MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c582b5864a67c2d63f8d3a8faf08b47e94646a96cd81abe507d8d08df13e40c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c582b5864a67c2d63f8d3a8faf08b47e94646a96cd81abe507d8d08df13e40c4
SHA3-384 hash: 0a35c7e76c74156b9b94f59b39f60a658b55eff0e0b8faa719b31b0552f33ffe650f8210db9ac1744eecea7d301b67cd
SHA1 hash: 802296f4944a765d71c2b969df549b2fe561819a
MD5 hash: 426f94c2250dfc1e6e796bfbe81bef0b
humanhash: fourteen-jig-autumn-sixteen
File name:C582B5864A67C2D63F8D3A8FAF08B47E94646A96CD81A.exe
Download: download sample
Signature njrat
Create hunting rule
File size:2'436'336 bytes
First seen:2021-08-17 19:56:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 49152:Mh+ZkldoPK1Xav4aWGh+ZkldoPK1XadtV+XcM:d2cPK1daWf2cPK1RV
Threatray 1'396 similar samples on MalwareBazaar
TLSH T101B58C03739D8065FEAA917F5B59B20156BD7C2500E3872F12983D6DA9F03A11E3EE63
dhash icon 3b73cb09718c5575 (2 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
192.169.69.26:3344

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.169.69.26:3344 https://threatfox.abuse.ch/ioc/191754/

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
C582B5864A67C2D63F8D3A8FAF08B47E94646A96CD81A.exe
Verdict:
Malicious activity
Analysis date:
2021-08-17 19:58:19 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/68879c16-b355-4933-88d3-d053f8f3569b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Remcos
Create hunting rule
Link:
https://www.capesandbox.com/analysis/180148/
Detection(s):
Win.Malware.Nymeria-6988663-0
Create hunting rule

Win.Malware.Nymeria-6988372-1
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Creating a file
Launching a process
Sending a UDP request
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the %temp% directory
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c0e5aaca-33ef-4972-927f-2b0144c880c5
Result
Threat name:
Remcos Njrat
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/834707
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Contains functionality to capture and log keystrokes
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Detected Remcos RAT
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries random domain names (often used to prevent blacklisting and sinkholes)
Sigma detected: Drops script at startup location
Sigma detected: Suspicious Process Start Without DLL
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Njrat
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 467136 Sample: C582B5864A67C2D63F8D3A8FAF0... Startdate: 17/08/2021 Architecture: WINDOWS Score: 100 45 2ffahbg8eydhr96hx3x2lje2ymygt5iq.duckdns.org 2->45 67 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 Antivirus / Scanner detection for submitted sample 2->71 73 14 other signatures 2->73 8 C582B5864A67C2D63F8D3A8FAF08B47E94646A96CD81A.exe 6 2->8         started        12 wscript.exe 1 2->12         started        14 wscript.exe 2->14         started        signatures3 process4 file5 41 C:\Users\user\AppData\...\IMESEARCH.exe, PE32 8->41 dropped 43 C:\Users\user\AppData\Local\...\LastFudCy.exe, PE32 8->43 dropped 75 Contains functionality to inject code into remote processes 8->75 77 Writes to foreign memory regions 8->77 79 Allocates memory in foreign processes 8->79 81 Injects a PE file into a foreign processes 8->81 16 LastFudCy.exe 4 8->16         started        20 RegSvcs.exe 2 4 8->20         started        23 IMESEARCH.exe 2 12->23         started        25 ActiveSyncCsp.exe 14->25         started        signatures6 process7 dnsIp8 37 C:\Users\user\...\ActiveSyncCsp.exe, PE32 16->37 dropped 53 Antivirus detection for dropped file 16->53 55 Multi AV Scanner detection for dropped file 16->55 57 Binary is likely a compiled AutoIt script file 16->57 65 5 other signatures 16->65 27 LastFudCy.exe 2 3 16->27         started        30 LastFudCy.exe 16->30         started        47 2ffahbg8eydhr96hx3x2lje2ymygt5iq.duckdns.org 20->47 39 C:\Users\user\AppData\Roaming\...\advpack.url, MS 23->39 dropped 59 Writes to foreign memory regions 23->59 61 Allocates memory in foreign processes 23->61 63 Injects a PE file into a foreign processes 23->63 32 LastFudCy.exe 1 23->32         started        35 RegSvcs.exe 23->35         started        file9 signatures10 process11 dnsIp12 49 2ffahbg8eydhr96hx3x2lje2ymygt5iq.duckdns.org 192.169.69.26, 3344, 4431, 49710 WOWUS United States 27->49 51 Injects a PE file into a foreign processes 32->51 signatures13
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c582b5864a67c2d63f8d3a8faf08b47e94646a96cd81abe507d8d08df13e40c4/
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 19:15:29 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ywbllbskm7bnmp4nhkh26cfup2kgi2uwzwa2xzih3dii34j6idca._file
Verdict:
suspicious
Similar samples:
2b554ef8cede0aaf90b2eba967599dede6795344ae5c7e876e5c3a5776894a16
njrat
2bce8926e878a8464f8c19ffe1ac202e02331ed4f9983aa0b6e55a24e87da7b6
njrat
4c9649ae4b47567cd6630632e78c45f2bb863c4fe8a2229866392f9e735706b3
njrat
788439bb46a147272e39cdd6a8a8ecdc68dbb3317e4d058526d6feda09d64613
njrat
87be6f628553d89007fd8f7d0758d42906f2ee7d84ca18e961cb463921061a42
njrat
a93a71cdc90f1ab2f2c80db6f0c55b95f43bad13faff06c89f2c728cab630773
njrat
c11353e4ef1fff0cbee888271cc6435f816e6922c0020b983cb94f0c4579bb8b
njrat
cbeec64cdd31f94e46005a27c264248f12a22102d6e8b9f4187e92fedb2db373
njrat
d8a3df5d5ed44873fc091b44a64f98c6c54dae8356d747cddee51b88df9f1d2e
njrat
f9a0da63b5f5ea367b450c422340aa478d6920d797e95a2379bf7d2a8471d6c8
njrat
+ 1'386 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
suricata upx
Link:
https://tria.ge/reports/210817-3vlxflerda/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
autoit_exe
Drops startup file
Loads dropped DLL
Executes dropped EXE
UPX packed file
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Unpacked files
SH256 hash:
9a1b6544f864071063ff6352267492786443c2f3930009e39adfdd5bf1c906c8
MD5 hash:
ece006a1b6bc5becb4b4b7215c3c89fd
SHA1 hash:
2332f9f2f070d0dfa0a1c92e621c3ed02febcf3d
Detections:
win_remcos_g0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/0347ed36-8baf-4cc5-b914-4ded4ca693c8/
Parent samples :
c582b5864a67c2d63f8d3a8faf08b47e94646a96cd81abe507d8d08df13e40c4
ba941d09fd153b7a9c5184333bb789e321679d736db2f1f457e41e65e7d59789
f59e0f40f585fb82cde0dd687415d778c27b944d936a13a91e4b4894df738be1
bc28df3a25377a42fb70eb261ff90a7708834e60b10068cb35904d3da58ce5f6
6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df
SH256 hash:
b36ff786562c196652de121876646ef8107679ec03c427fd198546076326984c
MD5 hash:
dba0a1f2753325cfbc49d93a0a6bbb0e
SHA1 hash:
709aefab525bdfabbdfda7c55d1fa3127b567f13
Link:
https://www.unpac.me/results/0347ed36-8baf-4cc5-b914-4ded4ca693c8/
SH256 hash:
c582b5864a67c2d63f8d3a8faf08b47e94646a96cd81abe507d8d08df13e40c4
MD5 hash:
426f94c2250dfc1e6e796bfbe81bef0b
SHA1 hash:
802296f4944a765d71c2b969df549b2fe561819a
Link:
https://www.unpac.me/results/0347ed36-8baf-4cc5-b914-4ded4ca693c8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c582b5864a67/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c582b5864a67c2d63f8d3a8faf08b47e94646a96cd81abe507d8d08df13e40c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/180148/

Comments