MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c403653d9365244e3cd40e72e2e1c173cc2698176393e7cc8246f7c02c508953. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c403653d9365244e3cd40e72e2e1c173cc2698176393e7cc8246f7c02c508953
SHA3-384 hash: 302d7c8ac2bbe6f847ed3987f0aa590cf084d00a781b94eb31246f050ebfa68d7c112a5d4c7ae3672b845020cb8bf5c0
SHA1 hash: df989fddd3db0c6a6b3ed36cdbc27013f9355491
MD5 hash: b6eba1815eaba52e4ef10b6f80e2cb14
humanhash: alaska-charlie-sad-golf
File name:c403653d9365244e3cd40e72e2e1c173cc2698176393e7cc8246f7c02c508953
Download: download sample
Signature njrat
Create hunting rule
File size:457'969 bytes
First seen:2020-11-15 23:18:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep 6144:KFfGC2+P4wwMvfhuI53RSIT+t7UUHZIoh/ipIiGK1qftoPWc9:sf2+P4wwK5lT+t7DH+DpIiGKjPWc9
Threatray 442 similar samples on MalwareBazaar
TLSH 6DA4E002FAD285F2E5220936462E9B50B53D7D381F75CEABF3D82E5DD8311A09634B63
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file
Running batch commands
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Creating a file in the %AppData% directory
Creating a process with a hidden window
Connection attempt
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Creating a file in the mass storage device
Enabling threat expansion on mass storage devices by creating the autorun.inf autorun file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/536935
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Creates autorun.inf (USB autostart)
Detected njRat
Drops PE files with benign system names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 317567 Sample: gnIlB1KMsa Startdate: 16/11/2020 Architecture: WINDOWS Score: 100 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 9 other signatures 2->55 11 gnIlB1KMsa.exe 4 2->11         started        process3 file4 39 C:\Charmy.sfx.exe, PE32 11->39 dropped 14 cmd.exe 1 11->14         started        process5 process6 16 Charmy.sfx.exe 3 14->16         started        20 conhost.exe 14->20         started        file7 35 C:\Charmy.exe, PE32 16->35 dropped 47 Multi AV Scanner detection for dropped file 16->47 22 Charmy.exe 1 5 16->22         started        signatures8 process9 file10 37 C:\Users\user\AppData\Roaming\server.exe, PE32 22->37 dropped 57 Antivirus detection for dropped file 22->57 59 Multi AV Scanner detection for dropped file 22->59 61 Machine Learning detection for dropped file 22->61 26 server.exe 8 22->26         started        signatures11 process12 dnsIp13 45 192.168.1.4, 5552 unknown unknown 26->45 41 C:\svchost.exe, PE32 26->41 dropped 43 C:\autorun.inf, Microsoft 26->43 dropped 63 Antivirus detection for dropped file 26->63 65 Multi AV Scanner detection for dropped file 26->65 67 Creates autorun.inf (USB autostart) 26->67 69 2 other signatures 26->69 31 netsh.exe 1 3 26->31         started        file14 signatures15 process16 process17 33 conhost.exe 31->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c403653d9365244e3cd40e72e2e1c173cc2698176393e7cc8246f7c02c508953/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-15 23:22:03 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yqbwkpmtmuse4pgubzzofyobopgcngaxmoj6pteci334alcqrfjq._file
Verdict:
malicious
Similar samples:
1292e5a45426d40909dc8199da5fc6346a4b8a652baff6bacee9e64bb253f16c
njrat
2d6a60fa56688f81b3b1ecebf2eb1ae9b44f41a9e070916c93e3f85dd841d174
njrat
329c2259d6015d98464322b873b783d18da6ac1a13d7ec40d1de9f143659b1bb
njrat
6cb0c6c55411375878184fba0feeee93c99c7f184818449e548ef875486ec38a
njrat
8b2c5362887dbc350aae004bee2ea50b83aee63bdb1d88c2559672e9ca5b91d5
njrat
a43c0d39f01808746f82c041edad38edbb89334c098311331d3e2733824f6259
njrat
d0d7b0c01eaa5af4698c21f599a3266da87672cb27e01c954e2813c31707ccfc
njrat
d98190863e8f53c385de8531ac7e5e89dc61cdaf17df688614ded12c24c78d31
njrat
ed34d4eba0bc7d434f32bb9bca0147632592656ddf0c2aa892fbee54b0850ff1
njrat
ffe8dbc4f815fe713c790a19b5122c79d1de9c817f10edf7d86ca297175ce439
njrat
+ 432 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/201115-tqhtpl424e/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops autorun.inf file
Modifies service
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
c403653d9365244e3cd40e72e2e1c173cc2698176393e7cc8246f7c02c508953
MD5 hash:
b6eba1815eaba52e4ef10b6f80e2cb14
SHA1 hash:
df989fddd3db0c6a6b3ed36cdbc27013f9355491
Link:
https://www.unpac.me/results/b0ec6a34-aada-4cf4-9aaf-2b7bf782023a/
SH256 hash:
9be679c3bb3c62c1395f693291fb96696631fcfde8937dd0c04d3bfd99b15cbc
MD5 hash:
6dc76e49b93cf1155219148adc0de2e1
SHA1 hash:
f94ed37807660dfd7297bfcd882d0bfe753d1e78
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/b0ec6a34-aada-4cf4-9aaf-2b7bf782023a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c403653d9365244e3cd40e72e2e1c173cc2698176393e7cc8246f7c02c508953

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments