MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a31ffbdea743038de8710e149117fce2035ed4682b1755fdda0a67ba272e4155. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a31ffbdea743038de8710e149117fce2035ed4682b1755fdda0a67ba272e4155
SHA3-384 hash: bfe47a3e1f0a7050bba6a8d5d7d91d3643822aed6f4fca0e7e49b726c38011decd31d2d8ba33adccf01640c0dd5d9b92
SHA1 hash: 486b6215785fc8f2464202cff4e8c0ad3a38ff8f
MD5 hash: 1c2d01bddf4cd5b658b3ea99335a7fe6
humanhash: whiskey-bulldog-lake-bacon
File name:RblxImageLoggerSploitz.bin
Download: download sample
Signature njrat
Create hunting rule
File size:102'400 bytes
First seen:2022-06-18 17:29:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:lXUhYlEzrCYDBA77SDklKbx+pW/jZRemBH7u7LLTBSjnN76JHIc7fXBK:2uwCyD8r5HIc7vY
Threatray 3'404 similar samples on MalwareBazaar
TLSH T13DA3BB2529FB40ADF3A79EB25FC8F8FF8969E537260E70B6359107468722D408D52336
TrID 64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.5% (.SCR) Windows screen saver (13101/52/3)
9.2% (.EXE) Win64 Executable (generic) (10523/12/4)
5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter KdssSupport
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
410
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
https://mega.nz/folder/SvhEALzD#4ZFdtdb0s1gPnRsFpj-VoA
Verdict:
Malicious activity
Analysis date:
2022-04-17 11:09:14 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/598b3edd-b9e7-4167-b18d-4334c5ba3e23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281192/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
DNS request
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi packed
Link:
https://www.filescan.io/uploads/62ae0bd7c07f2e38a158f0c1/reports/effbf2b8-5fb8-49a8-ace5-66ed0b354e2c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96079808-49d3-4ced-ad64-c2b34de91735
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1015755
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 648247 Sample: RblxImageLoggerSploitz.bin Startdate: 18/06/2022 Architecture: WINDOWS Score: 100 41 fasterstronger.ddns.net 2->41 47 Multi AV Scanner detection for domain / URL 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for URL or domain 2->51 53 11 other signatures 2->53 9 RblxImageLoggerSploitz.exe 6 2->9         started        13 svchost.exe 9 1 2->13         started        16 svchost.exe 2 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 35 C:\ProgramData\svchost.exe, PE32 9->35 dropped 37 C:\Users\...\RblxImageLoggerSploitz.exe.log, ASCII 9->37 dropped 39 C:\ProgramData\svchost.exe:Zone.Identifier, ASCII 9->39 dropped 63 Drops PE files with benign system names 9->63 20 svchost.exe 3 5 9->20         started        45 127.0.0.1 unknown unknown 13->45 file6 signatures7 process8 dnsIp9 43 fasterstronger.ddns.net 194.150.65.220, 1177 UNINET-ASSoprusepst145FI Estonia 20->43 29 C:\...\ad76a6098df431046ffdf41b1a2ed40a.exe, PE32 20->29 dropped 31 ad76a6098df431046f...exe:Zone.Identifier, ASCII 20->31 dropped 33 C:\ProgramData\svchost.exe.tmp, ASCII 20->33 dropped 55 Antivirus detection for dropped file 20->55 57 System process connects to network (likely due to code injection or exploit) 20->57 59 Multi AV Scanner detection for dropped file 20->59 61 5 other signatures 20->61 25 netsh.exe 1 3 20->25         started        file10 signatures11 process12 process13 27 conhost.exe 25->27         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a31ffbdea743038de8710e149117fce2035ed4682b1755fdda0a67ba272e4155/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-04-09 00:49:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ump7xxvhimby32drbykjcf744ibv5vdifmlvl7o2bjt3ujzoifkq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
179e97a913167cf134940de30dcf83311d6daa3d156e0285111f111a75c8fbd3
njrat
1ab5a32c95f4645f124b455ccbd65a46e56897a9f0f62e3edd8a8c3ea06189ab
njrat
1c9655a848a8e2dd98308732a4fd8bc82d0460ae3269dac8c3f45abcadce95d4
njrat
219cf2977c0afa489825030495c43b818336546fdc1c8555217c41d2ad730da8
njrat
6427f0361a3101a575c54575674ca52a241b8b295954609ce2dd5d5200c0b3a8
njrat
78364eb0cc0cf381b000b9ae8f942bb4c94f342ba10827d7e7e4dd8ae3d140ff
njrat
7b864591a77a15197d9f25ed3e625b50576ffc061f2849ac6fcc245d296b7357
njrat
a0cb00d5bb97ce9125323b94cfee7c1b2563e3166b6a37f751894a917971d370
njrat
f8bb1118a79d74dc964c6f7da6c9cac4b4d25be0428f49840267d666b3f94c55
njrat
+ 3'394 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:v1ctim evasion persistence trojan
Link:
https://tria.ge/reports/220618-v25wgsacbm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction:
fasterstronger.ddns.net:1177
Unpacked files
SH256 hash:
7bfebc8acadf2f273f5adcd2bfec90fea7c03f5217b9451a2b37e3e9dfcabe7e
MD5 hash:
29411838e27403911c3f8b651636dc1c
SHA1 hash:
f6398904e7f46271dd33c6041b28bdefd9f63b8f
Detections:
win_njrat_g1
Create hunting rule
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/cf49f24c-fa97-41bb-9113-848a868a2d43/
SH256 hash:
a31ffbdea743038de8710e149117fce2035ed4682b1755fdda0a67ba272e4155
MD5 hash:
1c2d01bddf4cd5b658b3ea99335a7fe6
SHA1 hash:
486b6215785fc8f2464202cff4e8c0ad3a38ff8f
Link:
https://www.unpac.me/results/cf49f24c-fa97-41bb-9113-848a868a2d43/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/a31ffbdea743038de8710e149117fce2035ed4682b1755fdda0a67ba272e4155

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/281192/

Comments