MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 989a832dd6395528e5373e6fd04432a48843c299b53e8aade6142a6fee6dec94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 989a832dd6395528e5373e6fd04432a48843c299b53e8aade6142a6fee6dec94
SHA3-384 hash: be2bbe0d7e22acac52312187aebfedf0bd406ff8a0f6fb3c22d0fbb1517e197bfc015139558c0fae338b3cf11bed7d70
SHA1 hash: eceaa6209329685fc0afef3cac00bc5434574a69
MD5 hash: 67a6ae9185924d38b14277f4206a6d6d
humanhash: emma-maine-eighteen-four
File name:67a6ae9185924d38b14277f4206a6d6d.exe
Download: download sample
Signature njrat
Create hunting rule
File size:136'192 bytes
First seen:2021-07-30 06:15:19 UTC
Last seen:2021-07-30 06:44:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:Q9uQwSPdnMrFDqVBwBifm9WmpbJvYPNlUsD:Q9uZS1lVBwBiO9WmpbJvYPNlUs
TLSH T178D3939C766072DFC86BC8769EA85C74EA60347B530B9203A06316EDDE4D99BCF150F2
Reporter abuse_ch
Tags:exe NjRAT RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
645
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
67a6ae9185924d38b14277f4206a6d6d.exe
Verdict:
No threats detected
Analysis date:
2021-07-30 06:22:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5b19ccbc-7eb5-468b-a29a-afc6a52c191c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175205/
Detection(s):
SecuriteInfo.com.Trojan.MulDrop18.7041.704.12176.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d74786f1-2a05-4d6b-a8cc-8535ea289816
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/824307
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files with benign system names
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 456716 Sample: AJsDab2kCB.exe Startdate: 30/07/2021 Architecture: WINDOWS Score: 88 37 ant-ec.duckdns.org 2->37 47 Antivirus / Scanner detection for submitted sample 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 Uses dynamic DNS services 2->51 53 2 other signatures 2->53 9 note.exe 2 2->9         started        12 AJsDab2kCB.exe 3 6 2->12         started        16 note.exe 1 2->16         started        signatures3 process4 dnsIp5 55 Antivirus detection for dropped file 9->55 57 Multi AV Scanner detection for dropped file 9->57 18 svchost.exe 3 9->18         started        39 ant-ec.duckdns.org 46.246.14.9, 2054 PORTLANEwwwportlanecomSE Sweden 12->39 41 192.168.2.1 unknown unknown 12->41 29 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 12->29 dropped 31 C:\Users\user\AppData\Roaming\note.exe, PE32+ 12->31 dropped 33 C:\Users\user\...\svchost.exe:Zone.Identifier, ASCII 12->33 dropped 35 C:\Users\user\...\note.exe:Zone.Identifier, ASCII 12->35 dropped 59 Drops PE files with benign system names 12->59 21 svchost.exe 1 16->21         started        file6 signatures7 process8 signatures9 43 Antivirus detection for dropped file 18->43 45 Multi AV Scanner detection for dropped file 18->45 23 note.exe 1 18->23         started        25 note.exe 18->25         started        process10 process11 27 svchost.exe 23->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/989a832dd6395528e5373e6fd04432a48843c299b53e8aade6142a6fee6dec94/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-29 02:57:00 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcniglowhfksrzjxhzx5arbsuseehquzwu7ivlpgcqvg73tn5ska._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence
Link:
https://tria.ge/reports/210730-k3wrz5w33n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Core1 .NET packer
Unpacked files
SH256 hash:
989a832dd6395528e5373e6fd04432a48843c299b53e8aade6142a6fee6dec94
MD5 hash:
67a6ae9185924d38b14277f4206a6d6d
SHA1 hash:
eceaa6209329685fc0afef3cac00bc5434574a69
Link:
https://www.unpac.me/results/2294931f-5138-4a60-8942-7c9a56b10064/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/989a832dd6395528e5373e6fd04432a48843c299b53e8aade6142a6fee6dec94

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 989a832dd6395528e5373e6fd04432a48843c299b53e8aade6142a6fee6dec94

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1470374/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/175205/

Comments