MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcdd81a6d0deebe09f613e09664008c1b16785091595590ad803d8822f5207f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcdd81a6d0deebe09f613e09664008c1b16785091595590ad803d8822f5207f2
SHA3-384 hash: 9d52fe3993501ab6480f6e9533d2f2e30926f2b4cce73c62377512ee13a5a446907a32db7a41eaab6d5c4f571b0f55b3
SHA1 hash: ff8234ebd77d0f46ac1d6b5da3d714dc6fa04557
MD5 hash: 80c3f2fc2aa66d8160bb3910e74a435a
humanhash: fifteen-chicken-michigan-arkansas
File name:80c3f2fc2aa66d8160bb3910e74a435a.exe
Download: download sample
Signature njrat
Create hunting rule
File size:21'672 bytes
First seen:2021-06-22 14:41:53 UTC
Last seen:2021-06-22 16:01:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 384:2PfYBETKgRmaUlC8TL9ewkTRZzZQPGF6fqQ9Rd0hhL:2PQXKUsiNgR1ZQPGIqQ8hL
Threatray 899 similar samples on MalwareBazaar
TLSH 27A28E05F7CC4AA2F8F6667430F12A1247B396C2AB86D21A3F4EC5D29D03287569C35E
Reporter abuse_ch
Tags:exe NjRAT RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
274
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
80c3f2fc2aa66d8160bb3910e74a435a.exe
Verdict:
Malicious activity
Analysis date:
2021-06-22 15:14:29 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/f5ec8b5e-1812-44ee-8e70-20529c32d646

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/167623/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.1306.16955.19340.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/aa7f1a7f-85ee-4a0d-8542-da09a8ecd998
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/806073
Signature
Adds a directory exclusion to Windows Defender
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates an autostart registry key pointing to binary in C:\Windows
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Powershell adding suspicious path to exclusion list
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses dynamic DNS services
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 438483 Sample: ZLT4uMbNxX.exe Startdate: 22/06/2021 Architecture: WINDOWS Score: 100 66 dontreachme.duckdns.org 2->66 78 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->78 80 Multi AV Scanner detection for domain / URL 2->80 82 Malicious sample detected (through community Yara rule) 2->82 84 9 other signatures 2->84 8 ZLT4uMbNxX.exe 24 18 2->8         started        13 svchost.exe 2->13         started        15 svchost.exe 2->15         started        17 6 other processes 2->17 signatures3 process4 dnsIp5 68 apdocroto.gq 172.67.158.27, 49732, 49749, 49752 CLOUDFLARENETUS United States 8->68 56 C:\Windows\Resources\Themes\...\svchost.exe, PE32 8->56 dropped 58 C:\Users\user\AppData\...\f4zfdG31784Gd5.exe, PE32 8->58 dropped 60 C:\Users\user\AppData\...\sw2y515f.newcfg, XML 8->60 dropped 62 2 other files (1 malicious) 8->62 dropped 90 Drops PE files to the startup folder 8->90 92 Creates an autostart registry key pointing to binary in C:\Windows 8->92 94 Adds a directory exclusion to Windows Defender 8->94 98 3 other signatures 8->98 19 ZLT4uMbNxX.exe 8->19         started        22 powershell.exe 8->22         started        25 powershell.exe 8->25         started        29 10 other processes 8->29 96 Multi AV Scanner detection for dropped file 13->96 27 WerFault.exe 15->27         started        file6 signatures7 process8 dnsIp9 48 C:\ProgramData\svchost.exe, PE32 19->48 dropped 50 C:\Users\user\AppData\...\ZLT4uMbNxX.exe.log, ASCII 19->50 dropped 52 C:\ProgramData\svchost.exe:Zone.Identifier, ASCII 19->52 dropped 32 svchost.exe 19->32         started        86 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 22->86 36 conhost.exe 22->36         started        38 conhost.exe 25->38         started        88 Tries to evade analysis by execution special instruction which cause usermode exception 27->88 70 apdocroto.gq 29->70 72 192.168.2.1 unknown unknown 29->72 54 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 29->54 dropped 40 AdvancedRun.exe 29->40         started        42 conhost.exe 29->42         started        44 conhost.exe 29->44         started        46 6 other processes 29->46 file10 signatures11 process12 dnsIp13 64 apdocroto.gq 32->64 74 System process connects to network (likely due to code injection or exploit) 32->74 76 Multi AV Scanner detection for dropped file 32->76 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcdd81a6d0deebe09f613e09664008c1b16785091595590ad803d8822f5207f2/
Threat name:
ByteCode-MSIL.Trojan.Tnega
Create hunting rule
Status:
Malicious
First seen:
2021-06-22 14:42:14 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtoydjwq33v6bh3bhyewmqaiygywpbijcwkvscwyapmiel2sa7za._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
02df79a95ca91898b809871d3e9efa617146cadd6fb57a97056fb9b6622f62f4
njrat
6427f0361a3101a575c54575674ca52a241b8b295954609ce2dd5d5200c0b3a8
njrat
918f9caeebb7bb5faea1014a288eb2010e07100dd5303aae002368c50dac370f
njrat
954988371d8cebea1a69f2c1a47d50b13b9eb82630e5fbc5069105bd12b7b541
njrat
9fc7649eec8fc91ad58d27badae903fce1dff83804a830b3606db194c232d653
njrat
a42ec09d5fcab03929ce3d0240cbc14f104c357c930fb2843521071df4827366
njrat
ac937327e25a96c0b3c79dfe0e8467444c87691910e0d90d89c81c9f830b0b02
njrat
b748c37f14082e151acc4c6677f19cdcd2cd26b6a8c7d6e768a090e8aecbb698
njrat
dbfb2fb740f0e4b05acc6074c798e65a6aa5ff8c9a8b7bed8f640aa1cd4153c7
njrat
dca1d9c848c823c2a06e7e4108c0b89c91b4f08a0909c91e537a060eba25b788
njrat
+ 889 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/210622-sbs3nhwf3x/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Modifies Windows Firewall
Nirsoft
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
bcdd81a6d0deebe09f613e09664008c1b16785091595590ad803d8822f5207f2
MD5 hash:
80c3f2fc2aa66d8160bb3910e74a435a
SHA1 hash:
ff8234ebd77d0f46ac1d6b5da3d714dc6fa04557
Link:
https://www.unpac.me/results/2e354fe5-ed4d-4d99-ab9d-881db77a5e26/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bcdd81a6d0deebe09f613e09664008c1b16785091595590ad803d8822f5207f2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe bcdd81a6d0deebe09f613e09664008c1b16785091595590ad803d8822f5207f2

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1380445/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/167623/

Comments