MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 baf26fd01ae7499dc6fce1917bd2f61375fe80a570b4f26447c862d088e03ebc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: baf26fd01ae7499dc6fce1917bd2f61375fe80a570b4f26447c862d088e03ebc
SHA3-384 hash: 4539396989dbe24119e637c0cb61d14d0e53c4bc8374e763119fa5b31cbd6df454f08fdf6075939c0d7ec340385113c0
SHA1 hash: 2bc6af59a6790ad806863240cf64569e02809cc3
MD5 hash: a72d3ef38b9b0d80d375ac97883f7470
humanhash: thirteen-apart-yankee-sweet
File name:baf26fd01ae7499dc6fce1917bd2f61375fe80a570b4f26447c862d088e03ebc
Download: download sample
Signature njrat
Create hunting rule
File size:3'465'801 bytes
First seen:2021-09-30 07:38:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ab6770b0a8635b9d92a5838920cfe770 (84 x Formbook, 30 x AgentTesla, 15 x Loki)
ssdeep 98304:nIUmUYbzF8vmqC5m8rU2g85SuFmrdLKz20lDebsXU:nK8PWm8g2IMmBeyQebsXU
Threatray 1'859 similar samples on MalwareBazaar
TLSH T1C6F523683BDADC5FC5521CB91DF1E628E1B5AD001D698203BB223F9F6F782D4AA443C5
File icon (PE):PE icon
dhash icon 96ccccf0f0703010 (1 x njrat)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/193376/
Detection(s):
PUA.Win.Packed.ConfuserEx-6391397-0
Create hunting rule

Win.Trojan.Generic-6417450-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% directory
Launching a process
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Creating a window
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c7297fda-af3f-4bc4-83f0-926956c1e839
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/861634
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Creates multiple autostart registry keys
Drops PE files to the startup folder
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 494068 Sample: KxBYEkbbyb Startdate: 30/09/2021 Architecture: WINDOWS Score: 100 52 conqhook.ddns.net 2->52 64 Malicious sample detected (through community Yara rule) 2->64 66 Antivirus detection for dropped file 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 5 other signatures 2->70 10 KxBYEkbbyb.exe 22 2->10         started        13 System.exe 3 2->13         started        15 System.exe 2->15         started        signatures3 process4 file5 44 C:\Users\user\AppData\Roaming\...\System.exe, PE32 10->44 dropped 46 C:\Users\user\AppData\...\ConqHook.GUI.exe, PE32 10->46 dropped 48 C:\Users\user\AppData\...asyLoad64.dll, PE32+ 10->48 dropped 50 9 other files (none is malicious) 10->50 dropped 17 System.exe 2 7 10->17         started        21 ConqHook.GUI.exe 2 10->21         started        process6 file7 40 C:\Users\user\AppData\Roaming\System.exe, PE32 17->40 dropped 56 Antivirus detection for dropped file 17->56 58 Machine Learning detection for dropped file 17->58 60 Uses cmd line tools excessively to alter registry or file data 17->60 23 System.exe 4 6 17->23         started        28 attrib.exe 1 17->28         started        62 Multi AV Scanner detection for dropped file 21->62 signatures8 process9 dnsIp10 54 conqhook.ddns.net 197.57.222.79, 49741, 49742, 49743 TE-ASTE-ASEG Egypt 23->54 42 C:\Users\user\AppData\Roaming\...\System.exe, PE32 23->42 dropped 72 Antivirus detection for dropped file 23->72 74 Protects its processes via BreakOnTermination flag 23->74 76 Machine Learning detection for dropped file 23->76 78 3 other signatures 23->78 30 attrib.exe 1 23->30         started        32 attrib.exe 1 23->32         started        34 conhost.exe 28->34         started        file11 signatures12 process13 process14 36 conhost.exe 30->36         started        38 conhost.exe 32->38         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/baf26fd01ae7499dc6fce1917bd2f61375fe80a570b4f26447c862d088e03ebc/
Threat name:
Win32.Backdoor.NjRAT
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 14:58:14 UTC
AV detection:
30 of 45 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xlzg7ua245ez3rx44gixxuxwcn275affoc2pezchzbrnbchah26a._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
18cd7de0cac9b4d2ef7e0078fff0f0263859799b0e5ed93a3bb1d50c2c324752
njrat
3441e66bd2febee7b35a6268f466b526628cdc2de0abab93b5cbf8a4c239d50a
njrat
410bfd3ac457f14f653b82ad2090dbdd24c5d689d4bb766f6c18e1c1ee8c171a
njrat
418b71760c6de41ed293744610e252c7474decd221371ffa449411dde751be46
njrat
5325cdea20361dac7b59b75dd03c25274ae0e40629155f1112ce71549bf0b3e8
njrat
61a8385def4eb1be1e85b3f1bdb3b98721af8f522c675c89f18a24707ad5905a
njrat
d60845023b6f4924993a60e60e1db49c5b6cc9ede4e09560d3542dd5f1bee603
njrat
e61195d0d4b897536f0cc090d36140099db443b5b913894d13cd76f7abee36b6
njrat
fe962c612248fb612bcca5eb506dd010e4799fc5f290aa00887644cd9154d05c
njrat
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
njrat
+ 1'849 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hook persistence trojan
Link:
https://tria.ge/reports/210930-jgem1shabn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
njRAT/Bladabindi
Malware Config
C2 Extraction:
conqhook.ddns.net:6522
Unpacked files
SH256 hash:
83e11501a042ac6f6b00155a39e138f51717759c9a29bfdd482f9b1fe8075b61
MD5 hash:
a89670f783f344004a3342f01770cc82
SHA1 hash:
5ad773f03aef3af1f8ceee2e9ab2ab37b86bae54
Link:
https://www.unpac.me/results/72d68bb0-dda4-4fcc-b677-3a7d6f01f04c/
SH256 hash:
baf26fd01ae7499dc6fce1917bd2f61375fe80a570b4f26447c862d088e03ebc
MD5 hash:
a72d3ef38b9b0d80d375ac97883f7470
SHA1 hash:
2bc6af59a6790ad806863240cf64569e02809cc3
Link:
https://www.unpac.me/results/72d68bb0-dda4-4fcc-b677-3a7d6f01f04c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/baf26fd01ae7499dc6fce1917bd2f61375fe80a570b4f26447c862d088e03ebc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/193376/

Comments