MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7ab8be4ae48937c0b4433d20253e1b4a1074a48dc7c18ca73ac8848182a3b01. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7ab8be4ae48937c0b4433d20253e1b4a1074a48dc7c18ca73ac8848182a3b01
SHA3-384 hash: 7eceb12524b274683eff41c8f6d88f00ca953d699ba20ce0c7bccad64efd5aa6ab297af5726525ec85ee9387aba90c5c
SHA1 hash: 6574884b52ee42bb3faef4013a660e55ef82a960
MD5 hash: 6eedc0ea22ef8aeb88c40985a6cea3c7
humanhash: artist-oxygen-summer-blossom
File name:6EEDC0EA22EF8AEB88C40985A6CEA3C7.exe
Download: download sample
Signature njrat
Create hunting rule
File size:447'380 bytes
First seen:2021-06-30 23:26:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep 6144:yQ+KaiKX2omqZEIvjzmW6rT+tGHYd1eH6UpwCp8aIJmWfaFPM5UoWPyJQzRA:eKry2/qZXzmLT+tGHBvp8hlaFUFWP1RA
Threatray 647 similar samples on MalwareBazaar
TLSH DE94E012B9D18471C472193856E99BB1663CBD301F258ECFA3983E2D6E301D17B36BA7
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
176.58.60.145:333

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
176.58.60.145:333 https://threatfox.abuse.ch/ioc/156573/

Intelligence

File Origin
# of uploads :
1
# of downloads :
315
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6EEDC0EA22EF8AEB88C40985A6CEA3C7.exe
Verdict:
Malicious activity
Analysis date:
2021-06-30 23:27:41 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/91335ca5-f1d1-4f87-b1b0-5409a1887c00

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169020/
Detection(s):
Win.Malware.Generic-9872030-0
Create hunting rule

Win.Malware.Generic-9874383-0
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/0aefa656-3de7-44c5-b4ad-b28876831263
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810266
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected njRat
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442677 Sample: f9VOYnte7U.exe Startdate: 01/07/2021 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Malicious sample detected (through community Yara rule) 2->51 53 Antivirus detection for dropped file 2->53 55 9 other signatures 2->55 9 f9VOYnte7U.exe 13 2->9         started        12 svchost.exe 2->12         started        15 svchost.exe 9 1 2->15         started        18 10 other processes 2->18 process3 dnsIp4 41 C:\Users\user\AppData\Local\...\Discord.exe, PE32 9->41 dropped 20 cmd.exe 1 9->20         started        71 Changes security center settings (notifications, updates, antivirus, firewall) 12->71 47 127.0.0.1 unknown unknown 15->47 file5 signatures6 process7 process8 22 Discord.exe 9 20->22         started        26 conhost.exe 20->26         started        file9 39 C:\Users\user\AppData\Local\...\svchost.exe, PE32 22->39 dropped 65 Multi AV Scanner detection for dropped file 22->65 67 Machine Learning detection for dropped file 22->67 69 Drops PE files with benign system names 22->69 28 svchost.exe 1 3 22->28         started        signatures10 process11 file12 43 C:\Users\user\AppData\Roaming\svchost.exe, PE32 28->43 dropped 73 Antivirus detection for dropped file 28->73 75 Multi AV Scanner detection for dropped file 28->75 77 Machine Learning detection for dropped file 28->77 79 Drops PE files with benign system names 28->79 32 svchost.exe 3 3 28->32         started        signatures13 process14 dnsIp15 45 176.58.60.145, 2703, 49724 MTW-ASRU Russian Federation 32->45 37 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 32->37 dropped 57 Antivirus detection for dropped file 32->57 59 System process connects to network (likely due to code injection or exploit) 32->59 61 Multi AV Scanner detection for dropped file 32->61 63 4 other signatures 32->63 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7ab8be4ae48937c0b4433d20253e1b4a1074a48dc7c18ca73ac8848182a3b01/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-06-27 01:04:52 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y6vyxzfojcjxyc2egpjaeu7bwsqqossi3r6brsttvseeqgbkhmaq._file
Verdict:
malicious
Similar samples:
06aba312b446bf01180d633c94686c5ab2d102d40156b5cd9a9255cc6fd5b69c
njrat
10af2cacc6d5057ff24acfd6811ba45568d6542de1fcfb526f7b9029661f4df9
njrat
226d74c26853c95905bc66fc0697e424cc3f0197a09bc072b3b5df022ba45dd8
njrat
36157bcd02a5c23a3d161cef0e3aacc07c73e91e0a98cfb9f68852d144d43404
njrat
4a5d2a74803de9f7a73d47ada67ab4e03a466e4bef5dc12ca5ba35343b9a0500
njrat
84b6b4da902eec98b042c06c69527db1319a37d4d1e12e1fea314d514392fda4
njrat
b71723aa5fc1153d43c609e12a68182f8d5216b9bfde70a3342562ffe59867a3
njrat
bffa8c77d1dac6b0b0af3c5653a5190ea5d0bc0c0b22f44237bfd66bf351a0d6
njrat
db5b68be18809752d92bc7720216b24922f597363d21e4ac36a0a697342da460
njrat
f47e5170400f759777d84d93b114348b904aed870ee7d39a697f8b1f884d77ae
njrat
+ 637 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210630-nzz3kggc1j/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
d2d718ee5c83852fa908f79160ced1c40abaeedaa4dcc24ce6aecfdfdda0ef5b
MD5 hash:
3b25ae0419ede0c95545f8d8dc00e1af
SHA1 hash:
b8c5867c4e32a935dd52358a54e440e4c4c6e7e6
Link:
https://www.unpac.me/results/c96b0828-6184-41fd-ac21-7b44db2f6f3e/
SH256 hash:
c7ab8be4ae48937c0b4433d20253e1b4a1074a48dc7c18ca73ac8848182a3b01
MD5 hash:
6eedc0ea22ef8aeb88c40985a6cea3c7
SHA1 hash:
6574884b52ee42bb3faef4013a660e55ef82a960
Link:
https://www.unpac.me/results/c96b0828-6184-41fd-ac21-7b44db2f6f3e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c7ab8be4ae48937c0b4433d20253e1b4a1074a48dc7c18ca73ac8848182a3b01

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/169020/

Comments