MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9cf93c4c0c4e0b609c5f21e3b49099009e5010cb2391dea6009d73e1293e1c70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs 1 YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9cf93c4c0c4e0b609c5f21e3b49099009e5010cb2391dea6009d73e1293e1c70
SHA3-384 hash: 36acfb3e3af8f47ab421a33faa2e885874bd67d765a7e0acc9597182783276a3348d3e13fe98ccd507f16c002a4fa3f9
SHA1 hash: 8d7afc8519439840d5959f95c6a234cf572d4fed
MD5 hash: e4b9076e0909775d85a39706c0337d0d
humanhash: eighteen-romeo-three-lactose
File name:e4b9076e0909775d85a39706c0337d0d.exe
Download: download sample
Signature njrat
Create hunting rule
File size:1'262'592 bytes
First seen:2021-05-04 08:31:04 UTC
Last seen:2021-05-04 10:07:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:JxjrJSpmaxIephPrYDKpZZQyG5b/MF/aMDb8BtRjA7XcYNclB:rUNZeDKpZZQyG5EF/aMHCR07zc
Threatray 68 similar samples on MalwareBazaar
TLSH 2D455B086FEC4719F53F73FA84E5607023B8AC416757E30A1AF875AA1872363DD8919E
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
141.255.156.15:5355

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
141.255.156.15:5355 https://threatfox.abuse.ch/ioc/28924/

Intelligence

File Origin
# of uploads :
3
# of downloads :
136
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aa.exe
Verdict:
No threats detected
Analysis date:
2021-05-04 15:48:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c456576a-27de-4fd4-9c01-0015813e364c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/149770/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.20164.16858.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/709555
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9cf93c4c0c4e0b609c5f21e3b49099009e5010cb2391dea6009d73e1293e1c70/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-04-27 15:40:25 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tt4tytamjyfwbhc7ehr3jeezacpfaegleoi55jqatvz6ckj6drya._file
Verdict:
unknown
Similar samples:
1acdf1fa101a7f3d7c59bdc7494a67879a0b1b0410122072f73ecf3cc8eff5e9
njrat
4e890d4e6329b4ea3bc61d458e727a81cdf9358d6b5bedbd290aa85ed7a189d1
njrat
8cb5ccee62cb939a88f8ee36da47518c7c11eef0378b4ce9e678502bd83dd5aa
njrat
91a51c0ed7c1cf2e5d3fdb73e6f99e13745f036d5bfbf6d8df47df154eacbf37
njrat
9f1a15d397da38beca711d36c64eb697a9947bbf3a16b62809063a94f8eb0129
njrat
b295967168e9fc2f06437a12689122301171650aa213095bda2c1260d8f3c607
njrat
bf5d5c28bec7bdcf41fad771fd465ba6bb9a56e053c9470a6e10293466109d3c
njrat
e0287568096f94034a8746adef8f4c08db4ef5f51134f90740b1c72eb1b1eb0b
njrat
eedded196860d1ef5a143268a85bc3951af23e55da8c12b8b1b58b42b9f443f1
njrat
f9cb1efeadb768deb9b9fb669249b1b7bc242ee6fd3462b326ffcdeea42a657b
njrat
+ 58 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/210504-9sdvqd17lx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops startup file
Unpacked files
SH256 hash:
9cf93c4c0c4e0b609c5f21e3b49099009e5010cb2391dea6009d73e1293e1c70
MD5 hash:
e4b9076e0909775d85a39706c0337d0d
SHA1 hash:
8d7afc8519439840d5959f95c6a234cf572d4fed
Link:
https://www.unpac.me/results/edf22c00-5baf-4a8b-8da6-0ac0034401af/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9cf93c4c0c4e0b609c5f21e3b49099009e5010cb2391dea6009d73e1293e1c70

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackWorm
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify BlackWorm
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/149770/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-04 09:00:44 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0027.001] Cryptography Micro-objective::AES::Encrypt Data
2) [B0023] Execution::Install Additional Program