MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1b8ff83e0ab9708e7d30f7df18834705dcb8576226581cb6a9a8995286728d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1b8ff83e0ab9708e7d30f7df18834705dcb8576226581cb6a9a8995286728d5
SHA3-384 hash: 86c93be465a6f235be9d518a924a333535d2b406b373723a9829982fdb13ddf0f9b245a731112a88b970ede39016bca6
SHA1 hash: be21f7a59cd5a1b0d5fed5e45871b265e297ee44
MD5 hash: d1db5fbae44a71818cc4c78fff7da741
humanhash: october-lithium-item-hot
File name:paymentinfo.exe
Download: download sample
Signature njrat
Create hunting rule
File size:593'920 bytes
First seen:2023-05-30 05:50:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:guRP2B0xTGlxNqvNu2hZ+nUEsn9Lm1eGY/kzm5oV7tM0xXXR:gmPLaVUH9996ItebpM4x
Threatray 1'866 similar samples on MalwareBazaar
TLSH T18EC41268A69B802FD79B1FB80848377865BC87C9FD61D7271D87A0E8DB07E0D4582396
TrID 69.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
1.9% (.EXE) Win16/32 Executable Delphi generic (2072/23)
File icon (PE):PE icon
dhash icon 0060696969714410 (13 x AgentTesla, 7 x SnakeKeylogger, 7 x Loki)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
194.55.224.37:7777

Intelligence

File Origin
# of uploads :
1
# of downloads :
308
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
paymentinfo.exe
Verdict:
Malicious activity
Analysis date:
2023-05-30 05:51:15 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/5f8f8444-19a1-40e9-ab10-1b23abd3593d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/393274/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.19483.21400.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
bladabindi packed
Link:
https://www.filescan.io/uploads/64758ec7c5640fa6ccd02f0c/reports/8d15fa1e-420b-436b-95c4-08970b986515/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/b1b8ff83e0ab9708e7d30f7df18834705dcb8576226581cb6a9a8995286728d5
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/05fde9c5-12f6-412b-9c35-42f5a3b2f374
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1244895
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 877901 Sample: paymentinfo.exe Startdate: 30/05/2023 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 6 other signatures 2->46 7 paymentinfo.exe 7 2->7         started        11 WUEvUptAo.exe 5 2->11         started        process3 file4 30 C:\Users\user\AppData\Roaming\WUEvUptAo.exe, PE32 7->30 dropped 32 C:\Users\...\WUEvUptAo.exe:Zone.Identifier, ASCII 7->32 dropped 34 C:\Users\user\AppData\Local\...\tmp4C8B.tmp, XML 7->34 dropped 36 C:\Users\user\AppData\...\paymentinfo.exe.log, ASCII 7->36 dropped 48 Uses schtasks.exe or at.exe to add and modify task schedules 7->48 50 Adds a directory exclusion to Windows Defender 7->50 52 Injects a PE file into a foreign processes 7->52 13 paymentinfo.exe 2 5 7->13         started        16 powershell.exe 21 7->16         started        18 schtasks.exe 1 7->18         started        54 Multi AV Scanner detection for dropped file 11->54 56 Machine Learning detection for dropped file 11->56 20 schtasks.exe 1 11->20         started        22 WUEvUptAo.exe 1 11->22         started        signatures5 process6 dnsIp7 38 194.55.224.37, 49694, 7777 LVLT-10753US Germany 13->38 24 conhost.exe 16->24         started        26 conhost.exe 18->26         started        28 conhost.exe 20->28         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1b8ff83e0ab9708e7d30f7df18834705dcb8576226581cb6a9a8995286728d5/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2023-05-30 05:04:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
15 of 37 (40.54%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wg4p7a7avolqrz6tb567dcbuobo4xblwejsyds3ktkezkkdhfdkq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
104ef2e1223676a6d315da9de43b53286de58d5a390cb6d8c0ef391e7ee23a86
njrat
114f4e62ec2b81ab45799a56b183ef282b2bc5c172fd9831af33c154b23034ea
njrat
16cb75f304ead30d5c624f026272b3c6a3b533f087197c240fa92b1b69646045
njrat
21a5e58e2fe39e481f9977f94a94d352c4c492e9bd6d79d4ae3bbf4cc4a2d751
njrat
2484f3b9e112f39471b0375d98ac190b4ffe3e29a295bcecdb8fd7b71af0094b
njrat
4634594a43ca9d6f4630aecf8a17a04a1b2e942cafa3080a4064e2ec7741bd5f
njrat
6053c5c3a4202b8c2e6b2f176a99c980233f63024be06b67d3a30e2f0b4470f4
njrat
8e3f656f70978440245c238870f316ccdbfbadff73350dd6d204c9035cc00357
njrat
bdc2674f2a97b86c7ad40c521aaa21dc112acb9a8076f163929b992875288e7c
njrat
+ 1'856 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked trojan
Link:
https://tria.ge/reports/230530-gj57msfh3y/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
njRAT/Bladabindi
Malware Config
C2 Extraction:
194.55.224.37:7777
Unpacked files
SH256 hash:
5fb0a47655262dd5a89100938881bfcf0c3c39a5a2e10e86cb88f2625ee07311
MD5 hash:
41a64bffca31c8e511da84be6508d79b
SHA1 hash:
e1f2c24f265ab58c17083eb18b332314c627608f
Link:
https://www.unpac.me/results/2564e714-afb5-4684-9e10-64ebd9e242fd/
SH256 hash:
16c255190eaaf1b60ec7d07abcac5f614ea197cee2416ca9d01bb563c526c87d
MD5 hash:
fb4ed205b442f470bbf10913128efdcb
SHA1 hash:
9a0a4c5ae429769e3253a9a3daefa24270b87a5b
Link:
https://www.unpac.me/results/2564e714-afb5-4684-9e10-64ebd9e242fd/
Parent samples :
ee57b6fa1e5a3c5ef776b79f32820327bcb3fe1974eeddf65c0eb56131193397
de8c7c543f438af1e7e78096f6873268e9b1a12745edf9c88db07e136163399e
SH256 hash:
d093ace4392ccfde0d8f56c4f92fae34ab8cb4dbff28884c453486d3201bdcca
MD5 hash:
6e567538131e7f59e85ca344b7086605
SHA1 hash:
8033687cbc39a8c2bb8a1dcd5eb622a3551e30f0
Link:
https://www.unpac.me/results/2564e714-afb5-4684-9e10-64ebd9e242fd/
SH256 hash:
f65d6c87102a18d7897c08ba82697e0b4808a8307b584d25a42aea016a41e7f8
MD5 hash:
7299310139d8fd6d9f2c067d13b3824e
SHA1 hash:
3bbc1160b82f289b5e8683d790a2ec1263998930
Link:
https://www.unpac.me/results/2564e714-afb5-4684-9e10-64ebd9e242fd/
SH256 hash:
c9e68e9e194672c37875eb7c12e93057dbc261b8eb826e7d9a2c659e7c92b662
MD5 hash:
5b134e22a0aea61836599c5576d2c171
SHA1 hash:
31c9731ba63ab01aaaef66506d0b59e4442446fa
Link:
https://www.unpac.me/results/2564e714-afb5-4684-9e10-64ebd9e242fd/
SH256 hash:
b1b8ff83e0ab9708e7d30f7df18834705dcb8576226581cb6a9a8995286728d5
MD5 hash:
d1db5fbae44a71818cc4c78fff7da741
SHA1 hash:
be21f7a59cd5a1b0d5fed5e45871b265e297ee44
Link:
https://www.unpac.me/results/2564e714-afb5-4684-9e10-64ebd9e242fd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1b8ff83e0ab9708e7d30f7df18834705dcb8576226581cb6a9a8995286728d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/393274/

Comments