MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcc2ea60410ac0611ddb3b6fe3be3006ef39793d1f4b084ef582082da8c26531. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs 4 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcc2ea60410ac0611ddb3b6fe3be3006ef39793d1f4b084ef582082da8c26531
SHA3-384 hash: 5706f9a233afd3c9e3bd118d94dd16096b4466e39663b9f790e8500107adbfc3793d258b4ebdd2eb438a3d489a0d4b9f
SHA1 hash: b8e0943130d2189c09f105d48051ee7bc29afdb4
MD5 hash: bccb174e69ed40ef353a1a80b68ad7a0
humanhash: california-wolfram-magnesium-juliet
File name:BCCB174E69ED40EF353A1A80B68AD7A0.exe
Download: download sample
Signature njrat
Create hunting rule
File size:157'538 bytes
First seen:2021-04-07 11:25:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6bac3cfe8acb6c6c4a30aaa022de2388 (308 x AveMariaRAT, 7 x njrat, 7 x Skeeeyah)
ssdeep 3072:Rf/J2ULiTehI8FrkZqIueBacKMXBZP4kQYgTOr33ioSex8bGV8Q:r2UL2i9FGat4rQU33QhEt
Threatray 751 similar samples on MalwareBazaar
TLSH A0F3125BD3F800A5F132D17DBCB131D62285F43AD9D6C6AE4B5DB00B9EA84600B96B37
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.142.129.56:12656

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.142.129.56:12656 https://threatfox.abuse.ch/ioc/7144/
3.142.167.54:12656 https://threatfox.abuse.ch/ioc/7145/
3.19.130.43:12656 https://threatfox.abuse.ch/ioc/7146/
13.58.157.220:12656 https://threatfox.abuse.ch/ioc/7147/

Intelligence

File Origin
# of uploads :
1
# of downloads :
197
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
duc_test_connect_VB.vbs
Verdict:
Malicious activity
Analysis date:
2021-03-27 22:25:59 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/21dada15-c736-4c32-bae8-ab445ef9fbed

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132849/
Detection(s):
PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Win.Malware.Poison-6986144-0
Create hunting rule

Win.Malware.Razy-7056533-0
Create hunting rule

Win.Trojan.Ulise-9792178-0
Create hunting rule

Win.Trojan.Ulise-9792179-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Forced system process termination
Replacing executable files
Creating a file in the %AppData% subdirectories
Sending a UDP request
Creating a file in the %AppData% directory
Creating a process from a recently created file
Launching a process
Creating a file
Moving a file to the %AppData% directory
Replacing files
Creating a window
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a recently created process
Moving of the original file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ac8b6cbf-f5d1-4ebd-9ca9-2ec0a4e7bd1e
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668581
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Command shell drops VBS files
Contain functionality to detect virtual machines
Contains functionality to inject code into remote processes
Deletes itself after installation
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383220 Sample: U49nsX8zQr.exe Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 52 8.tcp.ngrok.io 2->52 60 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->60 62 Multi AV Scanner detection for domain / URL 2->62 64 Malicious sample detected (through community Yara rule) 2->64 66 6 other signatures 2->66 10 U49nsX8zQr.exe 1 2->10         started        14 DUIC_Connect.exe 1 2->14         started        signatures3 process4 file5 48 C:\Users\user\Desktop\U49nsX8zQr.exe, PE32 10->48 dropped 78 Tries to detect sandboxes / dynamic malware analysis system (file name check) 10->78 80 Contain functionality to detect virtual machines 10->80 82 Contains functionality to inject code into remote processes 10->82 84 Deletes itself after installation 10->84 16 U49nsX8zQr.exe 2 7 10->16         started        19 cmd.exe 2 10->19         started        50 C:\Users\user\AppData\...\DUIC_Connect.exe, PE32 14->50 dropped 86 Sample uses process hollowing technique 14->86 88 Injects a PE file into a foreign processes 14->88 22 cmd.exe 1 14->22         started        24 DUIC_Connect.exe 5 14->24         started        signatures6 process7 file8 44 C:\Users\user\AppData\...\U49nsX8zQr.exe.log, ASCII 16->44 dropped 26 DUIC_Connect.exe 1 16->26         started        29 attrib.exe 1 16->29         started        68 Command shell drops VBS files 19->68 70 Drops VBS files to the startup folder 19->70 31 conhost.exe 19->31         started        46 C:\Users\user\AppData\Roaming\...\x.vbs, ASCII 22->46 dropped 33 conhost.exe 22->33         started        signatures9 process10 signatures11 72 Tries to detect sandboxes / dynamic malware analysis system (file name check) 26->72 74 Contain functionality to detect virtual machines 26->74 76 Injects a PE file into a foreign processes 26->76 35 DUIC_Connect.exe 1 5 26->35         started        38 cmd.exe 1 26->38         started        40 conhost.exe 29->40         started        process12 dnsIp13 54 13.58.157.220, 12656, 49743, 49748 AMAZON-02US United States 35->54 56 8.tcp.ngrok.io 3.142.167.4, 12656, 49737, 49742 AMAZON-02US United States 35->56 58 3.142.167.54, 12656, 49761, 49768 AMAZON-02US United States 35->58 42 conhost.exe 38->42         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcc2ea60410ac0611ddb3b6fe3be3006ef39793d1f4b084ef582082da8c26531/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-03-29 15:07:00 UTC
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtbouycbblagcho3hnx6hprqa3xts6j5d5fqqtxvqiec3kgcmuyq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
0409769a5a6cdbb139bfcc900eb503ab0cc4250d7d90e9a6b7faca8ee828aee2
njrat
1ae8d7d60e8e1655ade9b9c5a3638b99c24c8fd393addec31845d42f13b035da
njrat
20fe42296f9029c30fca68a7ff0b2b81c8498c7df69c66f131232029c0277fb5
njrat
6ab925b9c76936556d7078116c24276531ecbfccf3a81d456173ad33d984c1c0
njrat
6abb519964bde0a1d422bd0430901c61e9b94c1d16f0364c4a8354547d9effb6
njrat
7b71b12d30d6ce6adb82e9f8c105c1f1cc36ed8744b0c21cfa8aa08d21119f08
njrat
8ceb5cc007f0a99fd5c92671f43184171e0fa11dda6479788ad53261a23b045d
njrat
9873f8a2a1cdb7c34dde321266bb205b614087d656a4193d519c55339e6eee6c
njrat
ae93db3af8d593b801a7f4fbb366d4f62cd66b355c3f4a048cad3ba79d390391
njrat
f72a3a205308a3446a78432854e1a3a022328ccb3bbb584f96bfafe4db12bf64
njrat
+ 741 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence upx
Link:
https://tria.ge/reports/210407-b69nl2tfta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
Unpacked files
SH256 hash:
df3d56ec16ab0aa62127b45667ed0c77f08c80a43fba0cdf0a43fa64faba44b5
MD5 hash:
52ffc95139b59b0f38e727373eacfa63
SHA1 hash:
e0ce5d70a4a21dc7ae435efb2656687143a9e8f3
Link:
https://www.unpac.me/results/d66bc6a5-ed29-4491-91a6-8f79751188c3/
Parent samples :
554f40d4d4e6d80d96c5fc1b41afb7268a0b09b375adc3bcb1e10b1ff2eed986
b8e35d21cd27c3f66b7e9dede80e2052299ffd45a7d160ac891277ff656dcb60
SH256 hash:
a17a204f51511144ca97d110dee827ff8fade1088983c30d0bc2fc5ddbe92e64
MD5 hash:
641ad4e559d3865a7db4f3bfdb368766
SHA1 hash:
8cdc17830d4d8462871c9fa30a05b1243b684aa9
Link:
https://www.unpac.me/results/d66bc6a5-ed29-4491-91a6-8f79751188c3/
SH256 hash:
02752952caf041d20eddc9f43529a3e7f692e2222a7e5f0705b8a198d2f3e5bb
MD5 hash:
94d07bee0e47dc5c9fd90041e91730f0
SHA1 hash:
33a8dcb49e634f59d3f7a7f176d9bbc8393a82a9
Link:
https://www.unpac.me/results/d66bc6a5-ed29-4491-91a6-8f79751188c3/
SH256 hash:
bcc2ea60410ac0611ddb3b6fe3be3006ef39793d1f4b084ef582082da8c26531
MD5 hash:
bccb174e69ed40ef353a1a80b68ad7a0
SHA1 hash:
b8e0943130d2189c09f105d48051ee7bc29afdb4
Link:
https://www.unpac.me/results/d66bc6a5-ed29-4491-91a6-8f79751188c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bcc2ea60410ac0611ddb3b6fe3be3006ef39793d1f4b084ef582082da8c26531

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/132849/

Comments