MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bff28338bbadacd9bd733c2d87b16357874b8e9ff7cccdca89a330193fabc9f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bff28338bbadacd9bd733c2d87b16357874b8e9ff7cccdca89a330193fabc9f5
SHA3-384 hash: 4fb8b01c766bed8ee5c09354f9d1addfc8d3e3170f4c91ec5b1d5c91f5d13003b2a53d95e301d67643ef1e8c2b39dc1f
SHA1 hash: 7062d79504f3f465017f96cb7b12a5d03a8d4627
MD5 hash: d613c29610a615da305dc498f166508a
humanhash: muppet-texas-triple-papa
File name:bff28338bbadacd9bd733c2d87b16357874b8e9ff7cccdca89a330193fabc9f5
Download: download sample
Signature njrat
Create hunting rule
File size:221'696 bytes
First seen:2020-11-10 11:28:26 UTC
Last seen:2024-07-24 21:05:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 720f62ecaae027b5c3ec6686644322e9 (12 x njrat, 8 x RevengeRAT, 4 x AgentTesla)
ssdeep 6144:piEj2B/PrtBMctTB9vj48ylt89HDU/TGbxVhw1cuN:pihBn5mYTrvj4/ltIHVu1BN
Threatray 56 similar samples on MalwareBazaar
TLSH 3624D01435C0C2B3C4BB113A48E5CB799A2174365BAEE5D3FB991FA66E113D097322CE
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a process with a hidden window
Creating a window
DNS request
Enabling the 'hidden' option for recently created files
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices by creating a special LNK file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/529286
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 313740 Sample: 0S6AZ6nuMu Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 48 ahmadx9.no-ip.biz 2->48 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for dropped file 2->54 56 Antivirus / Scanner detection for submitted sample 2->56 58 10 other signatures 2->58 9 0S6AZ6nuMu.exe 2 6 2->9         started        12 system.exe 3 2->12         started        14 system.exe 2 2->14         started        16 2 other processes 2->16 signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\system.exe, PE32 9->38 dropped 40 C:\Users\user\...\system.exe:Zone.Identifier, ASCII 9->40 dropped 42 C:\Users\user\AppData\...\0S6AZ6nuMu.exe.log, ASCII 9->42 dropped 18 system.exe 2 8 9->18         started        44 C:\...\dae31c02cb06222e776b9ccb9207edb1.exe, PE32 12->44 dropped 46 dae31c02cb06222e77...exe:Zone.Identifier, ASCII 12->46 dropped 22 netsh.exe 3 12->22         started        24 netsh.exe 14->24         started        26 netsh.exe 3 16->26         started        process6 dnsIp7 50 ahmadx9.no-ip.biz 18->50 60 Antivirus detection for dropped file 18->60 62 Multi AV Scanner detection for dropped file 18->62 64 Protects its processes via BreakOnTermination flag 18->64 66 3 other signatures 18->66 28 netsh.exe 1 3 18->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 26->34         started        signatures8 process9 process10 36 conhost.exe 28->36         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bff28338bbadacd9bd733c2d87b16357874b8e9ff7cccdca89a330193fabc9f5/
Threat name:
Win32.Backdoor.Zapchast
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 00:04:10 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7zigof3vwwntplthqwypmldk6duxdu767gm3sujumybsp5lzh2q._file
Verdict:
unknown
Similar samples:
110fa520e5db8df04353392a845e64808d2ce2a95de989bc44e2d66abadc1497
njrat
2028ddda2340b3b970746b54e87062982d668a9314d84175d2a759426d2b23f9
njrat
3764a8690d829b849cc82babfb6dc75a3b6f812e46d3d9535c380c187534094e
njrat
3f421e5ab11f7b67712cd164a875e0c78c4f13d697999392cab260bb73ca3a5a
njrat
43a0c2443d1a63d4cc498bae9d459590b37379d5dd57a625545fa484a99d3fb6
njrat
5c883c457a3dc0ddd6ae66380087c57fb714bdf90ff79185ae0cac329677fe26
njrat
66b8f85747edc77fbfabe6b383e11e5284b185dab2257b7c2a127fbfda839edc
njrat
b8fbf85d1eab97ed168f99eb07d13294594675a051c2056b5374630d81fd974d
njrat
d873f30f48805a3dbab8c976665c26fc9c661e23f3b82f143fdd7346268b595a
njrat
eedded196860d1ef5a143268a85bc3951af23e55da8c12b8b1b58b42b9f443f1
njrat
+ 46 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/201110-lzlp2z9mx2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
bff28338bbadacd9bd733c2d87b16357874b8e9ff7cccdca89a330193fabc9f5
MD5 hash:
d613c29610a615da305dc498f166508a
SHA1 hash:
7062d79504f3f465017f96cb7b12a5d03a8d4627
Link:
https://www.unpac.me/results/d7363776-b0f2-461c-a55c-a23286df9642/
SH256 hash:
b5986204a11e255d9df80d81dc45584d7eae82c94e8726583f4a50ad47e2b0e1
MD5 hash:
b623e453eed5dabdcfdb1762c2e90862
SHA1 hash:
1b8bef0e0c06a9f1b5cf43b2b15b1818dd6e222a
Link:
https://www.unpac.me/results/d7363776-b0f2-461c-a55c-a23286df9642/
SH256 hash:
7cfc70d09da47af9a2a11ccc4adef918d5b4b9dd4d2aa5370d456f5ace7e2b34
MD5 hash:
8e16800c059b84b691a95cf71a3f1cb6
SHA1 hash:
40d60705098962a3602c8d729776e3b6acce495b
Link:
https://www.unpac.me/results/d7363776-b0f2-461c-a55c-a23286df9642/
SH256 hash:
2bb851ae03b081a6f6388f0878904856c815d165e173b7f2cc11b4b31b2ac304
MD5 hash:
e14dc2907a4e9d835a7efdbf821dc5a0
SHA1 hash:
c0b35ec7bad6afa2b3b1cabd1be21a4c7635e3f3
Detections:
win_njrat_w1
Create hunting rule
Link:
https://www.unpac.me/results/d7363776-b0f2-461c-a55c-a23286df9642/
Parent samples :
bff28338bbadacd9bd733c2d87b16357874b8e9ff7cccdca89a330193fabc9f5
a31dfcb36d457e6e8cb5d6d26c864d6fc36dc6eda9a1de0788b45a00e1a5b859
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments