detection for dropped file 24->65 67 Protects its processes via BreakOnTermination flag 24->67 69 3 other signatures 24->69 29 schtasks.exe 1 24->29         started        file12 signatures13 process14 process15 31 conhost.exe 29->31         started       
Gathering data
Threat name:
Win32.Trojan.VBinder
Create hunting rule
Status:
Malicious
First seen:
2021-12-29 05:05:58 UTC
File Type:
PE (Exe)
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=r7doq2oqxmzpchyz75dcrp6t5dd4aylpag7mxe7uzaujkxriiznq._file
Verdict:
malicious
Similar samples:
06af78c89fc6b79696c14326d98a5d8ff14ae51b4303c308a77d980dbd731922
njrat
0dee20eae747781c183499abc341feded87a5a6325f0a9b789067d1b6377ef89
njrat
25cd127b9d559d6754269ecc116d35be66aca027640bcd71a836567c32b946c5
njrat
7387dda5e2f645e2bdb9c2b366b4917a52a0535800580deb50f28e6790418ec9
njrat
ac8bc27c6868bbb4b617b4280d8e400e6c9dda52c3ffda8a5603fe378374f69e
njrat
e53485cd1127d2af7d09d0e7d971f92d13ac910ec1124055868107fa9738648c
njrat
+ 66 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:pc suricata trojan
Link:
https://tria.ge/reports/211229-xvx86sdgaq/
Behaviour
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Loads dropped DLL
Executes dropped EXE
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
8.tcp.ngrok.io:12581
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8fc6e869d0bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8fc6e869d0bb32f11f19ff4628bfd3e8c7c0616f01becb93f4c828955e28465b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments