MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4d493227e334e826fbb6dcbca9110478d6f23596b1c0d141b38e97d7d8ade33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	b4d493227e334e826fbb6dcbca9110478d6f23596b1c0d141b38e97d7d8ade33
SHA3-384 hash:	c8ea4a80a996299903b45cd87937d693ab49a6a4c85465b42fde074035059d9c0c74cdc42aa63e06ad516ebe701fa45f
SHA1 hash:	1f433446c3a40fa15babcc6d629a8924b55299ad
MD5 hash:	474f92f591dda1b1a9a74e7b7f339894
humanhash:	friend-low-winner-pasta
File name:	W1rh45g5.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	79'872 bytes
First seen:	2020-10-14 14:17:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	1536:xt6+6Y9yhU19DppS5wpOk3JCK6pFoRXd6fOpd/9nEh9TGSJAR:WhU19QwpOk5CK6DO/9ESSJA
Threatray	7 similar samples on MalwareBazaar
TLSH	5B733A4877F54A12D1BF0EB5897292220B35FC076D26F76D09D174AA5FB36C08A09FB2
Reporter	pmelson
Tags:	exe NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

138

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/70791/

Detection(s):

Win.Trojan.B-468

Win.Trojan.Bladabindi-6192388-0

Win.Trojan.Generic-6417450-0

Win.Trojan.Generic-6454614-0

Win.Trojan.Generic-6454615-0

Win.Packed.Barys-6880522-0

Win.Dropper.njRAT-7436651-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connecting to a non-recommended domain

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Enabling a "Do not show hidden files" option

Result

Threat name:

Njrat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/491020

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Changes the view of files in windows explorer (hidden files and folders)

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/b4d493227e334e826fbb6dcbca9110478d6f23596b1c0d141b38e97d7d8ade33/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2020-10-14 14:19:05 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wtkjgit6gnhie353nxf4veiqi6gw6i2znmoa2fa3hdux27mk3yzq._file

Verdict:

malicious

njrat

208a8cfdd915e43d58459d4e082efbbf58c649933c09c18c52bc95d34f9725ce

njrat

62e099194f9f946b0c0dd4c474c862dadb605101b87dc2eb7b8e43f6510ae3d1

njrat

bf0452ef3eb6c2e6f2ea84b2bf649a024f6190b0baae26e21c9790820171581f

njrat

c530a21d1704688f69168de95d24fbf2060fdcb4b7afcc0fda9035906a8c565d

njrat

ce66906eb9b0e76d2b0e9b313e84c543412ae3ab598e57dce0b913759946254e

njrat

d9d43f3164fba1aceb44777a7e89de0d62ef5f196ae713effcc8a893eff20e5f

njrat

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201014-qwtjtfzt8a/

Behaviour

Suspicious use of AdjustPrivilegeToken

Unpacked files

SH256 hash:

b4d493227e334e826fbb6dcbca9110478d6f23596b1c0d141b38e97d7d8ade33

MD5 hash:

474f92f591dda1b1a9a74e7b7f339894

SHA1 hash:

1f433446c3a40fa15babcc6d629a8924b55299ad

Detections:

win_njrat_w1

win_njrat_g1

Link:

https://www.unpac.me/results/d683a999-bc31-4793-b5b2-ecc14bc71c98/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NJRat

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b4d493227e334e826fbb6dcbca9110478d6f23596b1c0d141b38e97d7d8ade33

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	CN_disclosed_20180208_c Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	Select_from_enumeration Create hunting rule
Author:	James_inthe_box
Description:	IP and port combo

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

exe b4d493227e334e826fbb6dcbca9110478d6f23596b1c0d141b38e97d7d8ade33

(this sample)

Link

https://www.virustotal.com/gui/file/b4d493227e334e826fbb6dcbca9110478d6f23596b1c0d141b38e97d7d8ade33/detection

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/70791/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample