MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b191be04048fdc73a8c07a809940af3db699b1e7691987830d3cb29db4bb6be1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b191be04048fdc73a8c07a809940af3db699b1e7691987830d3cb29db4bb6be1
SHA3-384 hash: 2191aefdb022e248dbf43acf8bfd4b151db1f804f351a999d4e5f8c6ba230edbadb63677933385a63881fa3fc17beddc
SHA1 hash: 96b746fe643a843c3f96b44c998079de34596881
MD5 hash: a7a88c095a854da3f0468d13c1fd9ac2
humanhash: sad-tango-august-nine
File name:a7a88c095a854da3f0468d13c1fd9ac2.exe
Download: download sample
Signature njrat
Create hunting rule
File size:13'577'190 bytes
First seen:2025-01-09 00:10:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 72c4e339b7af8ab1ed2eb3821c98713a (50 x BlankGrabber, 26 x PythonStealer, 7 x LunaStealer)
ssdeep 393216:KH+T9Asq0Jfkrnov5VlYdQdF3MnG38GrNs:KH+T9Ae5VlYdQ73MGsL
TLSH T102D63346B3E11CE2F5632979C086990882B1FD960B74CB52076AA7BE0F5B6501D3FF6C
TrID 70.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
12.9% (.EXE) Win64 Executable (generic) (10522/11/4)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
2.5% (.ICL) Windows Icons Library (generic) (2059/9)
2.4% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon c6c2ccc4f4e0e0f8 (47 x PythonStealer, 26 x CoinMiner, 24 x SVCStealer)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
45.137.201.181:511

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
45.137.201.181:511 https://threatfox.abuse.ch/ioc/1376898/

Intelligence

File Origin
# of uploads :
1
# of downloads :
542
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
a7a88c095a854da3f0468d13c1fd9ac2.exe
Verdict:
Malicious activity
Analysis date:
2025-01-09 00:14:43 UTC
Tags:
stealer blankgrabber screenshot rat njrat bladabindi remote python evasion discord pyinstaller susp-powershell discordgrabber generic growtopia upx
Link:
https://app.any.run/tasks/75c43feb-b5b7-4486-bf44-5647f54aa303

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.FileRepMalware.22561.28030.UNOFFICIAL
Create hunting rule

Win.Malware.Tedy-10036920-0
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=677f1525c029bd73f2877578
Tags:
crimsonrat vmdetect autorun njrat
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Restart of the analyzed sample
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a process from a recently created file
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Enabling the 'hidden' option for files in the %temp% directory
Creating a file
Reading critical registry keys
Searching for synchronization primitives
Launching a process
Launching the process to change network settings
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Unauthorized injection to a recently created process
Stealing user critical data
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
bladabindi expand lolbin microsoft_visual_cc overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/677f1419bc4dbaccf2657387/reports/a23b0fc9-baa9-4133-a0db-5789c373ae45/overview
Verdict:
Malicious
Labled as:
Tedy.600889;Gen:MSIL.Krypt.Generic
Link:
https://www.hybrid-analysis.com/sample/b191be04048fdc73a8c07a809940af3db699b1e7691987830d3cb29db4bb6be1
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b17d55e5-3853-4104-a6ed-0d0dcaaa3053
Result
Threat name:
Blank Grabber, Njrat
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1586392
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Modifies the windows firewall
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Capture Wi-Fi password
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Njrat
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1586392 Sample: I334hDwRjj.exe Startdate: 09/01/2025 Architecture: WINDOWS Score: 100 109 ptb.discord.com 2->109 111 ip-api.com 2->111 119 Suricata IDS alerts for network traffic 2->119 121 Found malware configuration 2->121 123 Malicious sample detected (through community Yara rule) 2->123 125 18 other signatures 2->125 14 I334hDwRjj.exe 14 2->14         started        17 wina32.exe 2->17         started        19 wina32.exe 2->19         started        21 wina32.exe 2->21         started        signatures3 process4 file5 89 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 14->89 dropped 91 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 14->91 dropped 93 C:\Users\user\AppData\Local\...\python311.dll, PE32+ 14->93 dropped 95 9 other files (8 malicious) 14->95 dropped 23 I334hDwRjj.exe 14->23         started        process6 process7 25 cmd.exe 1 23->25         started        28 cmd.exe 1 23->28         started        signatures8 127 Suspicious powershell command line found 25->127 129 Encrypted powershell cmdline option found 25->129 131 Bypasses PowerShell execution policy 25->131 133 5 other signatures 25->133 30 Built.exe 22 25->30         started        34 conhost.exe 25->34         started        36 Server.exe 1 5 28->36         started        38 conhost.exe 28->38         started        process9 file10 97 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 30->97 dropped 99 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 30->99 dropped 101 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 30->101 dropped 105 16 other files (15 malicious) 30->105 dropped 157 Multi AV Scanner detection for dropped file 30->157 159 Modifies Windows Defender protection settings 30->159 161 Adds a directory exclusion to Windows Defender 30->161 167 2 other signatures 30->167 40 Built.exe 1 89 30->40         started        103 C:\ProgramData\wina32.exe, PE32 36->103 dropped 163 Antivirus detection for dropped file 36->163 165 Machine Learning detection for dropped file 36->165 44 wina32.exe 36->44         started        signatures11 process12 dnsIp13 113 ip-api.com 208.95.112.1, 49917, 80 TUT-ASUS United States 40->113 115 ptb.discord.com 162.159.137.232, 443, 49922 CLOUDFLARENETUS United States 40->115 135 Found many strings related to Crypto-Wallets (likely being stolen) 40->135 137 Tries to harvest and steal browser information (history, passwords, etc) 40->137 139 Modifies Windows Defender protection settings 40->139 147 5 other signatures 40->147 47 cmd.exe 1 40->47         started        50 cmd.exe 40->50         started        52 cmd.exe 1 40->52         started        56 23 other processes 40->56 117 45.137.201.181, 49766, 511 ASSEFLOWAmsterdamInternetExchangeAMS-IXIT Germany 44->117 83 C:\...\10f6dfefb59a013e09257779b7022e13.exe, PE32 44->83 dropped 141 Antivirus detection for dropped file 44->141 143 Multi AV Scanner detection for dropped file 44->143 145 Machine Learning detection for dropped file 44->145 149 3 other signatures 44->149 54 netsh.exe 44->54         started        file14 signatures15 process16 signatures17 169 Modifies Windows Defender protection settings 47->169 171 Removes signatures from Windows Defender 47->171 58 powershell.exe 23 47->58         started        74 2 other processes 47->74 173 Encrypted powershell cmdline option found 50->173 61 powershell.exe 50->61         started        64 conhost.exe 50->64         started        175 Adds a directory exclusion to Windows Defender 52->175 66 powershell.exe 52->66         started        68 conhost.exe 52->68         started        70 conhost.exe 54->70         started        177 Suspicious powershell command line found 56->177 179 Tries to harvest and steal WLAN passwords 56->179 72 getmac.exe 56->72         started        76 45 other processes 56->76 process18 file19 151 Loading BitLocker PowerShell Module 58->151 85 C:\Users\user\AppData\...\anm4v3bl.cmdline, Unicode 61->85 dropped 78 csc.exe 61->78         started        153 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 72->153 155 Writes or reads registry keys via WMI 72->155 87 C:\Users\user\AppData\Local\Temp\haaNR.zip, RAR 76->87 dropped signatures20 process21 file22 107 C:\Users\user\AppData\Local\...\anm4v3bl.dll, PE32 78->107 dropped 81 cvtres.exe 78->81         started        process23
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b191be04048fdc73a8c07a809940af3db699b1e7691987830d3cb29db4bb6be1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b191be04048fdc73a8c07a809940af3db699b1e7691987830d3cb29db4bb6be1/
Threat name:
ByteCode-MSIL.Backdoor.njRAT
Create hunting rule
Status:
Malicious
First seen:
2024-12-16 20:53:00 UTC
File Type:
PE+ (Exe)
Extracted files:
979
AV detection:
25 of 38 (65.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgi34baer7ohhkgapkajsqfphw3jtmphnemypaynhszj3nf3npqq._file
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller spyware stealer trojan upx
Link:
https://tria.ge/reports/250109-aglxnasjhn/
Behaviour
Detects videocard installed
Gathers system information
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Browser Information Discovery
Enumerates processes with tasklist
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Clipboard Data
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Njrat family
njRAT/Bladabindi
Malware Config
C2 Extraction:
45.137.201.181:511
Verdict:
Malicious
Tags:
njrat bladabindi Win.Malware.Tedy-10036920-0
YARA:
n/a
Link:
https://app.threat.zone/submission/f53fc497-3375-4272-9074-59a78bda6cf9
Unpacked files
SH256 hash:
e0322696268e3a36bcc88a250aeba73ad66fe5d9f148a2784c529d092664786a
MD5 hash:
61cbf8276f326c38b7baadfefe1322bd
SHA1 hash:
18d79261906d0bb3aad9e547f00ddfa239d002a3
Link:
https://www.unpac.me/results/8b594b28-c7db-4947-bd6a-c77e8351febc/
SH256 hash:
85178bd5f906c8849d2715e407ab56ad521ab53b948a45d20e5a71f6d7b43099
MD5 hash:
b00eda763f50475c5360127a91de07ed
SHA1 hash:
a9db2a1859ab0882fbecdd55e600c84fef0fb59f
Detections:
NjRat
Create hunting rule
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
MALWARE_Win_NjRAT
Create hunting rule
Link:
https://www.unpac.me/results/8b594b28-c7db-4947-bd6a-c77e8351febc/
SH256 hash:
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790
MD5 hash:
97ee623f1217a7b4b7de5769b7b665d6
SHA1 hash:
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0
Link:
https://www.unpac.me/results/8b594b28-c7db-4947-bd6a-c77e8351febc/
SH256 hash:
b191be04048fdc73a8c07a809940af3db699b1e7691987830d3cb29db4bb6be1
MD5 hash:
a7a88c095a854da3f0468d13c1fd9ac2
SHA1 hash:
96b746fe643a843c3f96b44c998079de34596881
Link:
https://www.unpac.me/results/8b594b28-c7db-4947-bd6a-c77e8351febc/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b191be04048f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b191be04048fdc73a8c07a809940af3db699b1e7691987830d3cb29db4bb6be1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:PyInstaller
Create hunting rule
Author:@bartblaze
Description:Identifies executable converted using PyInstaller. This rule by itself does NOT necessarily mean the detected file is malicious.
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::ConvertSidToStringSidW
ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::GetTokenInformation
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDriveTypeW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::FindFirstFileW
KERNEL32.dll::RemoveDirectoryW
KERNEL32.dll::SetDllDirectoryW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments