MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a71b560afb99073078fa82e00143a8db8b93ed79e3dc228880f696c109bddc89. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 17



SHA256 hash: a71b560afb99073078fa82e00143a8db8b93ed79e3dc228880f696c109bddc89
SHA3-384 hash: af89de788dc694fcd81f3bede07d032a201d0f8f86c0e639cde2eaa21125e0e87a2a7308871135fe1366e190338b7a44
SHA1 hash: e3e00c86534ea4095f45820fc5d9d59641832058
MD5 hash: b24f58bb4315dfa0c7efe2cb18bed37d
humanhash: quebec-speaker-bluebird-saturn
File name: Game Laucher.exe
Signature: njrat
File size: 1'150'464 bytes
First seen: 2024-07-08 16:11:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:ga81+sa79EYE7uS2KzKuHcJNc4R0eB+Kt3cNmLc9dJ:ga81+sqnQd2KzK0coTeBX3cQL2J
Threatray 47 similar samples on MalwareBazaar
TLSH T10E35331E73CB1851EC54B9BF9610BC78BD8FC6287DAE1E08AFD7558321404E25F80E9A
TrID 25.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
19.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.1% (.EXE) Win32 Executable (generic) (4504/4/1)
7.8% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.8% (.ICL) Windows Icons Library (generic) (2059/9)
dhash icon f0d4b049e8ccc4f0 (1 x njrat)
Reporter: Anonymous
Tags: exe NjRAT

Intelligence


File Origin
# of uploads: 1
# of downloads: 407
Origin country: HU
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 9ffac3be20e18a26f2e3d748ec0cddf8aa1c28ac7010e2b28c29586c35ee00fc.exe
Verdict: Malicious activity
Analysis date: 2024-07-08 16:02:31 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Searching for analyzing tools
Enabling the 'hidden' option for analyzed file
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Enabling the 'hidden' option for files in the %temp% directory
Enabling the 'hidden' option for recently created files
Creating a window
Searching for synchronization primitives
DNS request
Connection attempt
Searching for the window
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Launching a tool to kill processes
Creating a file in the mass storage device
Forced shutdown of a system process
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: enigma lolbin mingw obfuscated packed packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: spre.troj.adwa.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Sigma detected: New RUN Key Pointing to Suspicious Folder
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph ID: 1469270 (Sample: Game Laucher.exe, Startdate: 08/07/2024, Architecture: WINDOWS, Score: 100). Process chain recovered from the graph:
Game Laucher.exe: drops C:\Users\user\AppData\...\windows process.exe (PE32), its Zone.Identifier stream and a Game Laucher.exe.log file under C:\Users\user\...; hides threads from debuggers; starts windows process.exe.
windows process.exe: resolves 2.tcp.eu.ngrok.io and connects to 18.156.13.209 and 18.192.93.86 (AMAZON-02, United States) on port 16943; drops C:\windows process.exe (PE32), C:\...\b0eb5dd3a6fc209e7aa02e6880775930.exe (PE32), a Zone.Identifier stream and 2 other malicious files; protects its processes via BreakOnTermination flag, creates autorun.inf (USB autostart), creates autostart registry keys with suspicious names, hides threads from debuggers; starts netsh.exe and taskkill.exe (each under its own conhost.exe).
Top-level signatures: Snort IDS alert for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 20 other signatures.
Threat name: Win32.Backdoor.njRAT
Status: Malicious
First seen: 2024-07-08 16:12:08 UTC
File Type: PE (Exe)
Extracted files: 2
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:njrat evasion persistence privilege_escalation trojan
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Drops autorun.inf file
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
Detections: SUSP_XORed_URL_In_EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BobSoftMiniDelphiBoBBobSoft
Author: malware-lu
Rule name: EnigmaProtector11X13XSukhovVladimirSergeNMarkin
Author: malware-lu
Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: SUSP_XORed_URL_In_EXE
Author: Florian Roth (Nextron Systems)
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Signature: njrat
File type: Executable exe
SHA256: a71b560afb99073078fa82e00143a8db8b93ed79e3dc228880f696c109bddc89 (this sample)
Delivery method: Other

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
Reviews
ID | Capabilities | Evidence
SHELL_API | Manipulates System Shell | shell32.dll::ShellExecuteA
WIN_BASE_API | Uses Win Base API | kernel32.dll::LoadLibraryA
WIN_BASE_IO_API | Can Create Files | version.dll::GetFileVersionInfoA

Comments