MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac0512ae388edecb444eac7b61138650b05f1ab927277696aaecb73efd62776c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 17


Intelligence 17 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac0512ae388edecb444eac7b61138650b05f1ab927277696aaecb73efd62776c
SHA3-384 hash: 5445085e1670f80588306c883701873a4eed1c4516d5ea75aae0dad2509f02fd04e30941ac86f503d3e39e93f9495dc2
SHA1 hash: 03aa09f53639aa75749838ad5bae1f4fcbeaf38f
MD5 hash: 171be6edcf6644be78732097dd68f585
humanhash: queen-lima-paris-football
File name:ac0512ae388edecb444eac7b61138650b05f1ab927277696aaecb73efd62776c
Download: download sample
Signature njrat
Create hunting rule
File size:318'654 bytes
First seen:2023-05-10 10:55:24 UTC
Last seen:2023-05-13 22:46:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ab9ff6e4872ea2766a5f5c6af5649e9d (20 x CryptOne, 13 x RedLineStealer, 6 x RecordBreaker)
ssdeep 6144:g61E/QSnxoEMTlXEulock9X+t40VMcY4x53biGB92:g6ErxJMTtEulg9X+t4qMAmIQ
Threatray 140 similar samples on MalwareBazaar
TLSH T12464AD027AC48471E5B229751EF696305A3F7C301B798ADB539C2B1E5F335D09A32B63
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10523/12/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4505/5/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter adrian__luca
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
271
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
ac0512ae388edecb444eac7b61138650b05f1ab927277696aaecb73efd62776c
Verdict:
Malicious activity
Analysis date:
2023-05-10 10:54:19 UTC
Tags:
njrat
Link:
https://app.any.run/tasks/44495099-6d84-4fbc-9bba-c0872c8799e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/388137/
Detection(s):
Win.Trojan.Generic-9947715-0
Create hunting rule

SecuriteInfo.com.Variant.Fugrafa.249470.10364.14457.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/83348/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
alien greyware overlay packed setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/645b7842d054a0b0ef8483b5/reports/6f99107f-9a78-41f6-8deb-32899dd5c254/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/ac0512ae388edecb444eac7b61138650b05f1ab927277696aaecb73efd62776c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b717ecfa-30d0-47dd-a354-a6f4711f9e9d
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1229943
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to spread to USB devices (.Net source)
Creates autorun.inf (USB autostart)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Drops PE files to the user root directory
Found malware configuration
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 862925 Sample: NctB4DPSda.exe Startdate: 10/05/2023 Architecture: WINDOWS Score: 100 48 loawdrf.ddns.net 2->48 60 Multi AV Scanner detection for domain / URL 2->60 62 Found malware configuration 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 10 other signatures 2->66 10 NctB4DPSda.exe 1 8 2->10         started        13 Microsoft Corporation.exe 3 2->13         started        signatures3 process4 file5 44 C:\Users\user\AppData\Local\Temp\akrien.exe, PE32 10->44 dropped 15 akrien.exe 7 10->15         started        process6 file7 46 C:\Users\user\server.exe, PE32 15->46 dropped 52 Antivirus detection for dropped file 15->52 54 Multi AV Scanner detection for dropped file 15->54 56 Machine Learning detection for dropped file 15->56 58 Drops PE files to the user root directory 15->58 19 server.exe 2 15 15->19         started        signatures8 process9 dnsIp10 50 loawdrf.ddns.net 37.146.94.236, 3019, 49696, 49697 CORBINA-ASOJSCVimpelcomRU Russian Federation 19->50 36 C:\system.exe, PE32 19->36 dropped 38 C:\Windows\SysWOW64xplower.exe, PE32 19->38 dropped 40 e8f7fbc7646554b21c...2Windows Update.exe, PE32 19->40 dropped 42 4 other malicious files 19->42 dropped 68 Antivirus detection for dropped file 19->68 70 Multi AV Scanner detection for dropped file 19->70 72 Creates autorun.inf (USB autostart) 19->72 74 5 other signatures 19->74 24 netsh.exe 3 19->24         started        26 netsh.exe 3 19->26         started        28 netsh.exe 3 19->28         started        file11 signatures12 process13 process14 30 conhost.exe 24->30         started        32 conhost.exe 26->32         started        34 conhost.exe 28->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac0512ae388edecb444eac7b61138650b05f1ab927277696aaecb73efd62776c/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-04-27 14:17:35 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
27 of 37 (72.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqcrflryr3pmwrcovr5wce4gkcyf6gvze4txnfvk5s3t57lco5wa._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
023ba111fa8dccee3ae3eaff7cbab1927096fb47ee58e8983eb2a5241d4557d7
njrat
049c85c420d5b7b01316bd54cac073421f0f2a6d3af1dc6bf49a494bb9356c02
njrat
23ad77a2be48a81e4460c894c41a35db18308a8f85eb841f5bf7ae99265f7310
njrat
27425ab21814acdc92665957ce92f326a46ea99131ef32df83ccaeaaa5228c20
njrat
2c1038dc89e97201da583f1e8fed3da0c5ab27a87438c4a33c63e8d0f91be6ef
njrat
4d6a68af9d1de9ad0ed6dfdd5cbb0daa6341caa3798b26b3d2d111d06fc402ba
njrat
6bc2d4c7cf6c183e47b32a0a9f6802ef785f6d7938e452248e3f00b2b37162aa
njrat
70caeb1acf2902a83cc604e44bffed2b43c0698a5e101f12b6f1a6f9eeccc546
njrat
d9ce2ae26ef828242795235373849f97eaf395f19607f1b12258e0608cbc5626
njrat
f8ba98c4f7f9ccf0520492b17b56a57e69c7624e497fca78007766cdce05b947
njrat
+ 130 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion trojan
Link:
https://tria.ge/reports/230510-m1nltafe89/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Drops file in System32 directory
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Disables Task Manager via registry modification
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
SH256 hash:
302272c4a6088f8b9363ffa76fac3cf686db9b7f4a31ed36b4beecd55931434a
MD5 hash:
6caea54eb02090a398d4900f9183e533
SHA1 hash:
915a889e1c3c815fa7f4ecfd7594359793110e4c
Link:
https://www.unpac.me/results/27dd8f1f-126d-46cb-bbd0-6763b10deb2f/
SH256 hash:
ac0512ae388edecb444eac7b61138650b05f1ab927277696aaecb73efd62776c
MD5 hash:
171be6edcf6644be78732097dd68f585
SHA1 hash:
03aa09f53639aa75749838ad5bae1f4fcbeaf38f
Link:
https://www.unpac.me/results/27dd8f1f-126d-46cb-bbd0-6763b10deb2f/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac0512ae388e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac0512ae388edecb444eac7b61138650b05f1ab927277696aaecb73efd62776c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/388137/

Comments