MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0cb00d5bb97ce9125323b94cfee7c1b2563e3166b6a37f751894a917971d370. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0cb00d5bb97ce9125323b94cfee7c1b2563e3166b6a37f751894a917971d370
SHA3-384 hash: 095909ed1087dd23f62e33cd5e304db76ed7b2e1933cd09f249ffa6359908f938e621c0d899d6c5cc9a6d37c690d5d43
SHA1 hash: aed81f5840ecab220adcde38081c741bfc855784
MD5 hash: b4577db1a7ba5aa3d820e6c6945b115b
humanhash: sodium-zebra-king-oscar
File name:a0cb00d5bb97ce9125323b94cfee7c1b2563e3166b6a37f751894a917971d370
Download: download sample
Signature njrat
Create hunting rule
File size:186'880 bytes
First seen:2022-03-22 13:10:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 720f62ecaae027b5c3ec6686644322e9 (12 x njrat, 8 x RevengeRAT, 4 x AgentTesla)
ssdeep 3072:gRIEC2Oi8NXC797F8TBfFvj4bq57e3GNDG2PuKbnsHT3FqORyvSy:gVC2F8NXC796TB9vj48XkKbcT3KX
TLSH T10404CF1475C0C2B3C47B203545E6CB399A39343627BE95D3BB9E1FB66E222D096352CE
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/254284/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/10404/overview
Behaviour
MalwareBazaar
CPUID_Instruction
EnumerateProcesses
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer.exe greyware packed
Link:
https://www.filescan.io/uploads/6239cad2b94fb38cb4ce888f/reports/44b36327-8c80-40ee-8d74-5582f5f5f8e9/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2f3634c2-41d5-4bed-a187-56a88eff4a09
Result
Threat name:
CyberGate Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/961850
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: File Created with System Process Name
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspcious CLR Logs Creation
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected CyberGate RAT
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 594331 Sample: S5XoBsJeMf Startdate: 22/03/2022 Architecture: WINDOWS Score: 100 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Multi AV Scanner detection for domain / URL 2->69 71 Found malware configuration 2->71 73 19 other signatures 2->73 9 S5XoBsJeMf.exe 1 8 2->9         started        13 explorer.exe 3 2->13         started        15 svchost.exe 3 2->15         started        17 8 other processes 2->17 process3 dnsIp4 51 C:\Users\user\AppData\Local\explorer.exe, PE32 9->51 dropped 53 C:\Users\user\AppData\Local\...\svchost.exe, PE32 9->53 dropped 55 C:\Users\...\explorer.exe:Zone.Identifier, ASCII 9->55 dropped 59 2 other malicious files 9->59 dropped 87 Creates multiple autostart registry keys 9->87 89 Drops PE files with benign system names 9->89 20 svchost.exe 4 9 9->20         started        91 Antivirus detection for dropped file 13->91 93 Multi AV Scanner detection for dropped file 13->93 95 Machine Learning detection for dropped file 13->95 57 C:\Users\user\AppData\...\svchost.exe.log, ASCII 15->57 dropped 63 127.0.0.1 unknown unknown 17->63 file5 signatures6 process7 dnsIp8 65 system.servebeer.com 105.101.120.241, 49790, 49791, 49808 ALGTEL-ASDZ Algeria 20->65 43 C:\...\ba4c12bee3027d94da5c81db2d196bfd.exe, PE32 20->43 dropped 45 C:\Users\user\AppData\...\ewiqmcodof.exe, PE32 20->45 dropped 47 ba4c12bee3027d94da...exe:Zone.Identifier, ASCII 20->47 dropped 49 C:\Users\user\AppData\...\svchost.exe.tmp, ASCII 20->49 dropped 79 Antivirus detection for dropped file 20->79 81 System process connects to network (likely due to code injection or exploit) 20->81 83 Multi AV Scanner detection for dropped file 20->83 85 6 other signatures 20->85 25 ewiqmcodof.exe 20->25         started        29 netsh.exe 1 3 20->29         started        file9 signatures10 process11 file12 61 C:\Windows\install\svchost.exe, PE32 25->61 dropped 97 Antivirus detection for dropped file 25->97 99 Creates an undocumented autostart registry key 25->99 101 Machine Learning detection for dropped file 25->101 103 6 other signatures 25->103 31 explorer.exe 25->31 injected 34 conhost.exe 29->34         started        signatures13 process14 signatures15 105 Drops executables to the windows directory (C:\Windows) and starts them 31->105 36 svchost.exe 31->36         started        39 svchost.exe 31->39         started        41 svchost.exe 31->41         started        process16 signatures17 75 Antivirus detection for dropped file 36->75 77 Machine Learning detection for dropped file 36->77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0cb00d5bb97ce9125323b94cfee7c1b2563e3166b6a37f751894a917971d370/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-03-17 12:25:08 UTC
File Type:
PE (Exe)
AV detection:
23 of 26 (88.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udfqbvn3s7hjcjjshokm73t4dmswhyywnnvdp52rrffjc6lr2nya._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220322-qeyfnsfdc9/
Behaviour
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
6a26441947ad32b940ac0f034725c5f356618a20cf1bda094ddfd1aa5d380dd7
MD5 hash:
98f7e613b893eea987e649d8d2efdb33
SHA1 hash:
e0c911e90631e1a0f96d7d3d2e0ca9ddf50dff1e
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/92a07511-0a73-46e1-99d0-756a32bdff5b/
SH256 hash:
f8dd9bcf7c94734c331790d4506ca3007765e5b253e26f79e735b07389052f42
MD5 hash:
03eb38972049cb9ae178c5ccdeb125ec
SHA1 hash:
dbdbd6a6550920868550e4f53612aae1697eddbc
Link:
https://www.unpac.me/results/92a07511-0a73-46e1-99d0-756a32bdff5b/
SH256 hash:
a0cb00d5bb97ce9125323b94cfee7c1b2563e3166b6a37f751894a917971d370
MD5 hash:
b4577db1a7ba5aa3d820e6c6945b115b
SHA1 hash:
aed81f5840ecab220adcde38081c741bfc855784
Link:
https://www.unpac.me/results/92a07511-0a73-46e1-99d0-756a32bdff5b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/a0cb00d5bb97ce9125323b94cfee7c1b2563e3166b6a37f751894a917971d370

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/254284/

Comments