MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8079edc38bc308df7f65a4e59d690f3261ab5ebf8c2d41c168c109c28f5d95e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a8079edc38bc308df7f65a4e59d690f3261ab5ebf8c2d41c168c109c28f5d95e
SHA3-384 hash: 84534e218d1b09e992f7b35daa3f219b74fe1629ddf483037a6f381852e90aab8d3f765d3bde5e5846806e4f39f92a22
SHA1 hash: f0983bb64760aa4e3d1f3c5234323e7fe1c5d5ec
MD5 hash: 811aa8d51005fb7a9d44fee3c640503f
humanhash: steak-wolfram-mockingbird-four
File name:fdaf64.exe
Download: download sample
Signature njrat
Create hunting rule
File size:346'052 bytes
First seen:2023-12-25 07:05:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0b36fc85e0cb5e337c80982db5210969 (7 x Berbew, 6 x njrat)
ssdeep 3072:dfEEcs+MhGsnhgvl6gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:dfaMg61+fIyG5jZkCwi8r
TLSH T1C074C7FB5DA25F1FC41F533A84AACAC06269C44F0D6AC68225742CD9B96F4CA3CF5D48
TrID 28.5% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4505/5/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Reporter adm1n_usa32
Tags:64 exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
368
Origin country :
RO RO
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/469281/
Detection(s):
Win.Trojan.Crypted-28
Create hunting rule

Win.Trojan.Obfus-38
Create hunting rule

Win.Packed.Generic-9795615-0
Create hunting rule

Win.Packed.Generic-9795616-0
Create hunting rule

Win.Dropper.Berbew-10010799-0
Create hunting rule

Win.Dropper.Berbew-10013413-0
Create hunting rule

Win.Trojan.Padodor-10013789-0
Create hunting rule

Win.Dropper.njRAT-10015886-0
Create hunting rule

Win.Trojan.Generic-6417450-0
Create hunting rule

Win.Trojan.Generic-6454614-0
Create hunting rule

Win.Trojan.Generic-6454615-0
Create hunting rule

Win.Trojan.B-468
Create hunting rule

Win.Trojan.Bladabindi-6192388-0
Create hunting rule

Win.Packed.Bladabindi-6917466-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the Windows subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Enabling autorun
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
cmd crypted fingerprint greyware keylogger lolbin netsh njrat overlay packed rat replace stealer
Link:
https://www.filescan.io/uploads/658929db03487a0d25d51ec2/reports/b8a500f9-89a3-40b5-ae6e-7b9ec678057c/overview
Verdict:
Malicious
Labled as:
Dropper.Generic.MSIL.Bladabindi
Link:
https://www.hybrid-analysis.com/sample/a8079edc38bc308df7f65a4e59d690f3261ab5ebf8c2d41c168c109c28f5d95e
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4b6241bd-10ac-4e8a-b9c5-93b2d21c44ce
Result
Threat name:
Berbew, Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1366834
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Yara detected Berbew
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1366834 Sample: fdaf64.exe Startdate: 25/12/2023 Architecture: WINDOWS Score: 100 94 Multi AV Scanner detection for domain / URL 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for URL or domain 2->98 100 9 other signatures 2->100 14 fdaf64.exe 3 3 2->14         started        process3 file4 82 C:\Windows\SysWOW64hbnfffk.dll, PE32 14->82 dropped 84 C:\Windows\SysWOW64\Cmgpbe32.exe, PE32 14->84 dropped 146 Creates an undocumented autostart registry key 14->146 148 Drops executables to the windows directory (C:\Windows) and starts them 14->148 18 Cmgpbe32.exe 2 14->18         started        signatures5 process6 file7 54 C:\Windows\SysWOW64\Kkjpbjmn.dll, PE32 18->54 dropped 56 C:\Windows\SysWOW64\Cjkplj32.exe, PE32 18->56 dropped 102 Antivirus detection for dropped file 18->102 104 Machine Learning detection for dropped file 18->104 106 Drops executables to the windows directory (C:\Windows) and starts them 18->106 22 Cjkplj32.exe 2 18->22         started        signatures8 process9 file10 66 C:\Windows\SysWOW64phlmdlh.dll, PE32 22->66 dropped 68 C:\Windows\SysWOW64\Cccdeo32.exe, PE32 22->68 dropped 120 Antivirus detection for dropped file 22->120 122 Machine Learning detection for dropped file 22->122 124 Drops executables to the windows directory (C:\Windows) and starts them 22->124 26 Cccdeo32.exe 2 22->26         started        signatures11 process12 file13 74 C:\Windows\SysWOW64\Ppgmnfbl.dll, PE32 26->74 dropped 76 C:\Windows\SysWOW64\Ccfajo32.exe, PE32 26->76 dropped 134 Antivirus detection for dropped file 26->134 136 Machine Learning detection for dropped file 26->136 138 Drops executables to the windows directory (C:\Windows) and starts them 26->138 30 Ccfajo32.exe 2 26->30         started        signatures14 process15 file16 86 C:\Windows\SysWOW64\Dmnecdib.exe, PE32 30->86 dropped 88 C:\Windows\SysWOW64\Dmfonp32.dll, PE32 30->88 dropped 150 Antivirus detection for dropped file 30->150 152 Machine Learning detection for dropped file 30->152 154 Drops executables to the windows directory (C:\Windows) and starts them 30->154 34 Dmnecdib.exe 2 30->34         started        signatures17 process18 file19 58 C:\Windows\SysWOW64\Djbfmi32.exe, PE32 34->58 dropped 60 C:\Windows\SysWOW64\Aancmb32.dll, PE32 34->60 dropped 108 Antivirus detection for dropped file 34->108 110 Machine Learning detection for dropped file 34->110 112 Drops executables to the windows directory (C:\Windows) and starts them 34->112 38 Djbfmi32.exe 2 34->38         started        signatures20 process21 file22 70 C:\Windows\SysWOW64\Dgfffm32.exe, PE32 38->70 dropped 72 C:\Windows\SysWOW64\Amfaigea.dll, PE32 38->72 dropped 126 Antivirus detection for dropped file 38->126 128 Multi AV Scanner detection for dropped file 38->128 130 Machine Learning detection for dropped file 38->130 132 Drops executables to the windows directory (C:\Windows) and starts them 38->132 42 Dgfffm32.exe 2 38->42         started        signatures23 process24 file25 78 C:\Windows\SysWOW64\Fenkgpbi.dll, PE32 42->78 dropped 80 C:\Windows\SysWOW64\Dcmgkn32.exe, PE32 42->80 dropped 140 Antivirus detection for dropped file 42->140 142 Machine Learning detection for dropped file 42->142 144 Drops executables to the windows directory (C:\Windows) and starts them 42->144 46 Dcmgkn32.exe 2 42->46         started        signatures26 process27 file28 90 C:\Windows\SysWOW64\Fbcnec32.dll, PE32 46->90 dropped 92 C:\Windows\SysWOW64\Daqhdb32.exe, PE32 46->92 dropped 156 Antivirus detection for dropped file 46->156 158 Machine Learning detection for dropped file 46->158 160 Drops executables to the windows directory (C:\Windows) and starts them 46->160 50 Daqhdb32.exe 2 46->50         started        signatures29 process30 file31 62 C:\Windows\SysWOW64behaviorgrapholeql32.dll, PE32 50->62 dropped 64 C:\Windows\SysWOW64\Djilmhbd.exe, PE32 50->64 dropped 114 Antivirus detection for dropped file 50->114 116 Machine Learning detection for dropped file 50->116 118 Drops executables to the windows directory (C:\Windows) and starts them 50->118 signatures32
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a8079edc38bc308df7f65a4e59d690f3261ab5ebf8c2d41c168c109c28f5d95e
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a8079edc38bc308df7f65a4e59d690f3261ab5ebf8c2d41c168c109c28f5d95e/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-09-03 15:46:00 UTC
File Type:
PE (Exe)
AV detection:
36 of 37 (97.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vadz5xbyxqyi357wljhftvuq6mtbvnpl7dbnihawrqijykhv3fpa._file
Verdict:
malicious
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat persistence trojan
Link:
https://tria.ge/reports/231225-hw3gysabdj/
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Executes dropped EXE
Adds autorun key to be loaded by Explorer.exe on startup
njRAT/Bladabindi
Unpacked files
SH256 hash:
a8079edc38bc308df7f65a4e59d690f3261ab5ebf8c2d41c168c109c28f5d95e
MD5 hash:
811aa8d51005fb7a9d44fee3c640503f
SHA1 hash:
f0983bb64760aa4e3d1f3c5234323e7fe1c5d5ec
Detections:
NjRat
Create hunting rule
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Njrat
Create hunting rule
MALWARE_Win_NjRAT
Create hunting rule
Link:
https://www.unpac.me/results/17f44a51-87c3-4e71-a18f-70f1d5fba224/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a8079edc38bc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a8079edc38bc308df7f65a4e59d690f3261ab5ebf8c2d41c168c109c28f5d95e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Joe
Joe Sandbox
https://www.hybrid-analysis.com/sample/a8079edc38bc308df7f65a4e59d690f3261ab5ebf8c2d41c168c109c28f5d95e/6589059914d28013e4067583
Cape
Cape
https://www.capesandbox.com/analysis/469281/

Comments