MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc311f3c19e407e05cc082c71c5b5691a3eeb553338906b6d2dce9dc5b8f4be7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc311f3c19e407e05cc082c71c5b5691a3eeb553338906b6d2dce9dc5b8f4be7
SHA3-384 hash: 8c6d9e80961d522b925ef6c097feabe3795f23a5cfecdc7b888f151f054ada7cfaa005e9a56dc9c6e30100506490ffaa
SHA1 hash: d798cbb3084ac826c36f59e928309e71a7f2729d
MD5 hash: 80e466fb2d90c34306fa44f7e927d7ed
humanhash: purple-happy-october-fifteen
File name:Itinerary.pdf.exe
Download: download sample
Signature njrat
Create hunting rule
File size:440'832 bytes
First seen:2021-01-06 06:31:39 UTC
Last seen:2021-01-06 08:34:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 12288:1CkvGVjbaqUmT12MIWdrrgru1V8GN9CTmo/+lRwCh1YUWtsW87:1ql1vIbu1bNITmo/+lRlh1YUWtsD
Threatray 6 similar samples on MalwareBazaar
TLSH FE94F63C6AB04970C1B488718E9F472053D26E066F7AFDC039568B59291CB6FCEDE68D
Reporter abuse_ch
Tags:exe NjRAT nVpn RAT


Avatar
abuse_ch
NjRAT C2:
zolanet.ddns.net:5355 (79.134.225.30)

Pointing to nVpn:

% Information related to '79.134.225.0 - 79.134.225.127'

% Abuse contact for '79.134.225.0 - 79.134.225.127' is 'abuse@privacyfirst.sh'

inetnum: 79.134.225.0 - 79.134.225.127
netname: PRIVACYFIRST-EU
country: EU
remarks: This prefix is assigned to The PRIVACYFIRST Project, which
remarks: operates infrastructure jointly used by various VPN service
remarks: providers. We have a very strong focus on privacy and freedom.
remarks: In case of abuse, we encourage all international law enforcement
remarks: agencies to get in touch with our abuse contact. Due to the fact
remarks: that we keep no logs of user activities and only share data when
remarks: it is legally required under our jurisdiction, it is very unlikely
remarks: for a demand of user information to be successful. Still, that
remarks: should not deter you from reaching out.
admin-c: TPP15-RIPE
tech-c: TPP15-RIPE
status: ASSIGNED PA
mnt-by: AF15-MNT
org: ORG-TPP6-RIPE
created: 2020-07-14T15:26:02Z
last-modified: 2020-07-14T15:31:06Z
source: RIPE

Intelligence

File Origin
# of uploads :
2
# of downloads :
265
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Itinerary.pdf.exe
Verdict:
No threats detected
Analysis date:
2021-01-06 06:33:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c259fe8b-b01d-4464-8564-2dd4472c0682

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110648/
Detection(s):
SecuriteInfo.com.Backdoor.Win32.Bladabindiml.10139.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Neshta Quasar
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574788
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Hides that the sample has been downloaded from the Internet (zone.identifier)
Infects executable files (exe, dll, sys, html)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Yara detected Neshta
Yara detected Quasar RAT
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 336452 Sample: Itinerary.pdf.exe Startdate: 06/01/2021 Architecture: WINDOWS Score: 100 90 zolanet.ddns.net 2->90 92 tools.keycdn.com 2->92 94 prda.aadg.msidentity.com 2->94 100 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->100 102 Malicious sample detected (through community Yara rule) 2->102 104 Antivirus detection for dropped file 2->104 106 16 other signatures 2->106 11 Windows Update notification.exe 5 2->11         started        15 Itinerary.pdf.exe 1 6 2->15         started        signatures3 process4 file5 78 C:\Windows\svchost.com, PE32 11->78 dropped 80 C:\Users\user\AppData\Roaming\...behaviorgraph.exe, PE32 11->80 dropped 82 C:\Users\...\Windows Update notification.exe, PE32 11->82 dropped 86 100 other malicious files 11->86 dropped 120 Creates an undocumented autostart registry key 11->120 122 Drops executable to a common third party application directory 11->122 124 Infects executable files (exe, dll, sys, html) 11->124 17 Windows Update notification.exe 11->17         started        84 C:\Users\user\...\Itinerary.pdf.exe.log, ASCII 15->84 dropped 126 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->126 128 Drops PE files to the startup folder 15->128 20 Itinerary.pdf.exe 4 5 15->20         started        signatures6 process7 dnsIp8 98 Hides that the sample has been downloaded from the Internet (zone.identifier) 17->98 24 Windows Update notification.exe 17->24         started        96 zolanet.ddns.net 79.134.225.30, 1900, 49745, 49758 FINK-TELECOM-SERVICESCH Switzerland 20->96 76 C:\Users\...\Windows Update notification.exe, PE32 20->76 dropped 26 svchost.com 20->26         started        29 svchost.com 20->29         started        31 svchost.com 20->31         started        33 3 other processes 20->33 file9 signatures10 process11 signatures12 116 Sample is not signed and drops a device driver 26->116 35 Windows Update notification.exe 26->35         started        39 Windows Update notification.exe 29->39         started        41 Windows Update notification.exe 31->41         started        118 Tries to harvest and steal browser information (history, passwords, etc) 33->118 43 Windows Update notification.exe 33->43         started        45 Windows Update notification.exe 33->45         started        process13 file14 68 C:\Users\user\AppData\Local\Temp\SQL.exe, PE32 35->68 dropped 70 C:\Users\user\AppData\Local\...\setup.exe, PE32 35->70 dropped 72 C:\ProgramData\...\vcredist_x86.exe, PE32 35->72 dropped 74 6 other malicious files 35->74 dropped 108 Drops executable to a common third party application directory 35->108 110 Infects executable files (exe, dll, sys, html) 35->110 47 svchost.com 35->47         started        112 Drops executables to the windows directory (C:\Windows) and starts them 39->112 49 svchost.com 39->49         started        52 svchost.com 41->52         started        54 svchost.com 43->54         started        signatures15 process16 file17 56 Windows Update notification.exe 47->56         started        66 C:\Windows\directx.sys, ASCII 49->66 dropped 59 Windows Update notification.exe 49->59         started        61 Windows Update notification.exe 52->61         started        64 Windows Update notification.exe 54->64         started        process18 file19 88 C:\Users\...\Windows Update notification.exe, PE32 61->88 dropped 114 Hides that the sample has been downloaded from the Internet (zone.identifier) 61->114 signatures20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc311f3c19e407e05cc082c71c5b5691a3eeb553338906b6d2dce9dc5b8f4be7/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xqyr6paz4qd6axgaqldryw2wsgr65nktgoeqnnws3tu5yw4pjptq._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
5e511e5ef8d11046dae403ecb2299c18320d9ccc1ede9fdaff63ef5d42672753
njrat
7c911b4d457b1b6124a1211cd4737c056e9a12dc930a05edfe7289cbed11e86c
njrat
a4bd1ce6832e9cfa0078b39e7dc035047ff593ff4f875fd19ed7ab54508fa7e4
njrat
e38724644ed4643ebcdea6b0ae8345bf094d9f6e6d81b0acb244f96a3129077e
njrat
f5773e4517ef94e87022bae134a0298f6f9e688561c41e0ef5d4dd75d8defd51
njrat
f9a4ca25bc03af4718bd0304a26b877569839e4d328b4355f26f1537bfcca6fe
njrat
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210106-wnvz1adkxe/
Behaviour
Suspicious use of AdjustPrivilegeToken
Unpacked files
SH256 hash:
bc311f3c19e407e05cc082c71c5b5691a3eeb553338906b6d2dce9dc5b8f4be7
MD5 hash:
80e466fb2d90c34306fa44f7e927d7ed
SHA1 hash:
d798cbb3084ac826c36f59e928309e71a7f2729d
Link:
https://www.unpac.me/results/423e179c-54de-48a5-a5ae-3bdd809b1246/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bc311f3c19e407e05cc082c71c5b5691a3eeb553338906b6d2dce9dc5b8f4be7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

Executable exe bc311f3c19e407e05cc082c71c5b5691a3eeb553338906b6d2dce9dc5b8f4be7

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/110648/

Comments