MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df
SHA3-384 hash: a93a8c152fc74a51d179d49da959cce2e0c89fd68719c709f1cc923ef465f64e15a4678202498b136d6480994c88bca5
SHA1 hash: 03419c2d9dcdda38826203dad7a9ef3b5eff6280
MD5 hash: 9d547d2e07746d84f0c9ce72502a9749
humanhash: river-music-island-sixteen
File name:abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df
Download: download sample
Signature njrat
Create hunting rule
File size:787'105 bytes
First seen:2021-09-30 11:58:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c19c5a27cf193c3f49f1a5b91054e502 (3 x RemcosRAT, 3 x BanditStealer, 2 x AveMariaRAT)
ssdeep 24576:/1+BN+ySbjMrYgHrQYkiCaEMqPV0bsVS1tzeTQEFKLWawmEfg:/0BN+ySbjyYC8ri3EMqObsVSsYLq9Y
Threatray 123 similar samples on MalwareBazaar
TLSH T16CF4F1D8E9D45DFFF628637BD981D9280F8D64F5D149E6222392D23FC0CAE821E80725
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df
Verdict:
Malicious activity
Analysis date:
2021-09-30 22:51:45 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/7f38916c-6721-4f73-8d0c-5d4dd15a942d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193536/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

Win.Dropper.Generickdz-9898143-0
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7546c248-ca1f-4090-a4de-871bcbfa441b
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/862208
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files to the user root directory
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494636 Sample: be3ORPXHAm Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 46 servidorbrabo.ddns.net 2->46 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for dropped file 2->54 56 Multi AV Scanner detection for dropped file 2->56 58 8 other signatures 2->58 11 be3ORPXHAm.exe 2 2->11         started        14 svchost.exe 1 2->14         started        17 svchost.exe 5 2->17         started        19 5 other processes 2->19 signatures3 process4 dnsIp5 42 C:\Users\user\Desktop\test.exe, PE32 11->42 dropped 21 cmd.exe 1 11->21         started        23 conhost.exe 11->23         started        50 192.168.2.1 unknown unknown 14->50 file6 process7 process8 25 test.exe 1 7 21->25         started        file9 38 C:\Users\user\svchost.exe, PE32 25->38 dropped 40 C:\Tools.exe, PE32 25->40 dropped 60 Antivirus detection for dropped file 25->60 62 Multi AV Scanner detection for dropped file 25->62 64 Machine Learning detection for dropped file 25->64 66 2 other signatures 25->66 29 svchost.exe 3 7 25->29         started        signatures10 process11 dnsIp12 48 servidorbrabo.ddns.net 29->48 44 C:\...\b82593d475a899b9a3354da582932eb7.exe, PE32 29->44 dropped 68 Antivirus detection for dropped file 29->68 70 System process connects to network (likely due to code injection or exploit) 29->70 72 Multi AV Scanner detection for dropped file 29->72 74 6 other signatures 29->74 34 netsh.exe 1 3 29->34         started        file13 signatures14 process15 process16 36 conhost.exe 34->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 09:13:17 UTC
AV detection:
24 of 45 (53.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vo3bkmunu4hko6rj6hh32vrnhvhlgrv22exp2zbrxjg4ixsna7pq._file
Verdict:
malicious
Similar samples:
0e74c2ee6af403d13dfe7ff6b11d3f1eb04c177202eb752448640c06db1566ec
njrat
2454d64559ffdaf95915ebea1ad0a5310fa2ef724e42d8e510e4cac97078e80f
njrat
37a1dca413bedca841a9a633c04c77df208a7dcef64a26c799d01078805f8774
njrat
56f435a5987f429df40365c3fc9e17443e7a79a003d57d29b4b8f4396bf8c22b
njrat
7cf4fafb7d41c7c48f1078e94fa059ad3a666786a74c9864238f251c06298c94
njrat
90f6d27c8269a6dbbfbcd3c6735ae51bcc1942defd21c547004b33265e85b7e2
njrat
93c6cc14e478c54711c794dc49dcedd43bce1a7f15de08fe279af4da5b4f84e5
njrat
a0de65c408284dfddf6318980b138aa05015686c4371853070500ff84d18cd50
njrat
aa6048f1b4c756dd7ecf4d78af9a5ea07cc7d2d43817c1bae77c38a5391cded9
njrat
f1b01db7444eacf1c44d10f564d4841c8fbfd885810bfa4da24dbcaa79188b59
njrat
+ 113 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan upx
Link:
https://tria.ge/reports/210930-n5sl1ahec2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
SH256 hash:
284b56c8832abb1514f3c7176d6677c9884a4301153dae983e89c9f668530125
MD5 hash:
5dc742a26056e07e592ec534a29db726
SHA1 hash:
d283675f20a33b11522c5ab24094abf590169fd5
Link:
https://www.unpac.me/results/70a74f73-ee4f-4a1a-9bda-0413e31749b3/
SH256 hash:
1d757ae12fe63009d4ad937fb87fa345921668f8785d613749f85a14600643bb
MD5 hash:
a6b48dd84c52a2b1afb5b12ae2935429
SHA1 hash:
1fbb02ecb98810571d4729ac1e60b63395b40f20
Link:
https://www.unpac.me/results/70a74f73-ee4f-4a1a-9bda-0413e31749b3/
SH256 hash:
abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df
MD5 hash:
9d547d2e07746d84f0c9ce72502a9749
SHA1 hash:
03419c2d9dcdda38826203dad7a9ef3b5eff6280
Link:
https://www.unpac.me/results/70a74f73-ee4f-4a1a-9bda-0413e31749b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.92
Link:
https://yomi.yoroi.company/submissions/abb615328da70ea77a29f1cfbd562d3d4eb346bad12efd6431ba4dc45e4d07df

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193536/

Comments