MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b
SHA3-384 hash: 89b6a62d910e21f28e06ae0e74a8ddfe9e3b40af136be5bc173f0706b124627c9804bf85ac48d900dc2b37d7611fafc6
SHA1 hash: 641d3456dc9d0d329a3b28fdc3ba6fb247d1f42d
MD5 hash: bb3d3b2bddc91a0e37fa0eb640e5bbec
humanhash: tango-carbon-robin-west
File name:b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b
Download: download sample
Signature njrat
Create hunting rule
File size:5'323'189 bytes
First seen:2021-02-28 07:13:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:+sFCbdQwrKm4gHuqO0xMHUwt4obAt30kodAfkKlt3/q5lw4Gz7UO:zc6KFOAxMHB4obEZMlKltvqyzwO
Threatray 13 similar samples on MalwareBazaar
TLSH 4236330366818473C51354785554BA62AEF9BD205FBB8ADFB3F8A42ECA752D018383F7
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
135
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b
Verdict:
Suspicious activity
Analysis date:
2021-02-28 09:11:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6923a78c-72a1-48b5-a6d5-5431e8dd2655

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119848/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621047
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Detected njRat
Detected VMProtect packer
Drops PE files to the startup folder
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect debuggers by setting the trap flag for special instructions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359516 Sample: A5AaUQJD6c Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for dropped file 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 8 other signatures 2->51 9 A5AaUQJD6c.exe 8 2->9         started        12 Java update.exe 3 2->12         started        process3 file4 37 C:\Users\user\AppData\...\joined.vmp.exe, PE32 9->37 dropped 14 joined.vmp.exe 3 10 9->14         started        process5 file6 41 C:\Users\user\AppData\...\Server.sfx.exe, PE32 14->41 dropped 71 Antivirus detection for dropped file 14->71 73 Multi AV Scanner detection for dropped file 14->73 75 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->75 77 4 other signatures 14->77 18 Server.sfx.exe 8 14->18         started        22 notepad.exe 14->22         started        signatures7 process8 file9 33 C:\Users\user\AppData\Local\Temp\Server.exe, PE32 18->33 dropped 53 Multi AV Scanner detection for dropped file 18->53 55 Machine Learning detection for dropped file 18->55 24 Server.exe 1 5 18->24         started        signatures10 process11 file12 35 C:\Users\user\AppData\Local\...\Inject32.exe, PE32 24->35 dropped 57 Antivirus detection for dropped file 24->57 59 Multi AV Scanner detection for dropped file 24->59 61 Machine Learning detection for dropped file 24->61 28 Inject32.exe 1 5 24->28         started        signatures13 process14 dnsIp15 43 127.0.0.1 unknown unknown 28->43 39 C:\Users\user\AppData\...\Java update.exe, PE32 28->39 dropped 63 Antivirus detection for dropped file 28->63 65 Multi AV Scanner detection for dropped file 28->65 67 Machine Learning detection for dropped file 28->67 69 Drops PE files to the startup folder 28->69 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b/
Threat name:
Win32.Downloader.Upatre
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 19:58:11 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wzk5hooebojqzbayxzbildptqrso2v2dkc666jg4thirlhtiryfq._file
Verdict:
suspicious
Similar samples:
1b189602123e4dba4522d442877fb0862a8fbbc4cc6d187954ba27039bea7d9c
njrat
22a49fd2468178e5b33cad08985adde50f0530a33260affc58bee6b2401005a9
njrat
2aaad8177d08507b09dc3d419b4d31f65db6fe6bc6314ffce650b9fc57f0817c
njrat
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
njrat
2c9e0f6e90b663293874332acd2cab44b8a28011337c99e828e86e3b9d1585c2
njrat
6ec3141a5eef6fc33126818ea4a1dec85358523854a5467543d87e029773d5f9
njrat
81d14d241a35f52dae782c57784168f5295776984eb55d9f88f9f0cf12e67f72
njrat
84783081ade87f5a4a1902a275eb66c7fe8ebef9e43cdd2d4527bdb1a5a51f04
njrat
a3c2207806f9be710f3a1d1cbf1149a708bb080946e2368c8e826f5cef2293e4
njrat
a482e9723d71b2d6c24b51d821ad28e70017c7f99d67173aafccce64a87f22b6
njrat
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
vmprotect
Link:
https://tria.ge/reports/210228-l4ydy5p6se/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops startup file
Loads dropped DLL
Executes dropped EXE
VMProtect packed file
Unpacked files
SH256 hash:
123e983ab053cb0df46eb0fc13a0e18b62788a0d7edbfbe71769f648d894c5d4
MD5 hash:
bae6764f29a5bea41e8bef6bb3bd920b
SHA1 hash:
0243eb6fc579f5da08f20ddf35577e39ca39bc7e
Link:
https://www.unpac.me/results/8126421a-b426-48a6-a042-c38433210524/
SH256 hash:
00b7bd94a27c55d38aea5c847c07600ad2b969f7ad96941179a2df2c98994909
MD5 hash:
8a48148f84a2f91a90e5de39f5dfbe3f
SHA1 hash:
c7f74ba92eae642fcef828142744d32fca8e8f01
Link:
https://www.unpac.me/results/8126421a-b426-48a6-a042-c38433210524/
SH256 hash:
b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b
MD5 hash:
bb3d3b2bddc91a0e37fa0eb640e5bbec
SHA1 hash:
641d3456dc9d0d329a3b28fdc3ba6fb247d1f42d
Link:
https://www.unpac.me/results/8126421a-b426-48a6-a042-c38433210524/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/b655d3b9c40b930c8418be42858df38464ed574350bdef24dc99d1159e688e0b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119848/

Comments