MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0fc35a4bf1bee6806e0321d05845a1415f0b2ac1def10d69ea8be587794e3cb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0fc35a4bf1bee6806e0321d05845a1415f0b2ac1def10d69ea8be587794e3cb
SHA3-384 hash: 5235f323e83c6f1c202d3746e8849509b1318a10a3cf4cccfead318b4edd8bc79d030a74ba99883f1ae09056ddf5d541
SHA1 hash: e31c86b725ef109010e3d9478b8ba8d97efdd2db
MD5 hash: bf9c5aa863450625bba5c7337b68bc92
humanhash: violet-apart-south-bulldog
File name:bf9c5aa863450625bba5c7337b68bc92.exe
Download: download sample
Signature njrat
Create hunting rule
File size:22'067'969 bytes
First seen:2023-04-17 15:15:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 393216:S4durphW6P4y0BxVNZK9r+bpGC9EndaJuQt1bIlbrmQVOgfiUx54uT3MkdkJ:bdurphl4rvNGSbp/9Q0gQt1bIlbCQBq9
Threatray 15 similar samples on MalwareBazaar
TLSH T15927338439D04670CEBB13348AE92295117538715B7409B76BAE2B9E1F70EC0A3ADF77
TrID 89.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
1.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.124.67.191:10352

Intelligence

File Origin
# of uploads :
1
# of downloads :
297
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
bf9c5aa863450625bba5c7337b68bc92.exe
Verdict:
Malicious activity
Analysis date:
2023-04-17 15:15:50 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/0e0ec40e-df9a-474b-b92f-53262d4d9cf1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
PUA.Win.Malware.Speedingupmypc-6718419-0
Create hunting rule

Win.Malware.Ursu-9774869-0
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

SecuriteInfo.com.Trojan.Uztuby.4.21386.15255.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Searching for analyzing tools
Sending a custom TCP request
Creating a file in the %AppData% directory
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Launching the process to change the firewall settings
Creating a file in the mass storage device
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80092/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/643d62b4c1735fe5e75668c2/reports/0de6c331-4147-4a2a-a514-558f3b1fa097/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a0fc35a4bf1bee6806e0321d05845a1415f0b2ac1def10d69ea8be587794e3cb
Result
Verdict:
MALICIOUS
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
rans.spre.troj.adwa.evad
Score:
98 / 100
Link:
https://www.joesandbox.com/analysis/1215315
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Found malware configuration
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file contains section with special chars
PE file has nameless sections
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 848243 Sample: P8pPTe0SFR.exe Startdate: 17/04/2023 Architecture: WINDOWS Score: 98 125 Snort IDS alert for network traffic 2->125 127 Multi AV Scanner detection for domain / URL 2->127 129 Found malware configuration 2->129 131 15 other signatures 2->131 10 P8pPTe0SFR.exe 9 2->10         started        13 msiexec.exe 2->13         started        16 svchost.exe 2->16         started        18 16 other processes 2->18 process3 dnsIp4 93 C:\Users\user\...\Radmin_VPN_1.2.4457.1.exe, PE32 10->93 dropped 95 C:\Users\...\PortableVPN_protected.sfx.exe, PE32 10->95 dropped 21 PortableVPN_protected.sfx.exe 8 10->21         started        25 Radmin_VPN_1.2.4457.1.exe 2 10->25         started        97 C:\Windows\Installer\MSIE21E.tmp, PE32 13->97 dropped 99 C:\Windows\Installer\MSI9A37.tmp, PE32+ 13->99 dropped 101 C:\Program Files (x86)\...\RvControlSvc.exe, PE32 13->101 dropped 103 103 other files (none is malicious) 13->103 dropped 147 Drops executables to the windows directory (C:\Windows) and starts them 13->147 149 Sample is not signed and drops a device driver 13->149 27 msiexec.exe 13->27         started        37 2 other processes 13->37 151 Changes security center settings (notifications, updates, antivirus, firewall) 16->151 29 MpCmdRun.exe 16->29         started        113 198.244.200.34, 17301, 49711 RIDLEYSD-NETUS United States 18->113 115 198.244.228.170, 17301, 49706 RIDLEYSD-NETUS United States 18->115 117 4 other IPs or domains 18->117 153 Query firmware table information (likely to detect VMs) 18->153 155 DLL side loading technique detected 18->155 157 Hides threads from debuggers 18->157 31 drvinst.exe 18->31         started        33 drvinst.exe 18->33         started        35 netsh.exe 18->35         started        39 2 other processes 18->39 file5 signatures6 process7 file8 73 C:\Users\user\...\PortableVPN_protected.exe, PE32 21->73 dropped 135 Multi AV Scanner detection for dropped file 21->135 41 PortableVPN_protected.exe 7 21->41         started        75 C:\Users\user\...\Radmin_VPN_1.2.4457.1.tmp, PE32 25->75 dropped 137 Obfuscated command line found 25->137 45 Radmin_VPN_1.2.4457.1.tmp 3 14 25->45         started        47 netsh.exe 27->47         started        49 netsh.exe 27->49         started        51 conhost.exe 29->51         started        77 C:\Windows\System32\...\SETA9A6.tmp, PE32+ 31->77 dropped 79 C:\Windows\System32\...\RvNetMP60.sys (copy), PE32+ 31->79 dropped 81 C:\Windows\System32\drivers\SETCE55.tmp, PE32+ 33->81 dropped 83 C:\Windows\System32\...\RvNetMP60.sys (copy), PE32+ 33->83 dropped 53 conhost.exe 35->53         started        55 conhost.exe 39->55         started        57 conhost.exe 39->57         started        signatures9 process10 file11 85 C:\Users\user\AppData\Roaming\server.exe, PE32 41->85 dropped 139 Multi AV Scanner detection for dropped file 41->139 141 Detected unpacking (changes PE section rights) 41->141 143 Detected unpacking (overwrites its own PE header) 41->143 145 Hides threads from debuggers 41->145 59 server.exe 1 10 41->59         started        87 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 45->87 dropped 89 C:\Users\user\...\Rvis_install_dll.dll, PE32 45->89 dropped 91 C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32 45->91 dropped 64 conhost.exe 47->64         started        66 conhost.exe 49->66         started        signatures12 process13 dnsIp14 119 3.125.188.168, 10352, 49704, 49705 AMAZON-02US United States 59->119 121 3.126.224.214, 10352, 49707, 49719 AMAZON-02US United States 59->121 123 2 other IPs or domains 59->123 105 bcdd854a4e5ee6ab3c...5Windows Update.exe, PE32 59->105 dropped 107 C:\Users\user\...\Microsoft Corporation.exe, PE32 59->107 dropped 109 C:\Umbrella.flv.exe, PE32 59->109 dropped 111 C:\autorun.inf, Microsoft 59->111 dropped 159 Multi AV Scanner detection for dropped file 59->159 161 Detected unpacking (changes PE section rights) 59->161 163 Creates autorun.inf (USB autostart) 59->163 165 4 other signatures 59->165 68 netsh.exe 59->68         started        file15 signatures16 process17 signatures18 133 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 68->133 71 conhost.exe 68->71         started        process19
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-04-12 21:07:41 UTC
File Type:
PE (Exe)
Extracted files:
3181
AV detection:
13 of 37 (35.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ud6dljf7dpxgqbxagioqlbc2cqk7bmvmdxxrbvu6vc7fq54u4pfq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
20b6bad0f4cef3da8b183c5b57e45008ee345eb84b214281fe85694f825b93d8
njrat
4bc9ce4193e3f851db39f86de98004c2d0421d89fe78120d422a648363a2eb08
njrat
5574e0b5e404aa5bad86dd9aca033eb35421ec30dd91a9777bd6b053514010d7
njrat
8e8a01dc98efc4c5d9fb61620f75b9c0886bc45dbfcf934f1601b75a3629d0fc
njrat
8f54b40666425ce85b4ff251e6e9b6d1942a069968b1b00935455c05b402c33d
njrat
9cd5a28728147661323d8ff925112d951db1bd04764620c08cd2aeba1392d958
njrat
b4401786ef72c3baf0f60c69e620839a1967cb79d398aae5ec9f5eb84fa46705
njrat
da2630dccf5901a34f9d3f02aa46cc5ccc8b77fce73e01daff853476e47d7f55
njrat
fd11715f74c03c006abf3d00ef802d9ed283ffa17ded36537b2d240757185fbc
njrat
+ 5 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion trojan
Link:
https://tria.ge/reports/230417-snfy4aeg54/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Suspicious use of NtSetInformationThreadHideFromDebugger
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
njRAT/Bladabindi
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a0fc35a4bf1b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0fc35a4bf1bee6806e0321d05845a1415f0b2ac1def10d69ea8be587794e3cb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:malware_Njrat_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:MAL_njrat
Create hunting rule
Author:SECUINFRA Falcon Team
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_LightDefender_Njrat_Rule
Create hunting rule
Author:Skystars LightDefender
Description:Detects Njrat
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Windows_Trojan_Njrat_30f3c220
Create hunting rule
Author:Elastic Security
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.
Rule name:XWorm_Hunter
Create hunting rule
Author:Potato

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments