MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0de3c7f5026e72496e15c3fcb24947aa54e2d615bed91bc8f44fd07a2553b44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0de3c7f5026e72496e15c3fcb24947aa54e2d615bed91bc8f44fd07a2553b44
SHA3-384 hash: 37474c0c28c182dd40ba6a474e1a3ad5dd566ce05485ccaef50c8d69d78ffe00f4fc6e47c662d92cce90ef518b3c5bb7
SHA1 hash: 9790816345ee7f10a0336f4013864c565c75de89
MD5 hash: fc24752914e03759c7cc97e560154868
humanhash: mexico-beryllium-eighteen-river
File name:Cryptded_protected.bin
Download: download sample
Signature njrat
Create hunting rule
File size:1'526'272 bytes
First seen:2022-07-11 12:17:09 UTC
Last seen:2022-07-11 12:55:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 84bb1ac192dd1d591766b467b12ade64 (8 x CoinMiner, 5 x DCRat, 2 x RedLineStealer)
ssdeep 24576:IoixLIFJQBj9n1Wyq12ZmHLIqToRdfTI3fflnwqVyvsX/P8dR5Xpbxo:IoixEyr57KsvLI3ftwq8DLpx
Threatray 1'231 similar samples on MalwareBazaar
TLSH T1826533BC2253B370D5511A3E6495450EC5B2EA6FCC6F8CABA76067EC3B481631C6DAC3
TrID 28.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
25.4% (.EXE) Win32 Executable (generic) (4505/5/1)
11.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
11.4% (.EXE) OS/2 Executable (generic) (2029/13)
11.3% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter KdssSupport
Tags:exe NjRAT


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
2
# of downloads :
297
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
Cryptded_protected.sfx.exe
Verdict:
Malicious activity
Analysis date:
2022-07-10 17:08:42 UTC
Tags:
stealer rat njrat bladabindi trojan
Link:
https://app.any.run/tasks/816eff91-45fd-4ab9-8808-dca191a0dd58

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/286212/
Detection(s):
PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Creating a file
DNS request
Sending a custom TCP request
Creating a window
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the %AppData% directory
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Searching for the window
Sending an HTTP GET request
Unauthorized injection to a recently created process
Stealing user critical data
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Launching a tool to kill processes
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/62cc1513bbcf6baf27938a64/reports/2b4936e8-3a2d-4acf-bb96-393d6edce39b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54b09785-a692-4d05-acf4-6eff1d9e353a
Result
Threat name:
44Caliber Stealer, Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1028527
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Drops PE files with benign system names
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
PE file contains section with special chars
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Drops fake system file at system root drive
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Yara detected 44Caliber Stealer
Yara detected Generic Downloader
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 661022 Sample: Cryptded_protected.bin Startdate: 11/07/2022 Architecture: WINDOWS Score: 100 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 Antivirus detection for dropped file 2->65 67 16 other signatures 2->67 9 Cryptded_protected.exe 3 2->9         started        13 svhost.exe 2->13         started        15 svhost.exe 2->15         started        17 svhost.exe 2->17         started        process3 file4 45 C:\Users\user\AppData\...\Umbrella.flv.exe, PE32 9->45 dropped 47 C:\Users\user\AppData\...\Insidious (2).exe, PE32 9->47 dropped 79 Detected unpacking (changes PE section rights) 9->79 81 Tries to detect sandboxes and other dynamic analysis tools (window names) 9->81 83 Hides threads from debuggers 9->83 19 Umbrella.flv.exe 1 5 9->19         started        23 Insidious (2).exe 14 32 9->23         started        26 powershell.exe 17 9->26         started        signatures5 process6 dnsIp7 43 C:\Users\user\AppData\Roaming\svhost.exe, PE32 19->43 dropped 69 Antivirus detection for dropped file 19->69 71 Machine Learning detection for dropped file 19->71 28 svhost.exe 2 9 19->28         started        55 freegeoip.app 188.114.97.3, 443, 49739 CLOUDFLARENETUS European Union 23->55 57 ipbase.com 99.83.231.61, 443, 49740 AMAZON-02US United States 23->57 73 Tries to harvest and steal browser information (history, passwords, etc) 23->73 75 Tries to steal Crypto Currency Wallets 23->75 77 Deletes itself after installation 26->77 33 conhost.exe 26->33         started        file8 signatures9 process10 dnsIp11 59 37.235.54.26, 2142 HSO-GROUPGB European Union 28->59 49 C:\svchost.exe, PE32 28->49 dropped 51 C:\...\cbf292fcc15f8937d92f60f5f6be68ce.exe, PE32 28->51 dropped 53 C:\autorun.inf, Microsoft 28->53 dropped 85 Antivirus detection for dropped file 28->85 87 Protects its processes via BreakOnTermination flag 28->87 89 Creates autorun.inf (USB autostart) 28->89 91 6 other signatures 28->91 35 netsh.exe 28->35         started        37 taskkill.exe 28->37         started        file12 signatures13 process14 process15 39 conhost.exe 35->39         started        41 conhost.exe 37->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0de3c7f5026e72496e15c3fcb24947aa54e2d615bed91bc8f44fd07a2553b44/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 12:18:11 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udpdy72qe3tsjfxblq74wjeupksu4llblpwzdpepit6qpisvhnca._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
03c797996da1b603758c6875b0dc86c8c1cf2f4f1939d25aa3874cb0fe2bf08a
njrat
5320400539e21be4eee7c8adc75f045b957d5696007adb23c0f390bcfdfea9cc
njrat
53777546c28cb8912525bf2f3f0e7a69e29f61755b82cbba7d1a0c0d9c562536
njrat
772ca61d127be3c8992d2537bca4e0df6f77b68718d086cb4eef28fb7c6412b9
njrat
c7b54cc4aa3d4b08652359ddb2e8b0d91ccd6d0a01c7a34eb527fde4f0f44957
njrat
cf0f62c6105ceec3db23af296678feed3ea95d14ff032223d5397c7351cfc9e0
njrat
ffe8dbc4f815fe713c790a19b5122c79d1de9c817f10edf7d86ca297175ce439
njrat
+ 1'221 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:44caliber family:njrat evasion persistence spyware stealer trojan
Link:
https://tria.ge/reports/220711-pgln8aghgp/
Behaviour
Checks processor information in registry
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Windows Firewall
44Caliber
njRAT/Bladabindi
Malware Config
C2 Extraction:
https://discord.com/api/webhooks/963884131157168128/l7y0A3as75Se94o7XMk4zXPVahSSRfUXKz2j0cONgRgga6ZiO0oAtr3nqCmT9TlwHPnJ
Unpacked files
SH256 hash:
a0de3c7f5026e72496e15c3fcb24947aa54e2d615bed91bc8f44fd07a2553b44
MD5 hash:
fc24752914e03759c7cc97e560154868
SHA1 hash:
9790816345ee7f10a0336f4013864c565c75de89
Link:
https://www.unpac.me/results/1c3e40d7-a242-4e3a-a190-5bbd260589ea/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a0de3c7f5026/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/a0de3c7f5026e72496e15c3fcb24947aa54e2d615bed91bc8f44fd07a2553b44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe a0de3c7f5026e72496e15c3fcb24947aa54e2d615bed91bc8f44fd07a2553b44

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/286212/

Comments