MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7b419ba495ef1afcb0a243327224d4e088b156c421a4dd6589f980ba943171d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7b419ba495ef1afcb0a243327224d4e088b156c421a4dd6589f980ba943171d
SHA3-384 hash: b172e41bc433719be83eed330cfa6eab4b9b2b1253469ba06b24b110778c2f4aae77b314c7d40bec2340853840c02673
SHA1 hash: 81622e8f5cb9a47b8d80cdfe04e6d14dce7b4516
MD5 hash: c108a99104488f06bd03b9f18c58b4cf
humanhash: wolfram-spaghetti-echo-purple
File name:a7b419ba495ef1afcb0a243327224d4e088b156c421a4dd6589f980ba943171d
Download: download sample
Signature njrat
Create hunting rule
File size:1'140'224 bytes
First seen:2021-08-30 06:23:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep 24576:enJdpkbWv9w/tN13AQnv3bBE1muE76EdJF8rRyx9R:eX9wFN1znv3bgmr7/d4rY
Threatray 10 similar samples on MalwareBazaar
TLSH T1C43533E020B6F4A2D6D378FE6504797135E733A7D19C2B13AD9B81168A3C92D2CD0FA5
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
428
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a7b419ba495ef1afcb0a243327224d4e088b156c421a4dd6589f980ba943171d
Verdict:
Malicious activity
Analysis date:
2021-08-30 06:33:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a129b03-cedd-43f6-b8b4-4971ccabcaa6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/183509/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

Win.Malware.Agen-9864859-0
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c76b4269-9146-40d8-a8c0-8bad0532885d
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842043
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 474475 Sample: fgrO7JXMAD Startdate: 31/08/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for dropped file 2->49 51 11 other signatures 2->51 8 fgrO7JXMAD.exe 7 2->8         started        12 Microsoft Corporation.exe 3 2->12         started        process3 file4 23 C:\Users\user\AppData\Local\Temp\server.exe, PE32 8->23 dropped 25 C:\Users\user\AppData\...\fgrO7JXMAD.exe.log, ASCII 8->25 dropped 53 Detected unpacking (changes PE section rights) 8->53 55 Tries to evade analysis by execution special instruction which cause usermode exception 8->55 57 Hides threads from debuggers 8->57 14 server.exe 2 8 8->14         started        signatures5 process6 dnsIp7 35 82.202.167.230, 49707, 49709, 49710 THEFIRST-ASRU Russian Federation 14->35 27 C:\Windows\SysWOW64xplower.exe, PE32 14->27 dropped 29 C:\Users\user\...\Microsoft Corporation.exe, PE32 14->29 dropped 31 815ab323fd284dbc0a...cWindows Update.exe, PE32 14->31 dropped 33 C:33otepad.exe, PE32 14->33 dropped 37 Antivirus detection for dropped file 14->37 39 Multi AV Scanner detection for dropped file 14->39 41 Machine Learning detection for dropped file 14->41 43 6 other signatures 14->43 19 netsh.exe 1 3 14->19         started        file8 signatures9 process10 process11 21 conhost.exe 19->21         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7b419ba495ef1afcb0a243327224d4e088b156c421a4dd6589f980ba943171d/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 15:24:16 UTC
File Type:
PE (Exe)
AV detection:
29 of 46 (63.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u62btosjl3y27sykeqzsoisnjyeiwflmiine3vsyt6maxkkdc4oq._file
Verdict:
suspicious
Similar samples:
06aba312b446bf01180d633c94686c5ab2d102d40156b5cd9a9255cc6fd5b69c
njrat
206daa7d62850c579968f14560f06ba362ded251da3a8faeb9a331dd862b970f
njrat
4322b25b29f160a08e809764a5dd86deda2289623331867004f85a905ce47769
njrat
4824693d37ee0c444b89e21a2ae1cba396927f299e88751759635b2795c1bc96
njrat
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
njrat
798eab01e5d7f1c78e3f7db514f3611ae85e468405af144245f55c8f2657c6d9
njrat
88e03236b248d004923161c7928a1546cdffd0b6e8c30a22b1d49b05dca9b2da
njrat
9cda5e5ad6ca68a803516013fbf62e6b06383b20fccf1ee6aed4730c916a3b55
njrat
b83c0954a3138f4c18e4f6a5182768b5a1efbb13c69dcf01d63eb81f63456eda
njrat
d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a
njrat
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner
Link:
https://tria.ge/reports/210830-wh7cd5h8j2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops startup file
Loads dropped DLL
Disables Task Manager via registry modification
Executes dropped EXE
Modifies Windows Firewall
xmrig
Unpacked files
SH256 hash:
a7b419ba495ef1afcb0a243327224d4e088b156c421a4dd6589f980ba943171d
MD5 hash:
c108a99104488f06bd03b9f18c58b4cf
SHA1 hash:
81622e8f5cb9a47b8d80cdfe04e6d14dce7b4516
Link:
https://www.unpac.me/results/4fd5673b-c361-4da5-8364-a5d2d13aff08/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7b419ba495ef1afcb0a243327224d4e088b156c421a4dd6589f980ba943171d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:Enigma_Protected_Malware
Create hunting rule
Author:Florian Roth with the help of binar.ly
Description:Detects samples packed by Enigma Protector
Reference:https://goo.gl/OEVQ9w
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_LightDefender_Njrat_Rule
Create hunting rule
Author:Skystars LightDefender
Description:Detects Njrat
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/183509/

Comments