MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3f239159215935d46c660d48d64e6ba457c3d01b42eb400c993c82376d8eb30. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b3f239159215935d46c660d48d64e6ba457c3d01b42eb400c993c82376d8eb30
SHA3-384 hash: 8f87c4d8c3bfa18bd4a5d73b95bb7f12b6ab0df0349e8b846e6b1ed973e0adc8a3c8683aa46b6720473350fdcddd0564
SHA1 hash: 00f84b07abb14729dbde288facd551918b0d69af
MD5 hash: b0ac96d323d0000f0874331b26cbae57
humanhash: ceiling-maine-comet-shade
File name:b0ac96d323d0000f0874331b26cbae57.exe
Download: download sample
Signature njrat
Create hunting rule
File size:632'385 bytes
First seen:2020-12-18 09:22:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 890e522b31701e079a367b89393329e6 (25 x Formbook, 12 x AgentTesla, 8 x Loda)
ssdeep 12288:M6Wq4aaE6KwyF5L0Y2D1PqLqreE/+q0D7smZd0jyni:KthEVaPqLC+qSgEdC8i
Threatray 224 similar samples on MalwareBazaar
TLSH A1D423FFEB598C31D8FA77B391DA0293C0D0E742176C9F2856ACB4172D2B1446DA294E
Reporter abuse_ch
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
282
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b0ac96d323d0000f0874331b26cbae57.exe
Verdict:
Malicious activity
Analysis date:
2020-12-18 09:32:40 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/982b9ec3-0f0a-4b2f-93cf-bab1f19520f5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/108354/
Detection(s):
PUA.Win.Packer.Upx-48
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Trojan.Autoit-771
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the system32 subdirectories
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/566191
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to detect sleep reduction / modifications
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Creates executable files without a name
Drops PE files to the startup folder
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 332178 Sample: ArvD6aN10p.exe Startdate: 18/12/2020 Architecture: WINDOWS Score: 66 43 geant80hd.linkpc.net 2->43 47 Malicious sample detected (through community Yara rule) 2->47 49 Antivirus detection for dropped file 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 8 other signatures 2->53 11 ArvD6aN10p.exe 4 2->11         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\Serial_Otp-v0.4.exe, PE32 11->37 dropped 39 C:\Users\user\AppData\Local\Temp\8.exe, PE32 11->39 dropped 14 8.exe 8 11->14         started        18 Serial_Otp-v0.4.exe 17 15 11->18         started        process6 file7 41 C:\Users\user\Desktop\.exe, PE32 14->41 dropped 69 Antivirus detection for dropped file 14->69 71 Multi AV Scanner detection for dropped file 14->71 73 Machine Learning detection for dropped file 14->73 75 Creates executable files without a name 14->75 20 .exe 2 5 14->20         started        77 Contains functionality to detect sleep reduction / modifications 18->77 signatures8 process9 file10 33 C:\Users\user\AppData\...\epsonmmmmi2.exe, PE32 20->33 dropped 55 Antivirus detection for dropped file 20->55 57 Multi AV Scanner detection for dropped file 20->57 59 Machine Learning detection for dropped file 20->59 24 epsonmmmmi2.exe 2 6 20->24         started        signatures11 process12 dnsIp13 45 geant80hd.linkpc.net 41.102.38.59, 1177 ALGTEL-ASDZ Algeria 24->45 35 C:\...\c741c17e298e3c4e58b64ba96c6b9010.exe, PE32 24->35 dropped 61 Antivirus detection for dropped file 24->61 63 Multi AV Scanner detection for dropped file 24->63 65 Protects its processes via BreakOnTermination flag 24->65 67 3 other signatures 24->67 29 netsh.exe 1 3 24->29         started        file14 signatures15 process16 process17 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b3f239159215935d46c660d48d64e6ba457c3d01b42eb400c993c82376d8eb30/
Threat name:
Win32.Trojan.Dynamer
Create hunting rule
Status:
Malicious
First seen:
2016-07-13 01:09:00 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
61322bfef06e7fda9e84ad05a402f63f3ece7013120081ca2d3cdbfd4cfbc807
njrat
647260f08017b3f63e2c5178e751b9d37503850cc18aeaa367506e7808b1e249
njrat
6c5e170ec02d30c57a8bbceb8533eb73efd7b46f8ae1cd6e552fa6a5656afb36
njrat
6ffadd114c7180e8dbbac5751036b4962884662dc5495b6f9988d9c48d26949c
njrat
8dcf1ddad7fe3c955ea0713dc7d72a97589490c47f12c163c2f5e19746cea11e
njrat
c5d7176d2929750e2c3706f1cf41a356e7bf132ca4fcd994796e9f913b0a2fa3
njrat
c6b1bd6ce756a09bc3ce5b1b322abb8cc9700a640cc37cb8c32ebfc1eb433184
njrat
d32f540a1a99336a0cca85ebab89d071b4fcebb62a797074975eabce3662d380
njrat
fb400e7c4b16ab67fa5c080f8b1e7f7db965b77d097526a6a28ef5ca34f24bd9
njrat
fe93d4797dcffea0d8a5bd8dae89f6012fe45fd730e640e18a264d42fa17945e
njrat
+ 214 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence upx
Link:
https://tria.ge/reports/201218-c6kdjhnvje/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Drops desktop.ini file(s)
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
b3f239159215935d46c660d48d64e6ba457c3d01b42eb400c993c82376d8eb30
MD5 hash:
b0ac96d323d0000f0874331b26cbae57
SHA1 hash:
00f84b07abb14729dbde288facd551918b0d69af
Link:
https://www.unpac.me/results/8979529d-0783-42f0-b2f9-7bceb372ee91/
SH256 hash:
8054476b071c6323400a30a64e760587f5db2655c92fb4e39487f569d81c48b9
MD5 hash:
0833745e8708a50c8555abd8fb683553
SHA1 hash:
6332114e8825c5577f277a0a6589caf7b2661f0e
Link:
https://www.unpac.me/results/8979529d-0783-42f0-b2f9-7bceb372ee91/
SH256 hash:
fdc847b575fd7c8d1c635983fdea0551200f6ee5dae03c3523867cf1e25259d0
MD5 hash:
88ce64bab90e052480ac3f76b743cfbe
SHA1 hash:
e3ed9192757df3ba1494ebc7dcb3dbe85686da8f
Link:
https://www.unpac.me/results/8979529d-0783-42f0-b2f9-7bceb372ee91/
SH256 hash:
311c4cf65048dc4a45884ac7ccb524873cfb7f4fdb917d6b17982f773dc3c96f
MD5 hash:
c2da48cc6ce60bb5e055bdc9c8b960f9
SHA1 hash:
9287438874100845eacaabd2333b6b6f716fcb3e
Link:
https://www.unpac.me/results/8979529d-0783-42f0-b2f9-7bceb372ee91/
SH256 hash:
5bdfb6bd50e89279f5be120f448b477c857afc2e6c5d9ff2f0d56e08d6c1ebfc
MD5 hash:
9af4f413151ae202ba6999711a8498fa
SHA1 hash:
4d45aa398e1f018fa3f3631deaab83d490e3145c
Detections:
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/8979529d-0783-42f0-b2f9-7bceb372ee91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b3f239159215935d46c660d48d64e6ba457c3d01b42eb400c993c82376d8eb30

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/108354/

Comments