MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ace64cbe1ef91a0b14602264fe0de8e3698cb8b901cbd6251b3fd11d87a0bef6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ace64cbe1ef91a0b14602264fe0de8e3698cb8b901cbd6251b3fd11d87a0bef6
SHA3-384 hash: 9d69e83e041b84353ad9a79f6956e63b86172cd6abe392317d6da3baf1a12969280c12d7f1edf24e6a50f0b12f5c8207
SHA1 hash: 5a7d521fea0380476e8eb1745c59e8a8ba644b5f
MD5 hash: 106eea3179a0e1b57aed6fd0f3a8a2c6
humanhash: foxtrot-skylark-texas-may
File name:ace64cbe1ef91a0b14602264fe0de8e3698cb8b901cbd6251b3fd11d87a0bef6
Download: download sample
Signature njrat
Create hunting rule
File size:3'971'072 bytes
First seen:2020-07-29 07:11:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep 98304:qviz/27qWGq/TzuqCDl2Ptao7jXYrR6MiI4vwNw:qviq75/Tzuf0EREI/Nw
Threatray 1'715 similar samples on MalwareBazaar
TLSH 8D06334175DC0427C9B113F238FD62D70BB4BCB2537A979BB0C961CE08A64E4A5B1BB6
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/34310/
Detection(s):
Win.Malware.Generic-6895514-0
Create hunting rule

PUA.Win.Tool.Netcat-6917729-0
Create hunting rule

SecuriteInfo.com.MSIL.Kryptik.UGA.6996.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Delayed reading of the file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Connection attempt
Searching for the window
Deleting a recently created file
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/401469
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Binary contains a suspicious time stamp
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 252972 Sample: 1PUUbeQ4YD Startdate: 29/07/2020 Architecture: WINDOWS Score: 72 56 Malicious sample detected (through community Yara rule) 2->56 58 Yara detected Njrat 2->58 60 .NET source code contains method to dynamically call methods (often used by packers) 2->60 62 2 other signatures 2->62 10 1PUUbeQ4YD.exe 1 13 2->10         started        13 Chrome.exe 2 2->13         started        16 Chrome.exe 2 2->16         started        18 2 other processes 2->18 process3 file4 46 C:\Users\user\AppData\Local\...\lua51.dll, PE32 10->46 dropped 48 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 10->48 dropped 50 C:\Users\user\AppData\Local\Temp\...\CDS.exe, PE32 10->50 dropped 20 CDS.exe 3 10->20         started        66 Machine Learning detection for dropped file 13->66 signatures5 process6 dnsIp7 54 192.168.2.1 unknown unknown 20->54 42 C:\Users\user\AppData\Local\...\crypted.exe, PE32 20->42 dropped 24 crypted.exe 4 20->24         started        file8 process9 file10 44 C:\Users\user\AppData\...\tmp2B4C.tmp.exe, PE32 24->44 dropped 64 Machine Learning detection for dropped file 24->64 28 tmp2B4C.tmp.exe 4 24->28         started        32 crypted.exe 24->32         started        34 crypted.exe 24->34         started        36 3 other processes 24->36 signatures11 process12 file13 52 C:\Users\user\AppData\Roaming\...\Chrome.exe, PE32 28->52 dropped 68 Machine Learning detection for dropped file 28->68 38 powershell.exe 1 18 28->38         started        signatures14 process15 process16 40 conhost.exe 38->40         started       
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ace64cbe1ef91a0b14602264fe0de8e3698cb8b901cbd6251b3fd11d87a0bef6/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 10:33:11 UTC
File Type:
PE (Exe)
Extracted files:
765
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vttezpq67enawfdaejsp4dpi4nuyzofzahf5mji3h7ir3b5ax33a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1f02d06a14d5e83c297271a24f9dad9f28d25e387bc65784077ddc27165290b5
njrat
250cfc3bf5271e6a5cdd6ebe240865bf2f960c877590b679c878181b42f85341
njrat
548c375182f63e134625ec757d001e42051be39bf22f4065932ba53557825312
njrat
9d50a832749b89ed5ac52dd84acf0ae6cd16196267401d1ad1cbfc8506f92bba
njrat
b0fedb5fc4232c07ff1161ddcc830cf11596ba2653cc7cea1d5666b4bab1f276
njrat
b2f041348835c102db3769245ee4c28dd00cb19c3c6710fc9c11228f3bbce61b
njrat
b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4
njrat
cfb6b2b831592f1ebd43929977ae4963f8c2b3b2472214c82c3c3c1513a6b54f
njrat
d286b259d2a986d300bffff49e6047c2e48af4d85e6936703e7b167266fdcc63
njrat
fc0ffda44e2748b424639a1592356cc209abf6045a8d6a069f5f562ea1f31763
njrat
+ 1'705 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
persistence evasion trojan family:njrat
Link:
https://tria.ge/reports/200729-v6xnveqres/
Behaviour
Suspicious behavior: AddClipboardFormatListener
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Modifies service
JavaScript code in executable
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ace64cbe1ef91a0b14602264fe0de8e3698cb8b901cbd6251b3fd11d87a0bef6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34310/

Comments