MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b71723aa5fc1153d43c609e12a68182f8d5216b9bfde70a3342562ffe59867a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs 2 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b71723aa5fc1153d43c609e12a68182f8d5216b9bfde70a3342562ffe59867a3
SHA3-384 hash: 073c0709826a46a23e9538f0e2fc8268e1c8a2a2afbf6bb36a5ed2f0b2a52ef32a896d4a352ad9bfd78feec548cc0271
SHA1 hash: ce19494b18ab28b6c8e50e9323a55a1f9e2eb5a8
MD5 hash: a669ca52229633af0ae7b5a3fb203e68
humanhash: november-blue-seven-double
File name:a669ca52229633af0ae7b5a3fb203e68.exe
Download: download sample
Signature njrat
Create hunting rule
File size:44'032 bytes
First seen:2021-05-18 21:10:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 384:uZy3QNU1SoycwJGdRbWhYY06o2ErvhY8Gzz0Iij+ZsNO3PlpJKkkjh/TzF7pWnUV:UTqglcwJstXpZYHuXQ/oB/+L
Threatray 77 similar samples on MalwareBazaar
TLSH 4013E88CB794E174D5FF8BF1B492B2890B71A01BA902930F99F154D94B73EC09611EE7
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.131.147.49:19882

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.131.147.49:19882 https://threatfox.abuse.ch/ioc/48082/
3.133.207.110:19882 https://threatfox.abuse.ch/ioc/48083/

Intelligence

File Origin
# of uploads :
1
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a669ca52229633af0ae7b5a3fb203e68.exe
Verdict:
Malicious activity
Analysis date:
2021-05-18 21:12:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b0f0ad2e-2b5f-4e36-a76e-02aef39cd16f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/158193/
Detection(s):
Win.Trojan.Generic-6417450-0
Create hunting rule

Win.Packed.Krypt-6888233-0
Create hunting rule

Win.Packed.Generic-7672855-0
Create hunting rule

Win.Packed.njRAT-7672853-1
Create hunting rule

Win.Packed.Msilperseus-9220094-0
Create hunting rule

Win.Packed.Generic-9795615-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/deec2a6a-2c89-442d-9900-463afed6e118
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/784372
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected njRat
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 416768 Sample: H4Q0I1RIuW.exe Startdate: 18/05/2021 Architecture: WINDOWS Score: 100 43 4.tcp.ngrok.io 2->43 51 Multi AV Scanner detection for domain / URL 2->51 53 Found malware configuration 2->53 55 Malicious sample detected (through community Yara rule) 2->55 57 11 other signatures 2->57 9 H4Q0I1RIuW.exe 1 3 2->9         started        13 Server.exe 1 2->13         started        15 svchost.exe 2->15         started        17 11 other processes 2->17 signatures3 process4 dnsIp5 37 C:\Users\user\AppData\Roaming\svchost.exe, PE32 9->37 dropped 39 C:\Users\user\AppData\...\H4Q0I1RIuW.exe.log, ASCII 9->39 dropped 67 Drops PE files with benign system names 9->67 20 svchost.exe 3 4 9->20         started        69 Antivirus detection for dropped file 13->69 71 Multi AV Scanner detection for dropped file 13->71 73 Machine Learning detection for dropped file 13->73 75 Changes security center settings (notifications, updates, antivirus, firewall) 15->75 25 MpCmdRun.exe 15->25         started        41 127.0.0.1 unknown unknown 17->41 file6 signatures7 process8 dnsIp9 45 4.tcp.ngrok.io 3.129.187.220, 19882, 49721, 49722 AMAZON-02US United States 20->45 47 3.136.65.236, 19882, 49723, 49729 AMAZON-02US United States 20->47 49 3.22.15.135, 19882, 49741, 49742 AMAZON-02US United States 20->49 33 C:\Users\user\AppData\...\Java update.exe, PE32 20->33 dropped 35 C:\Users\user\AppData\Local\Temp\Server.exe, PE32 20->35 dropped 59 Antivirus detection for dropped file 20->59 61 System process connects to network (likely due to code injection or exploit) 20->61 63 Multi AV Scanner detection for dropped file 20->63 65 4 other signatures 20->65 27 schtasks.exe 1 20->27         started        29 conhost.exe 25->29         started        file10 signatures11 process12 process13 31 conhost.exe 27->31         started       
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-05-18 02:57:40 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=w4lshks7yekt2q6gbhqsu2ayf6gvefvzx7phbizuevrp7zmym6rq._file
Verdict:
unknown
Similar samples:
05ceabfcdfd5657ab74ef80a752f47b6c9e30231fd8f923b6ff536d046d36400
njrat
06aba312b446bf01180d633c94686c5ab2d102d40156b5cd9a9255cc6fd5b69c
njrat
10af2cacc6d5057ff24acfd6811ba45568d6542de1fcfb526f7b9029661f4df9
njrat
84b6b4da902eec98b042c06c69527db1319a37d4d1e12e1fea314d514392fda4
njrat
9765d205b8b16a05e807f239217a734f37a1d7b263a116ee336d39688bb2ce58
njrat
aad1019189d0f856e1a35c778a446a3aea6b0e704d175d677f523da6c0242b40
njrat
be3acd23cffe0baa73da9501728b70240077320fe57f729e46111e06ef67f2ef
njrat
bffa8c77d1dac6b0b0af3c5653a5190ea5d0bc0c0b22f44237bfd66bf351a0d6
njrat
dc8ddcd4db035fa647001a01cab6a2866d092fcaad18279835751ee0396da041
njrat
f47e5170400f759777d84d93b114348b904aed870ee7d39a697f8b1f884d77ae
njrat
+ 67 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210518-6ek5y9rccx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Skystars_LightDefender_Njrat_Rule
Create hunting rule
Author:Skystars LightDefender
Description:Detects Njrat
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/158193/

Comments