MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd5fa7ccde2dbc145685b36d66c3c6161e7e780308bd6ec29666139908e7db26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bd5fa7ccde2dbc145685b36d66c3c6161e7e780308bd6ec29666139908e7db26
SHA3-384 hash: f931a88a1eea0e26097141336578d14bf12456b6557022a77b23d974d96a6a5fd95ab35075291ada146dfb5bea0d56c3
SHA1 hash: 669cba3048a250fdb53c4a708ae7b92006072942
MD5 hash: 6a5f6fba52919a8f6f8e371284c3458b
humanhash: spring-leopard-alanine-item
File name:6a5f6fba52919a8f6f8e371284c3458b.exe
Download: download sample
Signature njrat
Create hunting rule
File size:107'008 bytes
First seen:2021-10-02 02:32:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:xXt0IG2xRTrkPYJ1h2OY4CoN8dyP1VaxUs:xd0IjTl3Y4h8dyP1VaxU
TLSH T1E3A3299C7660B2DFC86BC9B68EA52CB4E650747B830BC203A45315EE9D0D99BCF141F2
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
46.246.6.3:2054

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
46.246.6.3:2054 https://threatfox.abuse.ch/ioc/229647/

Intelligence

File Origin
# of uploads :
1
# of downloads :
277
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6a5f6fba52919a8f6f8e371284c3458b.exe
Verdict:
No threats detected
Analysis date:
2021-10-02 02:34:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/49e4b90f-8cde-4f9b-bffa-0bd4988b1df3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/194088/
Detection(s):
SecuriteInfo.com.Artemis6A5F6FBA5291.10277.5982.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Enabling the 'hidden' option for recently created files
Creating a window
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c73768fe-3f40-49e9-aa22-58fd0d9f4c14
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/862994
Signature
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found malware configuration
Multi AV Scanner detection for dropped file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 495419 Sample: OjlrZVMKDV.exe Startdate: 02/10/2021 Architecture: WINDOWS Score: 92 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Yara detected Njrat 2->50 52 4 other signatures 2->52 8 OjlrZVMKDV.exe 3 6 2->8         started        13 file.exe 2 2->13         started        15 file.exe 1 2->15         started        process3 dnsIp4 42 paomarca.duckdns.org 46.246.6.3, 2054, 49769 PORTLANEwwwportlanecomSE Sweden 8->42 38 C:\Users\user\AppData\Local\svchost.exe, PE32+ 8->38 dropped 40 C:\Users\user\AppData\Local\file.exe, PE32+ 8->40 dropped 54 Drops PE files with benign system names 8->54 56 Multi AV Scanner detection for dropped file 13->56 17 svchost.exe 3 13->17         started        20 svchost.exe 1 15->20         started        file5 signatures6 process7 signatures8 44 Multi AV Scanner detection for dropped file 17->44 22 file.exe 1 17->22         started        24 file.exe 17->24         started        26 file.exe 17->26         started        28 2 other processes 17->28 process9 process10 30 svchost.exe 22->30         started        32 svchost.exe 24->32         started        34 svchost.exe 26->34         started        36 svchost.exe 28->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bd5fa7ccde2dbc145685b36d66c3c6161e7e780308bd6ec29666139908e7db26/
Threat name:
ByteCode-MSIL.Trojan.Sabsik
Create hunting rule
Status:
Malicious
First seen:
2021-10-02 02:33:14 UTC
AV detection:
11 of 45 (24.44%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xvp2ptg6fw6bivufwnwwnq6gcyph46adbc6w5quwmyjzschh3mta._file
Verdict:
unknown
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat persistence trojan
Link:
https://tria.ge/reports/211002-c1w8vaddf7/
Behaviour
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Core1 .NET packer
njRAT/Bladabindi
Malware Config
C2 Extraction:
paomarca.duckdns.org:2054
Unpacked files
SH256 hash:
bd5fa7ccde2dbc145685b36d66c3c6161e7e780308bd6ec29666139908e7db26
MD5 hash:
6a5f6fba52919a8f6f8e371284c3458b
SHA1 hash:
669cba3048a250fdb53c4a708ae7b92006072942
Link:
https://www.unpac.me/results/89fc0433-d623-4056-963f-e3515c2148da/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bd5fa7ccde2dbc145685b36d66c3c6161e7e780308bd6ec29666139908e7db26

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe bd5fa7ccde2dbc145685b36d66c3c6161e7e780308bd6ec29666139908e7db26

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1470374/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/194088/

Comments