MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a31dfcb36d457e6e8cb5d6d26c864d6fc36dc6eda9a1de0788b45a00e1a5b859. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a31dfcb36d457e6e8cb5d6d26c864d6fc36dc6eda9a1de0788b45a00e1a5b859
SHA3-384 hash: e2774ae8c8b08d92d6833021c505e1591fadb33cae7e1d9b4311f732316617a5723444d006d158f1ab38ec17217a7462
SHA1 hash: dbb7496f5cef0a1bae9b7fdf97da336c2481bd36
MD5 hash: 12d24c1f96516f3fd472581507dc42e6
humanhash: sixteen-william-glucose-seventeen
File name:a31dfcb36d457e6e8cb5d6d26c864d6fc36dc6eda9a1de0788b45a00e1a5b859
Download: download sample
Signature njrat
Create hunting rule
File size:221'696 bytes
First seen:2020-11-14 17:53:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 720f62ecaae027b5c3ec6686644322e9 (12 x njrat, 8 x RevengeRAT, 4 x AgentTesla)
ssdeep 6144:pSCRerM42B/SyTB9vj48ylt89HDU/TGbxVhw1cuN:pSlgh5pTrvj4/ltIHVu1BN
Threatray 62 similar samples on MalwareBazaar
TLSH 0624D01435C0C2B3C4BB113A48E5CB799A2534365BAEE5D3FB991FA66E113D097323CA
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Creating a window
DNS request
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/536323
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 317261 Sample: ZcMLeud6oh Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 48 cdn.onenote.net 2->48 50 ahmadx9.no-ip.biz 2->50 56 Malicious sample detected (through community Yara rule) 2->56 58 Antivirus detection for dropped file 2->58 60 Antivirus / Scanner detection for submitted sample 2->60 62 10 other signatures 2->62 9 ZcMLeud6oh.exe 2 6 2->9         started        12 system.exe 3 2->12         started        14 system.exe 4 2->14         started        16 2 other processes 2->16 signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\system.exe, PE32 9->38 dropped 40 C:\Users\user\...\system.exe:Zone.Identifier, ASCII 9->40 dropped 42 C:\Users\user\AppData\...\ZcMLeud6oh.exe.log, ASCII 9->42 dropped 18 system.exe 2 8 9->18         started        44 C:\...\dae31c02cb06222e776b9ccb9207edb1.exe, PE32 12->44 dropped 46 dae31c02cb06222e77...exe:Zone.Identifier, ASCII 12->46 dropped 22 netsh.exe 12->22         started        24 netsh.exe 3 14->24         started        26 netsh.exe 3 16->26         started        process6 dnsIp7 52 ahmadx9.no-ip.biz 18->52 54 192.168.2.1 unknown unknown 18->54 64 Antivirus detection for dropped file 18->64 66 Multi AV Scanner detection for dropped file 18->66 68 Protects its processes via BreakOnTermination flag 18->68 70 3 other signatures 18->70 28 netsh.exe 1 3 18->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        signatures8 process9 process10 36 conhost.exe 28->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a31dfcb36d457e6e8cb5d6d26c864d6fc36dc6eda9a1de0788b45a00e1a5b859/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 17:54:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=umo7zm3niv7g5dfv23jgzbsnn7bw3rxnvgq54b4iwrnabynfxbmq._file
Verdict:
unknown
Similar samples:
2028ddda2340b3b970746b54e87062982d668a9314d84175d2a759426d2b23f9
njrat
2568dc1c5fbbec2e5a84dd95559dd89a8318d4eb1f501c33ed1d1bf861b4dca8
njrat
43a0c2443d1a63d4cc498bae9d459590b37379d5dd57a625545fa484a99d3fb6
njrat
9a569928b9970643f530c9077cb2c441adbd81d13a747d55294b3fa9168069f2
njrat
a4b56ba3f208c1a1211cf2c9164b8b1da5406045fa80f32e4bb324886b10e611
njrat
b8fbf85d1eab97ed168f99eb07d13294594675a051c2056b5374630d81fd974d
njrat
bff28338bbadacd9bd733c2d87b16357874b8e9ff7cccdca89a330193fabc9f5
njrat
cebc70d2a5836d2a510eaf274a8e4e2e1ca815aa14fe31406cd05fda7ea7220b
njrat
d873f30f48805a3dbab8c976665c26fc9c661e23f3b82f143fdd7346268b595a
njrat
eedded196860d1ef5a143268a85bc3951af23e55da8c12b8b1b58b42b9f443f1
njrat
+ 52 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/201114-drsyl73r26/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Drops startup file
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
a31dfcb36d457e6e8cb5d6d26c864d6fc36dc6eda9a1de0788b45a00e1a5b859
MD5 hash:
12d24c1f96516f3fd472581507dc42e6
SHA1 hash:
dbb7496f5cef0a1bae9b7fdf97da336c2481bd36
Link:
https://www.unpac.me/results/aa319677-bfb1-4a6d-a91b-82ab212a4f21/
SH256 hash:
88e508ce732fdef9cab509314689dbb40ec18ebd5625b427dfb668a400cae85f
MD5 hash:
8441503220f6e0afb771b0f42c38b802
SHA1 hash:
412e32f14e5bea02ba15bb33ffe144fc09de6f33
Link:
https://www.unpac.me/results/aa319677-bfb1-4a6d-a91b-82ab212a4f21/
SH256 hash:
7cfc70d09da47af9a2a11ccc4adef918d5b4b9dd4d2aa5370d456f5ace7e2b34
MD5 hash:
8e16800c059b84b691a95cf71a3f1cb6
SHA1 hash:
40d60705098962a3602c8d729776e3b6acce495b
Link:
https://www.unpac.me/results/aa319677-bfb1-4a6d-a91b-82ab212a4f21/
SH256 hash:
2bb851ae03b081a6f6388f0878904856c815d165e173b7f2cc11b4b31b2ac304
MD5 hash:
e14dc2907a4e9d835a7efdbf821dc5a0
SHA1 hash:
c0b35ec7bad6afa2b3b1cabd1be21a4c7635e3f3
Detections:
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/aa319677-bfb1-4a6d-a91b-82ab212a4f21/
Parent samples :
bff28338bbadacd9bd733c2d87b16357874b8e9ff7cccdca89a330193fabc9f5
a31dfcb36d457e6e8cb5d6d26c864d6fc36dc6eda9a1de0788b45a00e1a5b859
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
RevengeRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a31dfcb36d457e6e8cb5d6d26c864d6fc36dc6eda9a1de0788b45a00e1a5b859

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments