MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a94f4c6189a4f89c3df20864c695be40f546a249cb216ff843c734c488cc2742. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a94f4c6189a4f89c3df20864c695be40f546a249cb216ff843c734c488cc2742
SHA3-384 hash: 74fb402578751ff23ce7d2643be2b3c51e373c5954c78bda93039d5e9cc428ddc8b9bd9d2579cb32997aefb3d1215d1f
SHA1 hash: 00eb5d18f6993290a0a10e1615df95e8c94d0bec
MD5 hash: b6aa10916971a67255460735652ef1ec
humanhash: mango-autumn-charlie-golf
File name:a94f4c6189a4f89c3df20864c695be40f546a249cb216ff843c734c488cc2742
Download: download sample
Signature njrat
Create hunting rule
File size:100'928 bytes
First seen:2020-11-10 11:04:43 UTC
Last seen:2024-07-24 20:05:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 1536:WAp5eznKUlIOp3YjVCguHEvQEbFqVC3woFRKpT4b:d5eznsjsguGDFqGb
Threatray 471 similar samples on MalwareBazaar
TLSH 3FA3CA387D952133C67EC1F689E50A8AEB69223F3191E9ED4CA742C418B2F166DC1D1F
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
3
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Bladabindi-6717505-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
DNS request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Launching the process to change the firewall settings
Connection attempt to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a94f4c6189a4f89c3df20864c695be40f546a249cb216ff843c734c488cc2742/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 19:55:25 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vfhuyymjut4jyppsbbsmnfn6id2unisjzmqw76cdy42mjcgme5ba._file
Verdict:
malicious
Similar samples:
159736558c7788b0f22c0427eaeb06b29e7d65b38a1eaee3cd7e94ecb1d308ea
njrat
1a14c81206d4ba6deefd3530e6cdc950974b4d6df3524a9a4b00d7c5e041fd02
njrat
226050e34938404ff5dbc7d402fdfa8c5386dc312060b29bf2c25beb466c5f49
njrat
41372f3f369d6be620fd69cb01d60a6fd28c9094e6ce647a0abe941f4b79010b
njrat
524801975f071dc8562339fe68bc0094c94b0e4bfb936e4c4f7c0bf572f1720d
njrat
55b75d54b93531355eab96fdf3969d233fd3891125af6dea4acba5164920fae6
njrat
b4cd64cd6ea7c31f5e568d6da93d6cfbc7c97d8d7829f27bf6702f2dc11ebf49
njrat
c8bc98c031af422824eb12cd8dcf61b8e1844aea010134692c1f3d4b8bedae69
njrat
d6090af79301c6e0b738d4ce658d8f7464fa7ec7ce59b6f6776d6852ac7af65e
njrat
ec239cea89c5def6ff25870f9bf97dda8bef7af85c9c4bfe5fb3cc9d8ab75f6a
njrat
+ 461 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan
Link:
https://tria.ge/reports/201110-ecm5cbrbze/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
SH256 hash:
496ac16ee61a4b6684256d9a167379748c5bc10bde803d0fe64e3c95b20b99fe
MD5 hash:
ecfa5f6d4a079ecbf84c7c298b140e38
SHA1 hash:
82670e4664b3cfc2e12f86b05a7e3169490e6761
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/9b9858d9-76cd-4442-a744-535e460fda94/
Parent samples :
d1b56c2b7a96b831726e9d643003ca2944891a503c89e735802472ce91288f48
b0aac0d798e9f2f747d38c7fb06d871dc418b3122f45c346d323b4375f37dbed
a393c0e0403bc744eca209d2a7b083d16b7f0b27aa4e19a20dc38766f59263ab
2df21c5e9dafb2d943c87343252041881b1226e8d2b6fe2744ac2a24d27d95fe
d2a5408154b1551ffa7e25ac75836e9df32edd62c677e6e55541257b99dd60b2
c28ff0ac18647b980286a824a1728a761c4131263b7b560f7541bbff34c311cd
3f5015704b8cdc1a4593054951dc5eda6f92b2ca3c8b282fd7fb006a1c286bad
870dcb66d005cb9d714b857af908d008d99b8be474d6954d3436caea829ac4fb
3dfe8bc62b1bc2d873e542593c410b85a9055381be9915e93421c83eeb1910c6
9ae97764efdb53ddd161d7331f5607994f5c8bd225c3bccb5e48a0a692f9c94c
cea508c7c1500ca2b22f4640fa12dee393401b987c3d1cf679c1cea4633adac9
608d8739ae7ed3bc6abafc6568edfdd29d17d189ff998eddd1c3dfc49c49ffc6
789757ae1004a49ff5d86bf31c75c7056c99aff2a419145fe048eb63693e0284
a94f4c6189a4f89c3df20864c695be40f546a249cb216ff843c734c488cc2742
da14a4e7c900e429ffb16b7f89e27216fc9befbc909af78e9677e435197ee049
0f307c97b107d3c77e326437d067b600b73bb67663835ecb7ea833f90f2abab7
5d50a9bbbd7d28c608807cda0a40675ba59e0418585527cb0d173ccbe9f397e4
79458828d4ce380b52ca39693a7b975273bbe80a504f517b17e628a86b291177
3ac6101bf9cabe27660ef1e55682d73fdfda003da84bcfcb86e40828383b4860
45e774876884d29f53659c6e2962858fcb70a77902e07e44ea2b30f8c65cbf97
9593e26184cf66f977f6183958da83ad87ea6cf254683da6f7aecebc8c64f988
c122a727fca8bec4e5a0d0a600fc00592fd96b1d79d24f8f336ba79e66fe9258
892951023a515a6fe94b5e74987d15ad7b32f5517381259c40f1555925f3d243
ccd5489042e837a771f04a06fc5296535c2fff338e4d7b6d0585f446f2b0ba6b
8d4934af5ee8162d5e8042181c44969aecb40c6404726f27d45bf37722fc3a47
b92b3f06aef438a10c85773880193efba902c385693454b655002688dadd271d
7398b95f4ac56dfe5d4fc93f73fe94877fe267e8a6737dae4fac58273978c23a
e466ea0ac9138262b6459c4a5c473de72ac2fdf6ab6fbff79c332f72a0999c2b
965bb9b053f8e76e687b5d26994978c8a7de03810b77b00c784e398bde3ede06
d07cacdbd76d1b83a61506b8da96f9e5ea7238ffaefe8d715c64d3e1f325c01b
58c89c14d8bc30283cb8be7afac30f0ea2c89c9a80dde4f1b898af763fe3e6d5
aca777666d3337112af776a4541fa1b8366546e3078f857ffd41e91f40241f7d
915bd9e1fa1c5fca6fce6f4f9d7b87354765f7a03e588290bd2403f72199cee5
d6ddb50a5c9f484e89fc63cd7bdab796b63c91ba6034271df5c17aa1919bccb5
3aa10851ee2e45aa3874b2b59d78ba00ba56201528118f64d0d2f7c95ae953ad
31f61628f0dbaf14ddacb7d271a91b281038d3c6120c7ee082cc00c30112f1d2
49f277dc019b879a635698e0611344db6d45bc7c577dc4fed3d1fe98ddef94fe
b28b6fb51ad601426665371ccd212a0038865c40f73b76cc1adba27da491cebf
22426a542a836312bd6bcfdafb88ae727fe519046ac3a0ea2af2a2beca285e8f
7f9690a0ca91cfd371100be8d22540405315508650093ab356570bf236abe0ed
e2798e218dd3dc6dcef7a86a0f143acbbbb6d6b4a3aff594b1186c878fecc91a
ddea6079aa1de6f1b20a1417b1b01d835451b2b59a7beeb8591b59af37230351
120f92905913bccc61e294ec99684e86e5ad071413d0e5d552841718d2e061fa
12c5ae7eae4ad3f2a7a63f82db9a746c7b4c90dcd77d54a49d1547d77433ab8e
65f628e78ca5d7cc1a094a2baa3a3cc5a24e0f680e40a34ee482df42e7d0e005
adb83e8227bcdebe27274521da4e62ccb9d0c2beb6e65493299d7bef985b0cc7
cf5fa58a9cfbe95541b166b26f73b16de59cd4da5ced463caa1f9dc336593d09
c2e1d400d15201525198f40822b5b35c5366691f94394fdbf1c20e1fd44f4176
f49bf2ac8babbe700e737698c0da57140ad78d61d759b508bc949ace4992c66c
e33e0c5feea6734224716cdcdf532bfeb950f456a482657c107184b3b67e7fe7
2e8cca3ef6cea17f22468a9cd2695cea50707273e2ffb4fd28b0fc7f3e7a1c39
72e9105cade1c5f92dad850ce2ffcf4792ae86e3f0039187bf2fbfb0bd949ff9
7454c11de16577f7375b4ec11bb7e541f5646347954d8ba10450c1cf5777db65
3b787e1042e716123a63a1741fa19dc9d2378b3874b528b5a0946d6fedb10a54
677978ec1d0f15c43bdfae42bfc1c0c4ba1c782e0c189fc05d65b5ad64668b94
2866fb77592619d287c46a11e344f43c679b5c498cd41f44b624228154b260a1
89afd81cb7cb59382bf5830fd0111fd79a186532d960242e2e7e079415850ba0
1ae11a30e1d4021c5335ded1f2b25ed86834b20bc38b334fe897ab16fc15224c
ff4501dcfc5f1f6ab5c50195d053191d54290d2efc160def4de7af2b2c1f7039
5e0316581c455ebfae4775fe8b37bca0e7e451839553916920f20b3a7269e9c6
b5b6e5d9344d39b6ecb14d6d3076d8afdf66cafbae960a0d375f6fd19fa6d376
2d36ee83d5349c163250cf5f782d0be89dd882c576682a570d0ae236e8dd1c93
39972599e9f197a89cafc40a5a6d7311bd5102588102c4b6107003cb6cc1cb52
c9ab1615da4eb661e347aed48b91b4b1490322bc6a3a743cf87657df38150d1f
f1ee6a26a415669c195bb842fad2d0330776d9e8544a406ba60837c5f5d45e2d
0878ea566ab7bf507460d2e99ebd3fc3ca63d53c22e7cabc180988161d143aa4
fb92f4bcee1c79fb56625d8c7a4f3e1f3b6cee63567eb49b6138ef5224ba5486
bfd9f1d986d76e8780347ba542921c40f4e986cda51256fa68007b3bfa218499
f5c3ea5d83c91bbc77eeb5221e38bcbe276337b757d073fc2e812a68669f73ff
d7c234e4663d1afe2f9ac871ed2e989832226359bb3f1d97fc96b2ffbdba0d9d
28d5b7cd42ffa1e121b8f0510ea2065ac825f469b57204cfa40399a7c9fbc0b3
e50b524e5ba146bbdda9b4d967e4f5cf1ec76dc5f3cd05d9b992f0e0a507ffef
dd32f7c0a534ee0c27635da7cf642ec6917a3f87651ea079a9a24fddd142291e
2e6649ed037d2e4cace0d5d68824eb880ec6138bee690d080198255ea12591e8
183e22d164b0fa4007a449da7128abd59d999e773551cc166af22375a6cec767
81f37485c8b3d9a6b8dceccefe4c3bc1249d15a80159d29da6ad8d745077b3c7
319a146a8c0141832f736f173bb143d0ee617d61aa826bb1f2505440474d271c
f9a8439b27e33b82578b1bac2e1abef4e8bf15cbef1bb935b242bbdda0535478
da2a01e2b4e3d5b2e56d43427636e9c0a20157b1369234c91087a0083e986d3f
41ce0fdba3de8ca8d948f4b82eb9d4f63397a5f8cc77ef8cefab1cce2f70c709
1135f4d76cb6ca7605d54bd690b378bd769acdd28172fe55117f53de8f3c7520
f1f4a97525f047c84ec6fcc2b6cbf23634cade68ee984584aff989d179f0a470
3ed2cc17203f1d0c92bda0d567ed327de37bdf1af02b082efd5806198846e132
d922132bd6b747e094d0ded4460f854353da88637cba8ab915038b57a2735a88
950642667832dfc935327fadb2d34754861e612253ded52707202e0425193071
df83cef315dc016412a03ce95770d9bc418b9780878c8116d91f0bd9cdcb7c0f
01b7c4f2fd331fa3b60509d40f17e18622cc4e2e0d51d2da642a8a169b4099b3
ccdea9d525e02bea9927110a0ff982a2b56439298dbdc52329f0d935141fc46f
023a41305bae352e2bab9686ab8efdde111585a6e357b6245b59bb3459142b38
a5d9f94d86b783da9487edaa950aa157a7521b02dd9962f578f1e7cfa0514342
1ef58d18a795cce5b4a9b056c48349ce4d683e6f148a48d965471edf24323b98
eaaa3a226dbb0ec3feacfefb958122d43574255242646dbf9f44bf7d48a50bf0
41126df4807fb0546c92d3b88279cef6681c963dbd62141079d3f9e788088f63
b0fefc8090f6939e62728eff74cd7fb2d845aaba2c7463f8800cc1c7a9b4492d
46319b21801cc4f8034d29294e0cdd65299d4eb85654d3fda73ef6b492180bf1
34053df9484a86e4ea0a109a9d13abee25af404bff47f091c71a0c9a58a7713c
3d817613e4b0b9e73bae444e2526f0eaf605ada7702e043b6311cde34e0517cc
33aee37671d9e67a24846380d63a0a15cb03335a2d07f52fc5c1b1066bf1d90f
36cebb3a6e6484b12c91b5d6baea3dd9dcc123df7067dcd2ed4663ddf6115cd6
d8400f0d57c3b1f88ea36a74f1dfffd74cbfcfdcc995fb4b0be4c363440b9655
0a9b7be8f126cc85b166f350eccdcad73827ad627574b13d9e34b6fe175c9986
2650cfb26e7feaecef2d3b0f97656bdb1d37b64b206d78f18555eede941ad871
7e93b3a5bed3d2ab87eac6f297e6bbc63c7cc27e8da00b1ad4f6275c428a130f
518ee9f74a609d856403d4a94c650e62aba87c9dd17e6e885fe4e0adc4113e9a
5251011e8feda9381a5a1b119b36c8bd4bbd3de97044743d8cea2d2f69ee0b4d
af2f05611639653b5c588b25b9e42d57f53fd0262681f89f6acdc24b58887214
0ff8f9853b1951fcefad14ec98e7c21d098fa87d5e3af0cb0d1f2962315a483f
6a56a1810bc71836b0a21868db9ed2f1265f5219c8318c8cbcc6dbaa79ac4c3f
1a61db925eab1ac6e12c0345cbc23089e253023b5f34723f62ae1b6777dabc88
e4f2690fcb0f00257fd5352a90159144b02a1c6c669d96498b48611525f4a778
ce97b7fb60608c686500a645e0e3d0816b531fcdb52b89ed4e8a9dacd5fcbf2e
bdba87b50a8922290009c64e922e7f02e7543d22ca8730960c8cb6fa02b02441
dd9ec1c6a4be9bd962e1b1bd843d5750ef399c7c7cce60b368f627f5384e7a7c
7beef34a13c069175139e5e4905728a982d7f75ad06b04bf6a7339231947aa60
d229f81248d413a0ea6ea9bf4adf43c42dfaf8338e8db6826306e9b3373d9cf2
8cb91cdd7eb70884114b5ad8e55dae4fe9682567c997769a6613b8934806318c
7c17747837c4171c47f331a7a3d77ea927ca47efab1c7577daf33bd00d42d859
dc47961a7054e98a62aaa994e879ee9becbf6096843c899bde226ecbb985f4bd
af6c30a1cf970182aa400f711f18fa2d4675d1d648d79e01f4c7c0f121542d5b
9f63f60ae709bc6c3f830c1656091583879cca7380ccbf99ec6b94465e4796aa
651efbaaddced564347355a681a0f1aefcf36f5b7327385cee13598e05b331ff
0c592dacdd46cc39bd5f0ecba98432d3ef859d60a4e5f1f5802b50d530a5c139
68e5d9b94fc7e84ba8577f73902c266e9b25d29abc001226b3ab0e4fe4a47dc2
638d35e3c7c522b0c39180ed16612c3e182b96b57486e59123295f38e9bbbb48
3a2b0cf95197170b7600ea437df2030cf7176a00f646d703e1385d80ae6768ae
b0fbced03f7d674295d8e2c6b4ee3c4894b1f2932b6c45c353e007f323e7e421
6fc287491ec03b06a9090223def2390687d22cd555f1dbe4c1df18e1cf622699
ebcdf0ea7146fac2e4d68409c125892102c8b65c97321d7a57e1386ce69d5e09
44eed6970bddad6e65c69efe78615476ee0b162d7419562ba3ff1190252043e4
379344d731d4800175bd825bced3f8af2c64d57b2364a1598bc4a6d36e636a4e
dec10b8896db38cadc312a885bd9022c9519679e0cef018288e2e3ae447fcb70
c58262972733216a13e70f944d445a27a9ce158da384c70d5a2c06fc227835cb
e2e6e72e4178791e6741a7125f941e337f7ab9457db68dd4be3f6bfe36ac1d4d
0a9098bba351186ee13496207e7334293067b56fee60e9f9dfdf3e9ed1c1964d
ca556149fa9f0ba30343e099d1d852bcf3eba68c718482c8b8f209b8cf72efb4
3d7efcd6d8aea2ac2b5ef051dc9933ab37400132b9f54d5ac042748b92e43c4b
73304b5c73a1c90b192c8748348509c213890807d3ca34b08c8fb84652b0cbd3
bf2de56ca9ce6fc0b83d911ea86356d3338823d33630556de10878aeb3de0430
dc2ceb535e34fd0e54e87cce63d3ef05d5987b4e367f2158293486e5e07377a5
3d806b76a162faeed54de273a7c4965fbb18973aec1158cbbdf1efcd553c2a18
a88ab1054e6a52a003c986f8814fe6936a85cf1416eb1cbc61e955be42c84d05
1f8f39067871df0c4f5b3e7dfdf7bf3d70c319ccb78190d5c012f59be946c1e1
05de7f808bcbd9c8c9bc3620b3bb36faa7f9d1a956223f0ac2579792addb9908
aa16d79a7d5d91927c0bf58de137a83dedc30ec19bb3d9b6e3af626fa59064b4
c3d9caaeaf98c26409460994ae65613e3fbad63418c1a4c52a66be504acd3324
558f2824e50ddc2c367b5cf26c44caaff119be1649bb35a01ff9333baf3a0b4c
59f50ec4fcc19b78826368b625df91df27ff9543761b17fc1a757a93d8de15b1
736cacb24c1dd1a8a52b9e3f194a4f611c2cca36a654859c923a0f9ffec07ae5
1c398b2da1b9e66801e458af1ec89e1ebb86c9c5ce5683a7b1eaffebe8ef8363
63ffc8f33d7b4d202677844246f41c5d98d74694bb0a83f28c413c8e2c85445e
a2f16c7691e8ccdbffc398742b03ecdca42d3f10297e10c11b7b03d3b1762fdf
de69cb7f1a78bb5c454d149112f9fd62d946426a12d86d30acbcb0974af59a89
87a62cc18156525f997087f7958522a16815fb481db9a5db7d78ea9dc3ca2633
b462b5986b5bb5e0a5a06fef67810b4a665e7a4b6c45a612140e478aee1a8d70
0484e1fa67b4eccdd208258e6052a50e9f3db9175ede4d36f73b851d59570045
d74c5c50aa3acc3a6545a53badb0f862dbd034868185ac750ea703ccc55a8b34
11760c0c47222614dbd80f76495bfd86f65dbdb7276ad3741cc3f77dbd73e6b7
3e8759684c280075237ed75502a8e72b9aa3379aabdce27d1f226391e649b80f
5005f4dd86b2bf19ea984feec50b9fe489967af0311e851727912e20920ea414
717523d724e1a190e26629f839ef7acefc4ece512c0ae447d3ef453739e14203
cf3775ef3f1b3ca53f43dd3a68ab7800a58d091ee73a1b69b8645ca217e6b5ff
6bbfac7c84bc99ec3c44ba7873b7e2329585b97875d3265ebd398c44d5710e3c
222cd93440a5164569fae152333710a9f169b85644b9f61d1f00e4aaab1fe07f
83db39d3dcb2b20724085d4e8c49b8b5e74c2dda134fdce39cfd0f3344fc4cfe
dfc4f3937a61828511c1f70fb56a0cc3104f80e957c0fd582b3f750136f510a7
c411f481563dd48db8a218e063da6477062a9cb628d50c666009ad9040dfde21
ef2e8058072b7d590f8ac4796487db839cc60064151c136bfa58213c87f016d4
53d52508d4fbf502264ff4e8482ff3c988f86f4727326d09a71724b61a152e92
33a995a9fb0790de7a522da691ab296e6d0e845b8228cb1fde3acddfff4e0584
4666046b2855686628c636e49ec6669b2c694e65f13862168b37f88a96588520
aa885d2d8550a5816070d4174a504ae7b4d90e3e50b3dbce7cea17443b6b9080
SH256 hash:
a94f4c6189a4f89c3df20864c695be40f546a249cb216ff843c734c488cc2742
MD5 hash:
b6aa10916971a67255460735652ef1ec
SHA1 hash:
00eb5d18f6993290a0a10e1615df95e8c94d0bec
Link:
https://www.unpac.me/results/9b9858d9-76cd-4442-a744-535e460fda94/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments