MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7539ee3de7912cb1f36da8154ac1afb3f08938de2ca58fc990260d064b811f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat
Vendor detections: 11



SHA256 hash: b7539ee3de7912cb1f36da8154ac1afb3f08938de2ca58fc990260d064b811f8
SHA3-384 hash: 00b2fd84a54101ad30dc52ad9f41b74573de6065b1f28c2c2d991f8903eeb270065cd344ab0005ab7b074f3004a59bd9
SHA1 hash: 92ba3c1de49d037b810664f09287125904f20630
MD5 hash: b5c41264328415aa2dd556bd096194d8
humanhash: uniform-johnny-orange-california
File name: Order10-2022.exe
Signature: njrat
File size: 677'376 bytes
First seen: 2022-10-17 10:55:37 UTC
Last seen: 2022-10-17 12:22:15 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 6144:NB4LKpgl0/YqyHQluN4UN+Yh1T2YX43undnvtNhs9UKv1fWxzsnuf1gKTNiWSe:Os/rluN4u1jI3udn1va1fgInIHJi4
Threatray: 1'826 similar samples on MalwareBazaar
TLSH: T1E3E428B611D65617E4257275C8C3D2F32AFBAE606061D1C39AD72F2FBC450BB921338A
TrID: 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter: abuse_ch
Tags: exe NjRAT RAT


abuse_ch
njrat C2:
185.216.71.242:8080

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 185.216.71.242:8080
ThreatFox reference: https://threatfox.abuse.ch/ioc/891561/

Intelligence


File Origin
# of uploads: 2
# of downloads: 280
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Sending a custom TCP request
Unauthorized injection to a recently created process
Launching a process
Creating a process with a hidden window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Drops PE files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Yara detected AntiVM3
Yara detected Njrat
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Behavior Graph ID: 724371
Sample: Order10-2022.exe
Startdate: 17/10/2022
Architecture: WINDOWS
Score: 100
Contacted host: money2022.ddns.net
Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; Yara detected AntiVM3; 9 other signatures
Process tree (child processes, dropped files and signatures per node):
- Order10-2022.exe
  - dropped: C:\Users\user\...\Order10-2022.exe.log (ASCII)
  - signature: Uses cmd line tools excessively to alter registry or file data
  - Order10-2022.exe
    - dropped: C:\Users\user\AppData\Roaming\update.exe (PE32)
    - signature: Uses cmd line tools excessively to alter registry or file data
    - update.exe
      - signatures: Machine Learning detection for dropped file; Uses cmd line tools excessively to alter registry or file data; Drops PE files to the startup folder
      - update.exe
        - network: money2022.ddns.net (185.216.71.242, ports 49702, 49703, 49704, CLOUDCOMPUTINGDE, Germany); 192.168.2.1 (unknown)
        - dropped: C:\Users\user\AppData\Roaming\...\Windows.exe (PE32); C:\Users\user\AppData\Local\Temp\SQL.exe (PE32)
        - signatures: Uses cmd line tools excessively to alter registry or file data; Creates multiple autostart registry keys
        - attrib.exe -> conhost.exe
        - attrib.exe -> conhost.exe
    - attrib.exe -> conhost.exe
- update.exe
  - update.exe
  - update.exe
- Windows.exe
  - Windows.exe
  - Windows.exe
- 3 other processes
  - update.exe
Threat name:
ByteCode-MSIL.Spyware.Noon
Status:
Malicious
First seen:
2022-10-17 10:56:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
19 of 26 (73.08%)
Threat level:
  2/5
Result
Malware family:
Score:
  10/10
Tags:
family:njrat botnet:update persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
njRAT/Bladabindi
Malware Config
C2 Extraction:
money2022.ddns.net:8080
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments