MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92b11183a34d5b832d8848a1b57e41765845ecc2f79050606e2ad914b417f336. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92b11183a34d5b832d8848a1b57e41765845ecc2f79050606e2ad914b417f336
SHA3-384 hash: 2a158d07d67f241bf29c2cbdca5a0b37edb6a4d5b69c5d136c6305979f9b52ad126003545447cbbb663dfe6645f80bec
SHA1 hash: 2682ec05de87ec4e8f2580c6e92ff05b3af74e53
MD5 hash: 42f672f78b9c71fd542d3162af32fa3b
humanhash: may-pizza-indigo-violet
File name:FACTURA.exe
Download: download sample
Signature njrat
Create hunting rule
File size:343'421 bytes
First seen:2021-03-29 14:49:59 UTC
Last seen:2021-03-29 16:25:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1a57b635b23ffd553b3fd1e0960b2bd (39 x Formbook, 29 x Loki, 27 x AgentTesla)
ssdeep 3072:VPA6jXFN2McHrCId4VKASmsqhjBT5t5JTu5TJ8UGub4K1GyAwz5Dg0IJs8:VhjmvrCIdJqhdT5t51exGucsqwW0Iu8
Threatray 598 similar samples on MalwareBazaar
TLSH CB74D1EC26709472D95FCBF3CA129DE853309F246BA0874E217076BA1BF61E5DC051BA
Reporter abuse_ch
Tags:ESP exe geo NjRAT


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: assistcard.com
Sending IP: 45.137.22.138
From: Monica Gisel Cavita Ledesma <Monica.Cavita@assistcard.com>
Subject: Factura final - ¡Cuenta bancaria de la nueva empresa!
Attachment: FACTURA.r00 (contains "FACTURA.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
FACTURA.exe
Verdict:
Malicious activity
Analysis date:
2021-03-29 17:39:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c688d3c3-8c8d-4717-96d4-14761e70218f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/127672/
Detection(s):
SecuriteInfo.com.Dropped.Trojan.GenericKDZ.73612.18257.22158.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/3b04b1d1-b5ee-4f57-824f-db088ab8d03f
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/657105
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/92b11183a34d5b832d8848a1b57e41765845ecc2f79050606e2ad914b417f336/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-03-29 14:50:08 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=skyrda5djvnyglmijcq3k7sbozmel3gc66ifaydoflmrjnax6m3a._file
Verdict:
malicious
Similar samples:
06fa1b160e322bd7710c9110b1e4e873795b5c2680b8bbe70bbaf23484533459
njrat
4ee463200a2e23f5f8cd27820da94a17de71dfbcdd4793524262d6ab2099b44c
njrat
61d71ab4e23eba8055de07d4283a6e2f70e00fbb3c4fdeaf8ae8258fafe340f7
njrat
79e70809a85e291f9da3d391131208ce7645dd512eb6bb71811154b43da23222
njrat
8875bcc3b28c05466bf313def566f00467cfdc7c72626b445f10169943294180
njrat
9785024470a4d46ec73337a43698c74387853bbe500c7d893eed47730da1ecd5
njrat
bf645fad6cb23a9422e58a642b223a5d6a2dfc616c7480dfdd02393838f399b5
njrat
c67a752275a99a0ba74a93e5a715a591ad9db9eb010759cdf41b1e7df980e84d
njrat
cf9895b3086ece4cf7fb15d831b7257578897021f8996cbabcbdd14f181941fa
njrat
d092a60d031f2dfa8d009742db3f7d78d34d817f9c6be57a7b21469203a48dc3
njrat
+ 588 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/210329-8fyn9bc4m6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Unpacked files
SH256 hash:
28a3e7081d247f3752310c4ee31adff2be368e150d180aadbfe35450850cd252
MD5 hash:
843f9e086a62a6c99dc74947b3156605
SHA1 hash:
4be0a8ff7861e817c1d4c5a868732e23d4bbbe03
Link:
https://www.unpac.me/results/e247f6bd-4a3a-4486-9f16-eaec605b376c/
SH256 hash:
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586
MD5 hash:
d753362649aecd60ff434adf171a4e7f
SHA1 hash:
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0
Link:
https://www.unpac.me/results/e247f6bd-4a3a-4486-9f16-eaec605b376c/
SH256 hash:
92b11183a34d5b832d8848a1b57e41765845ecc2f79050606e2ad914b417f336
MD5 hash:
42f672f78b9c71fd542d3162af32fa3b
SHA1 hash:
2682ec05de87ec4e8f2580c6e92ff05b3af74e53
Link:
https://www.unpac.me/results/e247f6bd-4a3a-4486-9f16-eaec605b376c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92b11183a34d5b832d8848a1b57e41765845ecc2f79050606e2ad914b417f336

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_njrat_g1
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann<at>fkie.fraunhofer.de>
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

r00 4c72f894b1f77f39a841ea11ab8572d81c3fd525e78ceacf4b4cad4234aed667

njrat

Executable exe 92b11183a34d5b832d8848a1b57e41765845ecc2f79050606e2ad914b417f336

(this sample)

  
Dropped by
MD5 4ad4f2326a267bf7670944c88c7e752a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/127672/
  
Dropped by
SHA256 4c72f894b1f77f39a841ea11ab8572d81c3fd525e78ceacf4b4cad4234aed667

Comments