MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa01a5cbb5ef80f3ddb3eb2b14e72dfeb89d3d9ac7bbc344aa90044103e8ed48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa01a5cbb5ef80f3ddb3eb2b14e72dfeb89d3d9ac7bbc344aa90044103e8ed48
SHA3-384 hash: 1c7b69456fedcfc2dbb0fa9d145a6d992f942eca8fdcd73932ba5553a4dcd2a9dfb1b9c47628bde0b21957fb8a088b65
SHA1 hash: 9f5cc4d65d96881dd05c7d3e2c1c5b13d07e7899
MD5 hash: 0219671eff87fc1cd39875411b58733e
humanhash: vermont-missouri-lima-delaware
File name:aa01a5cbb5ef80f3ddb3eb2b14e72dfeb89d3d9ac7bbc344aa90044103e8ed48
Download: download sample
Signature njrat
Create hunting rule
File size:1'178'120 bytes
First seen:2020-11-10 11:39:44 UTC
Last seen:2024-07-24 20:07:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:GjDoBvuWsNYmPh5Jc0v6JAyLfxmHa37aWtDv3953:7Bv2PhL6JVLZYa371Dvn3
Threatray 3 similar samples on MalwareBazaar
TLSH 6A45AE427391C071FFAA96739B2AF61146BD6D790133C41F13A83DBAAD711B1263DA23
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Autoit-8000278-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Launching the process to change the firewall settings
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/528645
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 313422 Sample: LE78bK4GxE Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 34 redlan.hopto.org 2->34 38 Malicious sample detected (through community Yara rule) 2->38 40 Antivirus / Scanner detection for submitted sample 2->40 42 Detected njRat 2->42 44 9 other signatures 2->44 9 data.exe 1 2->9         started        12 LE78bK4GxE.exe 3 2->12         started        signatures3 process4 file5 46 Antivirus detection for dropped file 9->46 48 Binary is likely a compiled AutoIt script file 9->48 50 Contains functionality to inject code into remote processes 9->50 52 3 other signatures 9->52 15 schtasks.exe 1 9->15         started        17 RegAsm.exe 3 9->17         started        32 C:\Users\user\AppData\Local\Temp\...\data.exe, PE32 12->32 dropped 19 RegAsm.exe 3 4 12->19         started        22 schtasks.exe 1 12->22         started        signatures6 process7 dnsIp8 24 conhost.exe 15->24         started        36 redlan.hopto.org 19->36 26 netsh.exe 1 3 19->26         started        28 conhost.exe 22->28         started        process9 process10 30 conhost.exe 26->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa01a5cbb5ef80f3ddb3eb2b14e72dfeb89d3d9ac7bbc344aa90044103e8ed48/
Threat name:
Win32.Hacktool.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-11-10 23:19:42 UTC
AV detection:
37 of 48 (77.08%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=via2ls5v56aphxnt5mvrjzzn724j2pm2y654grfksaceca7i5vea._file
Verdict:
suspicious
Similar samples:
8183b2d8394a4301c88f8c0ca1addb9aa56093b15ebf76404f9aa1d00524a187
njrat
869f916839342a43032ac51d3574f7a9c057f73e319f8033c6338094376cab11
njrat
bf05b86e2e3913b902481201edc5caf2a622307e67238a1c933d558bca530dea
njrat
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan
Link:
https://tria.ge/reports/201110-tk2kpwbqqn/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments