MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bedceb6fcbd83a80d95fb370f0655fc65ff2a476a97f48e8c646555e01505e78. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bedceb6fcbd83a80d95fb370f0655fc65ff2a476a97f48e8c646555e01505e78
SHA3-384 hash: c1d87e00c8df4d5c1de5ab30a06cb3a49b50095e5cd73e6f4dc2ed5ca56e3e93212d9eafde28335fe86fc20c48def86c
SHA1 hash: a5f23c4bc98e66d5256a961a1673f844bc7077c1
MD5 hash: 23d9044046f74cdad2d7a3e192fed7f6
humanhash: freddie-floor-arkansas-yankee
File name:536789.exe
Download: download sample
Signature njrat
Create hunting rule
File size:383'488 bytes
First seen:2021-08-17 16:51:08 UTC
Last seen:2021-08-17 20:45:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:hzQJjUdA5BgHu0A01eqKTdVqsedaMAHzutx9vJF7NPPrgEBsY6TbwKat:hI1gHF1efXq7daMAuvzZlsYOa
Threatray 87 similar samples on MalwareBazaar
TLSH T17B84383915F89727E17BD2748458030AE3F1ADD2FCC8D927F8D3648699726E2298472F
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
79.134.225.117:2227

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
79.134.225.117:2227 https://threatfox.abuse.ch/ioc/191600/

Intelligence

File Origin
# of uploads :
3
# of downloads :
235
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
536789.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 16:51:44 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/32791379-def6-44ee-96d4-89e939a10ae7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180133/
Detection(s):
SecuriteInfo.com.Variant.Bulz.612553.14738.16628.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a file in the Windows subdirectories
Deleting a recently created file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Connection attempt to an infection source
Sending a TCP request to an infection source
Enabling autorun by creating a file
Enabling a "Do not show hidden files" option
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/65f62c39-88a5-41f7-b732-743ceef46385
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834634
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Changes the view of files in windows explorer (hidden files and folders)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 467061 Sample: 536789.exe Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 44 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 8 other signatures 2->50 7 536789.exe 3 2->7         started        11 svchost.exe 2->11         started        13 svchost.exe 2->13         started        15 8 other processes 2->15 process3 dnsIp4 34 C:\Users\user\AppData\...\536789.exe.log, ASCII 7->34 dropped 52 Injects a PE file into a foreign processes 7->52 18 536789.exe 3 7->18         started        21 536789.exe 7->21         started        54 Antivirus detection for dropped file 11->54 56 System process connects to network (likely due to code injection or exploit) 11->56 58 Machine Learning detection for dropped file 11->58 60 Changes security center settings (notifications, updates, antivirus, firewall) 13->60 42 127.0.0.1 unknown unknown 15->42 file5 signatures6 process7 file8 30 C:\Users\user\Desktop\UCHXX.exe, PE32 18->30 dropped 32 C:\Users\user\Desktop\CZTEY.exe, PE32 18->32 dropped 23 CZTEY.exe 1 8 18->23         started        28 UCHXX.exe 2 5 18->28         started        process9 dnsIp10 40 79.134.225.117, 2178, 2227, 49706 FINK-TELECOM-SERVICESCH Switzerland 23->40 36 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 23->36 dropped 38 C:\Users\user\AppData\Local\...\svchost.exe, PE32 23->38 dropped 62 Antivirus detection for dropped file 23->62 64 Machine Learning detection for dropped file 23->64 66 Changes the view of files in windows explorer (hidden files and folders) 23->66 68 3 other signatures 23->68 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bedceb6fcbd83a80d95fb370f0655fc65ff2a476a97f48e8c646555e01505e78/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-17 16:52:06 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x3oow36l3a5ibwk7wnypazk7yzp7fjdwvf7ur2ggizkv4akqlz4a._file
Verdict:
suspicious
Similar samples:
296cb7c456c55688de080e9940722307f1ee92acbfec61696e21ec985794a3ff
njrat
375b7639c4540b562c82494ffefe34ed936a61178a172121e175f28e038cc43a
njrat
3d532943225b4d95f3e125112bb2e2cdee16d81de8f89f6cfc22b754c47a5a16
njrat
5dd84f1b06035d821efa70ac5fc4348df6c39b31e1557841fecadb478264bce5
njrat
762a75264264053e242f49a7f00cf8faf45c06cca8f8eb5284f38bb2151da3c8
njrat
767093d7e2d1a9257fd480fc0c44b3988b08ea07ac4a42eb26e1b9c80349ac8f
njrat
ce65e72af04a48622898819f6b4917d1de4eeef8cee4917d4354f1e80de5796f
njrat
d0c77742b157afdf17a6f216f672cac3c56c2c53220f6c3fef07fadf0da502a4
njrat
d9d27f03e2f8bc97451296da9a7ddeac39ede3240306fa198bf898434b58c53c
njrat
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
njrat
+ 77 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210817-62wdwazx12/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
d36a520a8ad6aef11a6c1d9a8e8a663ff3f62353e9432a4d5966d357561f5977
MD5 hash:
3ebc9544395a4f30d3f41afd221052ae
SHA1 hash:
a6ba03e48f10d3c624f10ade628e54861b69ca14
Link:
https://www.unpac.me/results/3b25015f-be6c-4493-8ea5-4d46880adf42/
SH256 hash:
e994fa31196d5bf091a0850c3eda89e1c261a07910975c4b673ab0dcbb375778
MD5 hash:
0bfb642858ef0e58c80dcebcc23cdd70
SHA1 hash:
6569714749b816502678886a2d55877dee9054be
Detections:
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/3b25015f-be6c-4493-8ea5-4d46880adf42/
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/3b25015f-be6c-4493-8ea5-4d46880adf42/
SH256 hash:
84916a41345989690532b4559ca8951bdcba9869d438943d2824e5c39031876e
MD5 hash:
bc39fa0a661be1ec41511f0f90e74800
SHA1 hash:
57e62e1f0d2eeaabe615d0bc3af60a3615ad11b0
Link:
https://www.unpac.me/results/3b25015f-be6c-4493-8ea5-4d46880adf42/
SH256 hash:
e5cd22dc1c34b40bdfc4de4deb211fcf52e3cd5fff24539d7cb849b4d178f14a
MD5 hash:
0837e183fb2a4fe633fac39670ab51ab
SHA1 hash:
3bd1201f607ae13a027b5d0f423419c174863aac
Link:
https://www.unpac.me/results/3b25015f-be6c-4493-8ea5-4d46880adf42/
SH256 hash:
bedceb6fcbd83a80d95fb370f0655fc65ff2a476a97f48e8c646555e01505e78
MD5 hash:
23d9044046f74cdad2d7a3e192fed7f6
SHA1 hash:
a5f23c4bc98e66d5256a961a1673f844bc7077c1
Link:
https://www.unpac.me/results/3b25015f-be6c-4493-8ea5-4d46880adf42/
Malware family:
Winnti Group
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bedceb6fcbd8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bedceb6fcbd83a80d95fb370f0655fc65ff2a476a97f48e8c646555e01505e78

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180133/

Comments