MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7b5dd67a462b9994b0596e8b4aef43ae616077aa900315b0a565e58bc6347aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 15

Intelligence 15 IOCs 1 YARA 10 File information Comments

SHA256 hash:	c7b5dd67a462b9994b0596e8b4aef43ae616077aa900315b0a565e58bc6347aa
SHA3-384 hash:	77b1ef3f6d775b92255e9d7475052fb25068813b2db08164118e6aa13f9f2716b7173da0a4a753eac0687371a2f0b27d
SHA1 hash:	e72c6b56783e5c7b31c0c718b8bde591f1a1588e
MD5 hash:	1ddf5bc8b999caccac333762d1710237
humanhash:	cup-two-foxtrot-item
File name:	1ddf5bc8b999caccac333762d1710237.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	24'064 bytes
First seen:	2022-05-10 18:37:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	384:6c6ze6e1PAhJVzC3tC1im/BsTx46PgZ0rap9HBmRvR6JZlbw8hqIusZzZ8lJ:6e9EJLN/yRpcnul
Threatray	16 similar samples on MalwareBazaar
TLSH	T1E3B2190E3FB98856C5BC177486A5965003B491470423EE2FCCC564CBAFB3BD92D48AF9
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13101/52/3) 8.6% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
141.255.144.172:5553

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
141.255.144.172:5553	https://threatfox.abuse.ch/ioc/549371/

Intelligence

File Origin

# of uploads :

# of downloads :

373

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

njrat

ID:

File name:

1ddf5bc8b999caccac333762d1710237.exe

Verdict:

Malicious activity

Analysis date:

2022-05-10 19:00:13 UTC

Tags:

rat njrat bladabindi trojan

Link:

https://app.any.run/tasks/e4fdbb15-bbdd-4bee-a81e-a71db59fc079

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

njRat

Link:

https://www.capesandbox.com/analysis/269522/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a process from a recently created file

Creating a file

Sending a custom TCP request

Creating a process with a hidden window

Creating a window

Searching for synchronization primitives

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Launching the process to change the firewall settings

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Query of malicious DNS domain

Sending a TCP request to an infection source

Enabling autorun by creating a file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

bladabindi cmd.exe fingerprint greyware keylogger netsh.exe njrat obfuscated packed rat replace.exe stealer update.exe

Link:

https://www.filescan.io/uploads/627ab0da4b517e213c29668b/reports/92654aee-6516-4b97-8178-b13dd6c1ca82/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/16f47617-f4c4-44ee-9a35-5eef1113b340

Result

Threat name:

njRat

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/991310

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Creates autostart registry keys with suspicious names

Detected njRat

Drops PE files to the startup folder

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Protects its processes via BreakOnTermination flag

Snort IDS alert for network traffic

Uses netsh to modify the Windows network and firewall settings

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/c7b5dd67a462b9994b0596e8b4aef43ae616077aa900315b0a565e58bc6347aa/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2022-05-08 06:03:40 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

39 of 41 (95.12%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=y6252z5emk4zssyfs3uljlxuhltbmb32veadcwykkzpfrpddi6va._file

Verdict:

malicious

Label(s):

njrat

131bc80decadc83b3eabb56fb0f69a715d12bd72a6ef321d0c6ac61db244d62f

njrat

1857c7aef05e1ea2d590a42c55fe60f910b6a7473b7f4443d03d3f46759121bd

njrat

273ad5a2b3f62bd80b72a345fc153d30f3852301ed8d60ad40584086d7ee7735

njrat

49fbf9884299fbc6b09e640449fdc834f82a752908d381a68e2057a9861e3618

njrat

722c230238d0f92f038abcd5c63f1c36664241df74c20eb008c9bf47fcb01ac9

njrat

93015eaddcf1cfed7c9e455cecebc51e85a5de3035282bafbfdd2b0979e46021

njrat

a3fa04d27872b1fea175ee7ca2665ee3b8384db4b6a93f8015cc47e6dddf757d

njrat

+ 6 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat botnet:valorant evasion persistence suricata trojan

Link:

https://tria.ge/reports/220510-w913yafdb7/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Adds Run key to start application

Checks computer location settings

Drops startup file

Loads dropped DLL

Executes dropped EXE

Modifies Windows Firewall

njRAT/Bladabindi

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Capture)

suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)

suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Get Passwords)

suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)

Malware Config

C2 Extraction:

system123.linkpc.net:5553

Unpacked files

SH256 hash:

c7b5dd67a462b9994b0596e8b4aef43ae616077aa900315b0a565e58bc6347aa

MD5 hash:

1ddf5bc8b999caccac333762d1710237

SHA1 hash:

e72c6b56783e5c7b31c0c718b8bde591f1a1588e

Detections:

win_njrat_g1

win_njrat_w1

Link:

https://www.unpac.me/results/05b7fa26-2689-45a6-b8c3-61fad5ac7145/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.88

Link:

https://yomi.yoroi.company/submissions/c7b5dd67a462b9994b0596e8b4aef43ae616077aa900315b0a565e58bc6347aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_disclosed_20180208_c Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	CN_disclosed_20180208_c_RID2E71 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	malware_Njrat_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi

Rule name:	MAL_njrat Create hunting rule
Author:	SECUINFRA Falcon Team

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_LightDefender_Njrat_Rule Create hunting rule
Author:	Skystars LightDefender
Description:	Detects Njrat

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_netsh_firewall_command Create hunting rule
Author:	SECUINFRA Falcon Team

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/269522/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample