MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a25eb7c50af21a154c82ac917bf9e7abb7b94225da381849a097792ecb16a2ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: njrat

Vendor detections: 11

SHA256 hash: a25eb7c50af21a154c82ac917bf9e7abb7b94225da381849a097792ecb16a2ca
SHA3-384 hash: d3f7b572461fb29dfdb740395cb68ea594e395935ebff0593b5a73150eb90b4ef6f332c5174d5e9c569263a3e1cf52d5
SHA1 hash: 9ec1b89b8583731c50c6748afbbd2fbd33ad22c6
MD5 hash: ebec78ef2edc1b36362972ff93a2e2d2
humanhash: lima-eleven-ten-stream
File name: a25eb7c50af21a154c82ac917bf9e7abb7b94225da381849a097792ecb16a2ca
Download: download sample
Signature: njrat
File size: 1'175'237 bytes
First seen: 2021-08-30 06:24:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 24576:OhvJVJdMKiPEx2FO6E51J3p30BJ8IznJgOz4SMwhknL:23dmMx2FO6E51zEfNGA4UheL
Threatray: 1'005 similar samples on MalwareBazaar
TLSH: T1DA451201B8C095F2D6210C76462A6F60257DBD312B149FDBB3E86E2DA9751D0FB31BA3
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: JAMESWT_WT
Tags: exe NjRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 443
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: a25eb7c50af21a154c82ac917bf9e7abb7b94225da381849a097792ecb16a2ca
Verdict: Malicious activity
Analysis date: 2021-08-30 06:55:21 UTC
Tags: rat njrat bladabindi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process from a recently created file
Deleting a recently created file
Creating a file in the %AppData% directory
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Connection attempt
Sending a UDP request
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Threat name:
Detection: malicious
Classification: spre.troj.adwa.spyw.evad
Score: 100 / 100

Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph: [graph image not reproduced; details recoverable from the graph labels] Behavior Graph ID: 474462, Sample: S7lFz9VsQn, Startdate: 31/08/2021, Architecture: WINDOWS, Score: 100. Process chain: S7lFz9VsQn.exe drops C:\Users\user\...\CheatEngine2.sfx.exe and launches it through cmd.exe (with conhost.exe); CheatEngine2.sfx.exe drops and starts C:\Users\user\AppData\...\CheatEngine2.exe, which drops CheatEngine1.sfx.exe; the same unpack-and-run step repeats through CheatEngine1.exe, CheatEngine0.sfx.exe and CheatEngine0.exe, and the final stage drops C:\Users\user\AppData\Roaming\svchost.exe (PE32). Signatures shown on the graph: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Multi AV Scanner detection for submitted file and for each dropped file; Machine Learning detection for dropped file; Drops PE files with benign system names; Changes security center settings (notifications, updates, antivirus, firewall); 8 other signatures. Network: 127.0.0.1 (unknown) from svchost.exe.
Threat name: Win32.Trojan.Rasftuby
Status: Malicious
First seen: 2021-08-15 06:48:33 UTC
File Type: PE (Exe)
Extracted files: 36
AV detection: 20 of 46 (43.48%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: evasion persistence

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SHA256 hash: f725ccdcca78b62292970203faee7340e42a8c3cd6288efb47c0f387dac250e0
MD5 hash: 783aa869fe89245e57c953ccf04592f6
SHA1 hash: d912ea8c3a84f00c2af3310d7f795dfa7e3beb64
Detections: win_njrat_w1 win_njrat_g1

SHA256 hash: a25eb7c50af21a154c82ac917bf9e7abb7b94225da381849a097792ecb16a2ca
MD5 hash: ebec78ef2edc1b36362972ff93a2e2d2
SHA1 hash: 9ec1b89b8583731c50c6748afbbd2fbd33ad22c6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments