MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3a40e1d85f1e1608acf07414a8dea2730c0de0d824bc6165856b8fe00e8ed3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3a40e1d85f1e1608acf07414a8dea2730c0de0d824bc6165856b8fe00e8ed3d
SHA3-384 hash: 40ca79d42d57d379766806396eb38db45b33120d22302992fb46792a9a501a84125fa4bb4b78e65259d92eb8e61c2358
SHA1 hash: 26ac6a26196a9e2255bce6f4e5a1a1f8f14b91a6
MD5 hash: ba7bd95f99307975cc4af3048c9ba46e
humanhash: washington-arkansas-edward-kentucky
File name:b3a40e1d85f1e1608acf07414a8dea2730c0de0d824bc6165856b8fe00e8ed3d
Download: download sample
Signature njrat
Create hunting rule
File size:394'093 bytes
First seen:2020-07-06 07:00:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ad4a673108fd270b8f9861d4ea649547 (1 x njrat)
ssdeep 6144:UF8sbVQehlX8uju6BjI6icvTseKBjI6icvTse4Ug43d2rpbGDwG/K6786TEnCAIK:s8sbVQehFBuOjDnvr+jDnvrTjlzGj
Threatray 59 similar samples on MalwareBazaar
TLSH 7F846D86FA865DF3ED22037848E6D33B033EB6904A16CF67E960D9394E539E16DC4706
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Bladabindi
Create hunting rule
Link:
https://www.capesandbox.com/analysis/20991/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Launching cmd.exe command interpreter
Creating a process from a recently created file
Launching a process
Creating a file in the %temp% directory
Creating a process with a hidden window
Creating a window
DNS request
Connection attempt
Setting a single autorun event
Launching the process to change the firewall settings
Deleting of the original file
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3a40e1d85f1e1608acf07414a8dea2730c0de0d824bc6165856b8fe00e8ed3d/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-07-03 00:42:37 UTC
File Type:
PE (Exe)
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wosa4hmf6hqwbcwpa5auvdpke4ymbxqnqjf4mfsyk24p4ahi5u6q._file
Verdict:
malicious
Similar samples:
14262b3cd2627ba46dca74fa62e17a3ecb3853982a81a8e39a0c41a5077974c4
njrat
27f7e212954191d2fc10676ad69942421e904a5719cb2001149de2bb38c0610f
njrat
6739301df01608fd2317175f72add2c77d998e16d5b37b30c6940a468a478d7a
njrat
674e6af13bc6b40d023c0d9306b7ba538f8dc7110da48067174858b605851aa1
njrat
9d1f32d9806bafd63451a59e1768502f31cf9dc746c9e92f62b978c1ed259497
njrat
b3bb77a17e54a662b6fed76d2537ad3a27ec2ab051f913a9aa1207219d96c30f
njrat
ba38f08588d75d7ffd054253f4afd1d9803c2c0f5f390f35214c0b552840793d
njrat
dfa0c14670f8df1eac3e005262e901622c0ec1ccdcc91fd8aedb93da5a32ad64
njrat
ed34d4eba0bc7d434f32bb9bca0147632592656ddf0c2aa892fbee54b0850ff1
njrat
f0caf48005d504dfb402e3ef4b137187e9ffa0d903099222560d7f4a8885358d
njrat
+ 49 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/200706-dpv8kqdfv2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Modifies service
Suspicious use of SetThreadContext
Adds Run entry to start application
Deletes itself
Identifies Wine through registry keys
Loads dropped DLL
Identifies Wine through registry keys
Executes dropped EXE
Looks for VMWare Tools registry key
Modifies Windows Firewall
Looks for VMWare Tools registry key
Modifies Windows Firewall
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Enumerates VirtualBox registry keys
Looks for VirtualBox Guest Additions in registry
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/20991/

Comments