MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9d17bd42531c52bcc16e7424db420bb8c56834962cc04209f5d6f937eccff47. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	a9d17bd42531c52bcc16e7424db420bb8c56834962cc04209f5d6f937eccff47
SHA3-384 hash:	64580366acecf4576c7ed16179a8024cc3fa5f237c7ddf3c53ed8abe8598f9715e8f39026956d7ed50c64056b014f423
SHA1 hash:	9d3f440bdc2aae60c9cc906a0e39e0579d4ad6a6
MD5 hash:	6dba8d29c2a91741248a0afe4d2d8370
humanhash:	crazy-butter-nevada-don
File name:	Terraria.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	37'888 bytes
First seen:	2023-12-22 14:17:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'832 x AgentTesla, 19'769 x Formbook, 12'296 x SnakeKeylogger)
ssdeep	384:UeSvEiTbTvpWNcZ0y8fvCv3v3cLkacparAF+rMRTyN/0L+EcoinblneHQM3epzXr:lS7TZ38fvCv3E1cQrM+rMRa8Nuddt
Threatray	1'407 similar samples on MalwareBazaar
TLSH	T157032B4D7FE18168D5FD067B05B2D41207BAE04B6E23D90E8EF564AA37636C18B50EF2
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	Anonymous
Tags:	exe NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

402

Origin country :

Vendor Threat Intelligence

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/469053/

Detection(s):

Sanesecurity.Malware.29039.UNOFFICIAL

Win.Packed.Bladabindi-7994427-0

Win.Trojan.Generic-6417450-0

Win.Trojan.Generic-6454614-0

Win.Trojan.Generic-6454615-0

Win.Trojan.B-468

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

cmd explorer fingerprint keylogger lolbin netsh njrat rat replace stealer

Link:

https://www.filescan.io/uploads/65859a9bffafd83ebc980222/reports/b1fc58b2-7b51-4fdd-9a32-87add8e1fb99/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/a9d17bd42531c52bcc16e7424db420bb8c56834962cc04209f5d6f937eccff47

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mimikatz

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f41d29f7-3704-4339-9aec-0ff2e9ae003a

Result

Threat name:

Njrat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1366237

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Protects its processes via BreakOnTermination flag

Snort IDS alert for network traffic

Uses netsh to modify the Windows network and firewall settings

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a9d17bd42531c52bcc16e7424db420bb8c56834962cc04209f5d6f937eccff47

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a9d17bd42531c52bcc16e7424db420bb8c56834962cc04209f5d6f937eccff47/

Threat name:

ByteCode-MSIL.Backdoor.Ratenjay

Status:

Malicious

First seen:

2023-12-22 14:18:05 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 23 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vhixxvbfghcsxtaw45be3nbaxogfna2jmlgaiie7lvxzg7wm75dq._file

Verdict:

malicious

Label(s):

njrat

0d2e0fcd0d0b7034acb740ce51baa0bec329c0c8547dd7caf2aabb5c91c7dc99

njrat

6a65ffab90209b9a5fad0523b2878228f7062afc4679742d1efa0e77f419a8d8

njrat

718a0d28eba875ac69a1b5f6705ec3d3498bbb63d28b43798278b45f60d0bff7

njrat

ce408e126def4dab38a7a260d4775111b140154cfc5abb1b6a0f397884e0577a

njrat

de544fa6de7f86b58ff6e82a682ff8bbcc8dcdaeee61421e720f09a3471f1a72

njrat

f41b85f9d5781730263555803c9387d85afca6ef21c3640f11514bf22e82f082

njrat

+ 1'397 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat botnet:cheat evasion

Link:

https://tria.ge/reports/231222-rl9yqahafj/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Legitimate hosting services abused for malware hosting/C2

Modifies Windows Firewall

Malware Config

C2 Extraction:

6.tcp.eu.ngrok.io:19960

Unpacked files

SH256 hash:

a9d17bd42531c52bcc16e7424db420bb8c56834962cc04209f5d6f937eccff47

MD5 hash:

6dba8d29c2a91741248a0afe4d2d8370

SHA1 hash:

9d3f440bdc2aae60c9cc906a0e39e0579d4ad6a6

Detections:

NjRat

win_njrat_w1

win_njrat_g1

MALWARE_Win_NjRAT

Link:

https://www.unpac.me/results/268bf443-a9e6-4be8-867c-78a12deb6c64/

Malware family:

njRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a9d17bd42531/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a9d17bd42531c52bcc16e7424db420bb8c56834962cc04209f5d6f937eccff47

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

rar f23f0f4b55b95bd8a7b122769949edf4bd686aea35215286d1551d2c2dfe150c

njrat

exe a9d17bd42531c52bcc16e7424db420bb8c56834962cc04209f5d6f937eccff47

(this sample)

Dropped by

SHA256 f23f0f4b55b95bd8a7b122769949edf4bd686aea35215286d1551d2c2dfe150c

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/469053/

URLhaus

https://urlhaus.abuse.ch/url/2743671/

URLhaus

https://urlhaus.abuse.ch/url/2743672/

Dropped by

MD5 f85eecbe1d9599f267b642fd1935fea7

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample