MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae380a8d4305031f7dba4fe2c7f4ce47784f5cb6b65aaa150388f3422c70b685. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs 4 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae380a8d4305031f7dba4fe2c7f4ce47784f5cb6b65aaa150388f3422c70b685
SHA3-384 hash: af13cf658a366c9f59ff016f2dfb33d1d7f73bf78845d7b28be4d90651e86c7334eb4f36a042ce1cfb115917f6b2376f
SHA1 hash: eed53486cf1a8d3df8d86d4de50079aa0fe133f5
MD5 hash: 0ba3affabcc7040c8e4c2568131306b6
humanhash: football-spaghetti-missouri-golf
File name:0BA3AFFABCC7040C8E4C2568131306B6.exe
Download: download sample
Signature njrat
Create hunting rule
File size:57'856 bytes
First seen:2021-04-05 21:20:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 1536:EkrhAn5ZrOTAlEDQ9yKC7ZQCtUW2f9D6aaNoU/q:hrhi51OwrCVQzW2fUxKU/q
Threatray 405 similar samples on MalwareBazaar
TLSH 8943F20973E0B077D25B873B68E793C63FE6EC498BA7CB0E3C4B446599996186313648
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.128.107.74:12616

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.128.107.74:12616 https://threatfox.abuse.ch/ioc/6885/
3.138.45.170:12616 https://threatfox.abuse.ch/ioc/6886/
3.22.53.161:12616 https://threatfox.abuse.ch/ioc/6887/
3.131.207.170:12616 https://threatfox.abuse.ch/ioc/6888/

Intelligence

File Origin
# of uploads :
1
# of downloads :
241
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0BA3AFFABCC7040C8E4C2568131306B6.exe
Verdict:
Malicious activity
Analysis date:
2021-04-05 21:29:26 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/8dab187f-1d44-4a56-977f-0ed5d925a35d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132474/
Detection(s):
Win.Packed.Razy-7334624-0
Create hunting rule

ditekSHen.INDICATOR.Packed.NyanXCAT-CSharpLoader.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching the process to change the firewall settings
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/738823e0-a690-479e-8293-5508de1a3ce2
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/666593
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ae380a8d4305031f7dba4fe2c7f4ce47784f5cb6b65aaa150388f3422c70b685/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2021-04-03 15:15:00 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vy4avdkdaubr67n2j7rmp5goi54e6xfwwznkufidrdzueldqw2cq._file
Verdict:
malicious
Similar samples:
153e5b1b4b51f9f27c38a24577764a9873ea08467348b5a2db04f2a13c49e291
njrat
206daa7d62850c579968f14560f06ba362ded251da3a8faeb9a331dd862b970f
njrat
25321bc3e274b62ff03c184cd1a058645d41f842ce0b368019912ada6b3f34df
njrat
27f7e212954191d2fc10676ad69942421e904a5719cb2001149de2bb38c0610f
njrat
2a22805bbe73a869fc9240d722d6cfb22c582683918103bda90f3a321756c44d
njrat
329c2259d6015d98464322b873b783d18da6ac1a13d7ec40d1de9f143659b1bb
njrat
9b7a11ff4bbed4f1c548267a7f68b534efe5709d58a1dd9dbdfdcce133be334d
njrat
dfa0c14670f8df1eac3e005262e901622c0ec1ccdcc91fd8aedb93da5a32ad64
njrat
f6204acfaf5b611f3d970a483d6929ec7a37cbc31e5c8977e7267f20026fb1ea
njrat
fefdd2a90c1eda565689d37b29b0a36d479f18ef17a1c631eb021ccb9a62e8b7
njrat
+ 395 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/210405-1r7vknpgkj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Modifies Windows Firewall
Unpacked files
SH256 hash:
697b4b93c4e7d61c828a29733e24410d4b1187f665f414d0c79b74a95ba6f94b
MD5 hash:
104e90dcba551d80b77c6fd6f8c8c552
SHA1 hash:
046aeb6fdf5d80dd251f479041427dbcbbf19cea
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/6085c165-d7b0-4631-8ed5-fbc07707f0a5/
SH256 hash:
ae380a8d4305031f7dba4fe2c7f4ce47784f5cb6b65aaa150388f3422c70b685
MD5 hash:
0ba3affabcc7040c8e4c2568131306b6
SHA1 hash:
eed53486cf1a8d3df8d86d4de50079aa0fe133f5
Link:
https://www.unpac.me/results/6085c165-d7b0-4631-8ed5-fbc07707f0a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae380a8d4305031f7dba4fe2c7f4ce47784f5cb6b65aaa150388f3422c70b685

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_NyanXCat_CSharpLoader
Create hunting rule
Author:ditekSHen
Description:Detects .NET executables utilizing NyanX-CAT C# Loader
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132474/

Comments