MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs YARA 32 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f
SHA3-384 hash: 4b6d7cdb4e3e474dfedd57749f0c825ce08d60969497f93970a69bc9d55e0c4e68b1ef8510032391e320401af760d9e4
SHA1 hash: 451423d5690cffa02741d5da6e7c45bc08aefb55
MD5 hash: 6fb798f1090448ce26299c2b35acf876
humanhash: jupiter-johnny-lamp-aspen
File name:Trojan-PSW.Win32.Stealer.xuv-b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f.exe
Download: download sample
Signature njrat
Create hunting rule
File size:3'733'504 bytes
First seen:2022-09-18 18:03:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:pAdy2TU151ZIpH8YcItGTHF+iSfI77agdayaW/ej:gy5Ls8YcItWFXlWZVy
Threatray 15'719 similar samples on MalwareBazaar
TLSH T1840612227B504566C0AA0630E4BE96E0357D6DC31612B7DF93D3EB2E4E712C3DA911EB
TrID 49.5% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
20.6% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
18.3% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
3.2% (.SCR) Windows screen saver (13101/52/3)
2.6% (.EXE) Win64 Executable (generic) (10523/12/4)
Reporter petikvx
Tags:NjRAT Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
396
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
RIP_YOUR_PC_LOL.exe
Verdict:
Malicious activity
Analysis date:
2021-12-12 12:13:13 UTC
Tags:
installer trojan rat redline evasion stealer vidar raccoon keylogger hawkeye azorult loader nanocore backdoor dcrat miner fareit pony njrat bladabindi
Link:
https://app.any.run/tasks/e6303db1-68db-4965-b8bc-e571094ef24b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/311115/
Detection(s):
Win.Trojan.NanoCore-9852758-0
Create hunting rule

PUA.Win.Packer.Asprotect-3
Create hunting rule

Win.Packed.Bladabindi-7994427-0
Create hunting rule

Win.Packed.Razy-9625918-0
Create hunting rule

Win.Packed.Generic-9777790-0
Create hunting rule

Win.Trojan.Generic-9783914-0
Create hunting rule

Win.Packed.AsyncRAT-9856570-1
Create hunting rule

Win.Packed.AsyncRAT-9861056-1
Create hunting rule

Win.Dropper.Nancrat-9869495-0
Create hunting rule

Win.Dropper.Nanocore-9916514-0
Create hunting rule

Win.Trojan.Generic-6417450-0
Create hunting rule

Win.Trojan.Generic-6454614-0
Create hunting rule

Win.Trojan.Generic-6454615-0
Create hunting rule

Win.Trojan.B-468
Create hunting rule

Win.Trojan.Nanocore-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a window
Creating a file in the %temp% directory
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Launching a process
Searching for synchronization primitives
Enabling the 'hidden' option for recently created files
Creating a process with a hidden window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Launching the process to change the firewall settings
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm asyncrat cmd.exe fingerprint greyware greyware hacktool nanocore njrat obfuscated packed rat shell32.dll stealer
Link:
https://www.filescan.io/uploads/63275e19ba7b8113dd76b4ed/reports/222fdeca-7ef0-4555-a0eb-0c35af3240fd/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b9d23f99-9203-4510-8849-8cb13a420d0f
Result
Threat name:
Nanocore, njRat, AsyncRAT, Azorult, DCRa
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1072524
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Detected Nanocore Rat
Detected njRat
Detected unpacking (changes PE section rights)
Disables UAC (registry)
Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Yara detected AsyncRAT
Yara detected Azorult
Yara detected Azorult Info Stealer
Yara detected DCRat
Yara detected Generic Downloader
Yara detected Nanocore RAT
Yara detected Njrat
Yara detected Oski Stealer
Yara detected Pony
Yara detected Raccoon Stealer
Yara detected RedLine Stealer
Yara detected Vidar stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 705066 Sample: WSAGkMD40E.exe Startdate: 18/09/2022 Architecture: WINDOWS Score: 100 99 yabynennet.xyz 2->99 101 kazya1.hopto.org 2->101 103 gfhhjgh.duckdns.org 2->103 121 Multi AV Scanner detection for domain / URL 2->121 123 Malicious sample detected (through community Yara rule) 2->123 125 Antivirus detection for URL or domain 2->125 127 33 other signatures 2->127 10 WSAGkMD40E.exe 11 2->10         started        13 Opus.exe 2->13         started        15 dhcpmon.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 file5 87 C:\Users\user\AppData\Roaming\test.exe, PE32 10->87 dropped 89 C:\Users\user\AppData\Roaming\gay.exe, PE32 10->89 dropped 91 C:\Users\user\AppData\Roaming\aaa.exe, PE32 10->91 dropped 93 5 other malicious files 10->93 dropped 19 8f1c8b40c7be588389a8d382040b23bb.exe 16 10->19         started        23 gay.exe 1 5 10->23         started        25 aaa.exe 3 10->25         started        27 4 other processes 10->27 process6 dnsIp7 69 C:\Users\user\AppData\...\FFDvbcrdfqs.exe, PE32 19->69 dropped 71 C:\Users\user\AppData\Local\...\Dcvxaamev.exe, PE32 19->71 dropped 129 Antivirus detection for dropped file 19->129 131 Multi AV Scanner detection for dropped file 19->131 133 Machine Learning detection for dropped file 19->133 135 Maps a DLL or memory area into another process 19->135 30 Dcvxaamev.exe 19->30         started        33 FFDvbcrdfqs.exe 19->33         started        35 8f1c8b40c7be588389a8d382040b23bb.exe 19->35         started        73 C:\Users\user\AppData\Roaming\mediaget.exe, PE32 23->73 dropped 38 mediaget.exe 23->38         started        137 Drops / launches Pony Loader self-deletion script - malware possibly based on Pony Loader leaked source code 25->137 139 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->139 141 Injects a PE file into a foreign processes 25->141 41 aaa.exe 25->41         started        113 172.98.92.42, 49715, 49716, 49717 TOTAL-SERVER-SOLUTIONSUS United States 27->113 115 127.0.0.1 unknown unknown 27->115 117 gfhhjgh.duckdns.org 179.13.1.253, 8050 ColombiaMovilCO Colombia 27->117 75 C:\Users\user\AppData\Roaming\3.exe, PE32 27->75 dropped 77 C:\Program Files (x86)\...\dhcpmon.exe, PE32 27->77 dropped 79 C:\Users\user\AppData\Roaming\...\run.dat, data 27->79 dropped 81 C:\Users\user\AppData\Local\...\tmp147C.tmp, XML 27->81 dropped 143 Detected unpacking (changes PE section rights) 27->143 145 Query firmware table information (likely to detect VMs) 27->145 147 Uses schtasks.exe or at.exe to add and modify task schedules 27->147 149 2 other signatures 27->149 43 3.exe 27->43         started        45 schtasks.exe 1 27->45         started        47 schtasks.exe 1 27->47         started        file8 signatures9 process10 dnsIp11 151 Machine Learning detection for dropped file 30->151 153 Maps a DLL or memory area into another process 30->153 49 Dcvxaamev.exe 30->49         started        53 FFDvbcrdfqs.exe 33->53         started        105 91.219.236.148, 49738, 80 SERVERASTRA-ASHU Hungary 35->105 107 91.219.236.18, 80 SERVERASTRA-ASHU Hungary 35->107 111 3 other IPs or domains 35->111 109 kazya1.hopto.org 38->109 83 C:\...\a797c6ca3f5e7aff8fa1149c47fe9466.exe, PE32 38->83 dropped 155 Antivirus detection for dropped file 38->155 157 Multi AV Scanner detection for dropped file 38->157 159 Protects its processes via BreakOnTermination flag 38->159 169 4 other signatures 38->169 55 netsh.exe 38->55         started        161 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 41->161 163 Tries to harvest and steal ftp login credentials 41->163 165 Tries to harvest and steal browser information (history, passwords, etc) 41->165 57 cmd.exe 41->57         started        85 C:\MSOCache\All Users\yyPdbNJHvUFy.exe, PE32 43->85 dropped 167 Disables UAC (registry) 43->167 59 conhost.exe 45->59         started        61 conhost.exe 47->61         started        file12 signatures13 process14 dnsIp15 95 prepepe.ac.ug 49->95 119 Tries to harvest and steal browser information (history, passwords, etc) 49->119 63 WerFault.exe 49->63         started        97 pretorian.ac.ug 53->97 65 conhost.exe 55->65         started        67 conhost.exe 57->67         started        signatures16 process17
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f/
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2021-12-12 05:30:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
25
AV detection:
38 of 45 (84.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wt4g75eml5vqdyfnivb7w6hainpid47mfkwkrgdgqyqvpqg2z5hq._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
nanocorerat
Create hunting rule
njrat
Create hunting rule
Similar samples:
00b5c410d204d6a92f6636e23998777d2716e8928f96b56826b093c9177afaae
njrat
09abe799d30cdceab1600a1421583b1d7a5d3a9b14fb89e7dfa8d4ca4e5c85ac
njrat
09b10c88bbc3847d274f7b734a701248833fa92efddc669a7a82e0d1401f7245
njrat
13713a7b6d609042754fb59c1c9f3049c27c5ac8b052fd2e71f4025b8bc8e8ad
njrat
474a473bf46fdbfb5a9344937674c1455d764e74c2cd8892da7d59f68ffadd5c
njrat
6208bcf39112f17ddce04ccc8eafa989009cf857f9adac40345dadd8863a0850
njrat
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
njrat
8ec0380da8c47a1087d0dbc916ae648f1d5d6fcc5f08be4d9091b316780b76b1
njrat
+ 15'709 additional samples on MalwareBazaar
Result
Malware family:
redline
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:azorult family:dcrat family:nanocore family:njrat family:oski family:pony family:raccoon family:redline botnet:5781468cedb3a203003fdf1f12e72fe98d6f1c0f botnet:@zhilsholi botnet:default botnet:mediaget collection discovery evasion infostealer keylogger persistence rat spyware stealer trojan upx
Link:
https://tria.ge/reports/220918-wnkttsfean/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
outlook_win_path
Enumerates physical storage devices
Program crash
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Windows Firewall
UPX packed file
Async RAT payload
DCRat payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
AsyncRat
Azorult
DcRat
NanoCore
Oski
Pony,Fareit
Process spawned unexpected child process
Raccoon
RedLine
RedLine payload
UAC bypass
njRAT/Bladabindi
Malware Config
C2 Extraction:
gfhhjgh.duckdns.org:8050
kazya1.hopto.org:1470
172.98.92.42:58491
127.0.0.1:58491
yabynennet.xyz:81
prepepe.ac.ug
http://195.245.112.115/index.php
http://londonpaerl.co.uk/yesup/gate.php
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8d1b60ea-dbf7-4128-bb47-56e51b3a2303
Unpacked files
SH256 hash:
b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f
MD5 hash:
6fb798f1090448ce26299c2b35acf876
SHA1 hash:
451423d5690cffa02741d5da6e7c45bc08aefb55
Detections:
AsyncRAT
Create hunting rule
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
win_nanocore_w0
Create hunting rule
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/ded83cb3-41e0-4ae7-8c68-d68c1d4dfdc0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4f86ff48c5f6b01e0ad4543fb78e0435e81f3ec2aaca89866862157c0dacf4f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_NanoCore
Create hunting rule
Author:abuse.ch
Rule name:AsyncRat
Create hunting rule
Author:kevoreilly, JPCERT/CC Incident Response Group
Description:AsyncRat Payload
Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:INDICATOR_EXE_DotNET_Encrypted
Create hunting rule
Author:ditekSHen
Description:Detects encrypted or obfuscated .NET executables
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:malware_asyncrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:malware_Nanocore_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Nanocore in memory
Reference:internal research
Rule name:MALWARE_Win_NanoCore
Create hunting rule
Author:ditekSHen
Description:Detects NanoCore
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:MALWARE_Win_Raccoon
Create hunting rule
Author:ditekSHen
Description:Raccoon stealer payload
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:MALWARE_Win_Vidar
Create hunting rule
Author:ditekSHen
Description:Detects Vidar / ArkeiStealer
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:nanocore_rat
Create hunting rule
Author:jeFF0Falltrades
Rule name:Nanocore_RAT_Gen_2
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:Nanocore_RAT_Gen_2_RID2D96
Create hunting rule
Author:Florian Roth
Description:Detetcs the Nanocore RAT
Reference:https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest3
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest4
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest5
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Record_Breaker_Similarities
Create hunting rule
Author:DigitalPanda
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Vidar
Create hunting rule
Author:kevoreilly
Description:Vidar Payload
Rule name:win_asyncrat_j1
Create hunting rule
Author:Johannes Bader @viql
Description:detects AsyncRAT
Rule name:win_asyncrat_w0
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect AsyncRat in memory
Reference:internal research
Rule name:win_nanocore_w0
Create hunting rule
Author:Kevin Breen <kevin@techanarchy.net>
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:Identify njRat
Rule name:win_oski_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.oski.
Rule name:win_raccoon_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.raccoon.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/311115/

Comments