MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9ea7800b0f50505268b058f14a23dbe4cf6c0f134681a68dce7429b9df8d88b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat
Vendor detections: 15

SHA256 hash: a9ea7800b0f50505268b058f14a23dbe4cf6c0f134681a68dce7429b9df8d88b
SHA3-384 hash: 3e2972fa307a43b73aef5e3cb02baef5a811f4c1e50189b7d2135c2cf7bf8dcb40f041f2a2a008a3f799a9bc8686cc3a
SHA1 hash: 1d21d2d4f21fa7a19cad7e69c8c143bebc9ba7fd
MD5 hash: 536018d01ee05bc37064c480178e2bf8
humanhash: low-batman-orange-steak
File name: 536018D01EE05BC37064C480178E2BF8.exe
Signature: njrat
File size: 1'078'272 bytes
First seen: 2023-11-03 17:35:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:vtW4x8xgmUdUcyezFSjahBaNOMGC3UgJuTYdIMlM9QVmcIOLfEdjJYVB1X1:s4x8x1UGexmbcMGC3U3MlLVmczEdjJYR
Threatray: 226 similar samples on MalwareBazaar
TLSH: T1B735DF1F11A0A033EFD236716998B2603F6DDD5AA7308D8F32C432FD4AF1AE26975255
TrID: 51.9% (.RLL) Microsoft Resource Library (x86) (177572/6/26)
      21.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      12.6% (.EXE) InstallShield setup (43053/19/16)
      3.8% (.SCR) Windows screen saver (13097/50/3)
      3.0% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter: abuse_ch
Tags: exe NjRAT RAT


abuse_ch
njrat C2:
156.196.88.201:5552
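
The entry carries several kinds of indicators: file hashes, the C2 endpoint posted by the reporter above (156.196.88.201:5552), the dynamic-DNS name the sandbox saw (bmw2022.ddns.net) and the address it resolved to at analysis time (156.196.162.149). The script below is an added example, not MalwareBazaar code, that checks a file and a handful of connection records against those indicators. It deliberately keeps only the hashes the entry ties to njRAT detections (the submitted sample and the one unpacked file carrying win_njrat hits); the other unpacked files carry no detections in this entry, and the sandbox tree shows the dropped dotNetFx40_Client_setup.exe installer writing many benign files, so they are left out rather than assumed malicious. The connection log lines are constructed for the demonstration.

```python
"""IOC checks against this MalwareBazaar entry.

Added example, not MalwareBazaar code. Hash values, the reporter's C2
endpoint, the ddns name and the sandbox-resolved address are copied from
the entry; the log lines in SAMPLE_LOG are constructed.
"""
import hashlib
import re

# Submitted sample plus the one unpacked file the entry labels NjRat.
KNOWN = {
    "sha256": {
        "a9ea7800b0f50505268b058f14a23dbe4cf6c0f134681a68dce7429b9df8d88b",
        "29b42ea64013ab78c8dbd57deec5bb10df8def09af17340fc4495d7459ba1409",
    },
    "md5": {
        "536018d01ee05bc37064c480178e2bf8",
        "76964bfe00772689439daa06ebd725ac",
    },
    "sha1": {
        "1d21d2d4f21fa7a19cad7e69c8c143bebc9ba7fd",
        "9afb0a2faa40657197d0b63f2e0806d09864a847",
    },
}

C2_DOMAIN = "bmw2022.ddns.net"
C2_ENDPOINTS = {("156.196.88.201", 5552)}       # reporter comment
# The ddns name resolved to a different address during sandboxing, so the
# domain is the durable indicator; both addresses are kept for completeness.
C2_IPS = {"156.196.88.201", "156.196.162.149"}


def hash_bytes(data):
    """MD5/SHA1/SHA256 of an in-memory blob, in the entry's hash set names."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path, chunk_size=1 << 20):
    """Same as hash_bytes, but streamed so large droppers do not load into RAM."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_hashes(hashes):
    """Return the set of algorithms whose value matches a known-bad hash."""
    return {alg for alg, value in hashes.items() if value.lower() in KNOWN.get(alg, set())}


# Constructed record shape: "... dst=IP:PORT [dns=NAME]".
CONN_RE = re.compile(
    r"dst=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)(?:\s+dns=(?P<dns>\S+))?"
)


def classify_connection(line):
    """List the C2 indicators a connection record hits (empty if none)."""
    m = CONN_RE.search(line)
    if not m:
        return []
    ip, port, dns = m.group("ip"), int(m.group("port")), m.group("dns")
    reasons = []
    if (ip, port) in C2_ENDPOINTS:
        reasons.append("c2-endpoint")
    if ip in C2_IPS:
        reasons.append("c2-ip")
    if dns and dns.rstrip(".").lower() == C2_DOMAIN:
        reasons.append("c2-domain")
    return reasons


def scan_connections(lines):
    """(index, reasons) for every record that hits at least one indicator."""
    return [(i, r) for i, line in enumerate(lines) if (r := classify_connection(line))]


# Constructed connection log: two beacons to the ddns name (one to the
# reporter's IP:port, one to the address the sandbox resolved) and one benign
# connection using a documentation address.
SAMPLE_LOG = [
    "2023-11-03T17:40:01Z proc=essam@sasa2023.exe dst=156.196.88.201:5552 dns=bmw2022.ddns.net",
    "2023-11-03T17:40:05Z proc=essam@sasa2023.exe dst=156.196.162.149:5552 dns=bmw2022.ddns.net",
    "2023-11-03T17:41:00Z proc=browser.exe dst=203.0.113.10:443 dns=example.org",
]

if __name__ == "__main__":
    print("file hits:", match_hashes(hash_bytes(b"not the sample")))
    for idx, reasons in scan_connections(SAMPLE_LOG):
        print(idx, reasons, SAMPLE_LOG[idx])
```

Run against a real suspect file with `match_hashes(hash_file(path))`. The second log line illustrates why an exact IP:port block list is brittle for a dynamic-DNS C2: the same name is already tied to two addresses within this single entry, so the domain match is the one to alert on.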

Intelligence


File Origin
# of uploads: 1
# of downloads: 364
Origin country: NL

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating synchronization primitives
Creating a file
Creating a process from a recently created file
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Creating a process with a hidden window
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: control greyware lolbin netwire packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected Njrat
Behaviour
Behavior Graph:
Behavior Graph ID: 1336857
Sample: ESjy0irMIn.exe
Start date: 03/11/2023
Architecture: WINDOWS
Score: 100
Network: bmw2022.ddns.net
Signatures on the sample: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures

Process tree:
ESjy0irMIn.exe (started)
    dropped: C:\ProgramData\essam@sasa2023.exe (PE32)
    dropped: C:\ProgramData\dotNetFx40_Client_setup.exe (PE32)
    essam@sasa2023.exe (started)
        network: bmw2022.ddns.net, 156.196.162.149 (ports 49734, 49738, 49741), TE-ASTE-ASEG Egypt
        dropped: C:\Users\user\AppData\Roaming\...39ame.js (ASCII)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Drops script or batch files to the startup folder; 3 other signatures
        netsh.exe (started)
            conhost.exe (started)
    dotNetFx40_Client_setup.exe (started)
        dropped: C:\b53dd3b256ba71dad061693a386e\sqmapi.dll (PE32)
        dropped: C:\...\SetupUtility.exe (PE32)
        dropped: C:\b53dd3b256ba71dad061693a386e\SetupUi.dll (PE32)
        dropped: 27 other files (none is malicious)
        Setup.exe (started)
            WINWORD.EXE (started)
                splwow64.exe (started)
            WINWORD.EXE (started)
wscript.exe (started)
    signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    essam@sasa2023.exe (started)
    essam@sasa2023.exe (started)
Threat name: ByteCode-MSIL.Trojan.Razy
Status: Malicious
First seen: 2023-11-01 05:22:00 UTC
File Type: PE (.Net Exe)
Extracted files: 20
AV detection: 28 of 38 (73.68%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:njrat evasion trojan
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
njRAT/Bladabindi
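
The signature lists and the sandbox process tree above agree on three behaviours that are visible in ordinary endpoint telemetry: netsh.exe changing the firewall on behalf of a binary running from C:\ProgramData, wscript.exe launching that dropped essam@sasa2023.exe, and a .js file written to the Startup folder. The detection logic below is an added example, not part of this entry or of any vendor's rule set; it evaluates Sysmon-style process-creation and file-creation events for those three patterns and also checks that two benign events do not fire. The events are constructed: the netsh command line uses the classic njRAT `firewall add allowedprogram` form, which is an assumption because the entry records only that netsh was used, and the Startup file name update.js is invented because the entry's dropped-file path is truncated.

```python
"""Behaviour-based detection for the njRAT actions recorded in this entry.

Added example, not the entry's or any vendor's rule. SAMPLE_EVENTS is
constructed telemetry in a Sysmon-like shape (process / file creation).
"""
import re

# Directories an unprivileged user can write to; the dropped payloads in this
# entry live under C:\ProgramData and C:\Users\<user>\AppData.
USER_WRITABLE = re.compile(r"^c:\\(?:programdata|users\\[^\\]+\\appdata)\\", re.I)
# Per-user Startup folder (the Sigma hit "Drops script at startup location").
STARTUP_DIR = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
# Any netsh invocation that changes firewall state (legacy "firewall" or "advfirewall").
FIREWALL_CHANGE = re.compile(r"\bfirewall\b.*\b(?:add|set|delete)\b", re.I)
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".bat", ".cmd", ".ps1")


def detect(event):
    """Return the list of rule names an event matches (empty if benign)."""
    hits = []
    if event["type"] == "process":
        image = event["Image"].lower()
        parent = event["ParentImage"].lower()
        cmd = event.get("CommandLine", "")
        if image.endswith("\\netsh.exe") and FIREWALL_CHANGE.search(cmd):
            hits.append("netsh_firewall_change")
            # A firewall change requested by a binary in a user-writable path is
            # the njRAT pattern; the same command from an admin shell is routine.
            if USER_WRITABLE.match(parent):
                hits.append("netsh_from_user_writable_parent")
        if parent.endswith(SCRIPT_HOSTS) and image.endswith(".exe") and USER_WRITABLE.match(image):
            hits.append("script_host_spawns_dropped_exe")
    elif event["type"] == "file":
        target = event["TargetFilename"].lower()
        if STARTUP_DIR.search(target) and target.endswith(SCRIPT_EXT):
            hits.append("script_dropped_to_startup")
    return hits


def scan(events):
    """(index, hits) for every event that triggers at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := detect(e))]


# Constructed telemetry mirroring the sandbox process tree. The netsh command
# line is the classic njRAT form and the Startup file name is invented; the
# entry only records that netsh was used and that a .js was dropped.
SAMPLE_EVENTS = [
    {"type": "process", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\ProgramData\essam@sasa2023.exe",
     "CommandLine": r'netsh firewall add allowedprogram "C:\ProgramData\essam@sasa2023.exe" "essam@sasa2023.exe" ENABLE'},
    {"type": "process", "Image": r"C:\ProgramData\essam@sasa2023.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\ProgramData\essam@sasa2023.exe"'},
    {"type": "file", "Image": r"C:\ProgramData\essam@sasa2023.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.js"},
    # Benign: an administrator listing interfaces, and an ordinary app launch.
    {"type": "process", "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface show interface"},
    {"type": "process", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], hits)
```

The parent-path qualifier matters: netsh firewall changes are common in legitimate administration, so the high-fidelity signal is the combination of a firewall change with a parent that lives in ProgramData or AppData, which is exactly what the process tree shows for essam@sasa2023.exe.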
Unpacked files
SHA256 hash: 3270b06399e85bf345de33c42400eb0e1698e0af9ff8b09fd0f87d0495f92414
MD5 hash: ce9b39653618178af4caeb13eb64bfbe
SHA1 hash: e27f783ec74890b1b8eec9c0c78c0c363e1b48a4

SHA256 hash: 29b42ea64013ab78c8dbd57deec5bb10df8def09af17340fc4495d7459ba1409
MD5 hash: 76964bfe00772689439daa06ebd725ac
SHA1 hash: 9afb0a2faa40657197d0b63f2e0806d09864a847
Detections: NjRat win_njrat_w1 win_njrat_g1

SHA256 hash: ca7558f8a955e520a7b1ae443ce82140977c16d46c3ac8d89b00e52cf5451e11
MD5 hash: d320ceee717e2951247b3c8a85f0e876
SHA1 hash: ef3b9da67211b2de38062d2699fde5580da5a5ee

SHA256 hash: bd9c19cdcc21422203e918b578a46d5f5e1795fb60dcad8dd101f7673a8feaa5
MD5 hash: 51342c36e3f886de5595d59e78562630
SHA1 hash: a14a39a6bf6bd5917d67714417b393471bb58768

SHA256 hash: 3c70b5963b25d50c3f81eeea159601faf22b9112519f5dcf4bc1ca0fd8e84f3d
MD5 hash: 08a33b7801a442d95ee1934f501bcc8e
SHA1 hash: 163fd2ad3e7952876b9b54d147742fc753aaa6b3

SHA256 hash: 67f7bdf8bc94963346e894bd921c3d98e497add3dfaa1017da21e6201911167a
MD5 hash: 3c3c7cfabdeabbcbb0084223814a34db
SHA1 hash: c8195bf014f1c59185063d3abb95daf9ac23a0fb

SHA256 hash: a9ea7800b0f50505268b058f14a23dbe4cf6c0f134681a68dce7429b9df8d88b
MD5 hash: 536018d01ee05bc37064c480178e2bf8
SHA1 hash: 1d21d2d4f21fa7a19cad7e69c8c143bebc9ba7fd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
