MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ca8d1c80409ce5194ecf75c7a67b90bf3aee57154963ef172e4d7e08b3c1d011. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ca8d1c80409ce5194ecf75c7a67b90bf3aee57154963ef172e4d7e08b3c1d011
SHA3-384 hash: c2cd2abeb8124a0a5b2702cd09897739d5a05cc66171d39f37422a4870080f81636760c57c050ccbd205c37602097ad8
SHA1 hash: 8c1a5676137736e33248344ea77c01b740c1da13
MD5 hash: 45c55b8be8ac55957d412f70b9575c4f
humanhash: xray-september-fillet-oranges
File name:ca8d1c80409ce5194ecf75c7a67b90bf3aee57154963ef172e4d7e08b3c1d011
Download: download sample
Signature njrat
Create hunting rule
File size:3'864'576 bytes
First seen:2022-03-23 08:03:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4328f7206db519cd4e82283211d98e83 (533 x RedLineStealer, 18 x Arechclient2, 15 x DCRat)
ssdeep 98304:xYfIG8vKR3ZmV4Ltam6NsSqzYAyL7aGhmmXMBlAdNK/K:SAyKZ6nyL2WFYmNK/
Threatray 13'619 similar samples on MalwareBazaar
TLSH T15906330FF36F722DC678B23AD75B9718535ACD2284B43F4B9209A865DE1C735AC01AD8
File icon (PE):PE icon
dhash icon c8c0e0b85ecab030 (1 x njrat)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
server_protected.exe
Verdict:
Suspicious activity
Analysis date:
2022-02-27 21:18:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e27cd09-19d3-4ba9-b341-de552bba9806

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/255429/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Сreating synchronization primitives
Searching for analyzing tools
Sending a custom TCP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/623ad493b94fb38cb4d7951a/reports/19b220c7-93f3-42ba-9525-89dabe367d4e/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/962770
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ca8d1c80409ce5194ecf75c7a67b90bf3aee57154963ef172e4d7e08b3c1d011/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-03-14 15:04:23 UTC
File Type:
PE (Exe)
Extracted files:
12
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
075811c1b041821aa0902e5035ab2177e6c97c451896ee954d98486d049face6
njrat
0a223aa68af0c2af0baabda61d82748629078720a017ef4836f3322a76cb691a
njrat
108cad79cd5bd2a947c5b877a55b7d3a6a4ce579aae3f298c0618154c27eb3d4
njrat
12505bb6e3c63202f22db1d60afd4a0a386ddff8807bf0d1f8583ba57f6413ba
njrat
1c031533f2717560f8bc0cb2019ec55ae7423490e51c811e30b85d382cbff5ec
njrat
314259cc43c8619b5f8e1ec548b34b64d6b8084342cdd6d8a970718c2d791da8
njrat
9642c83319b6f287e5feaca3edb50bd447a9cd41cdb88d6e588aa569bff23552
njrat
f1df708a846482e0d856754d5178d80109b068dc589494e6e831e2cfa2148b30
njrat
ff721387c09c52da9e700f8c45a576b3bb23fd9235de81ebc5259793ac643eef
njrat
+ 13'609 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion themida trojan
Link:
https://tria.ge/reports/220323-jx94vsechk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Unpacked files
SH256 hash:
6851e02d3f4b8179b975f00bbc86602a2f2f84524f548876eb656db7ea5eaa9c
MD5 hash:
c5124caf4aea3a83b63a9108fe0dcef8
SHA1 hash:
a43a5a59038fca5a63fa526277f241f855177ce6
Link:
https://www.unpac.me/results/8cbb073c-a1fb-4c3a-b409-21c7ff89ef77/
SH256 hash:
ca8d1c80409ce5194ecf75c7a67b90bf3aee57154963ef172e4d7e08b3c1d011
MD5 hash:
45c55b8be8ac55957d412f70b9575c4f
SHA1 hash:
8c1a5676137736e33248344ea77c01b740c1da13
Link:
https://www.unpac.me/results/8cbb073c-a1fb-4c3a-b409-21c7ff89ef77/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.60
Link:
https://yomi.yoroi.company/submissions/ca8d1c80409ce5194ecf75c7a67b90bf3aee57154963ef172e4d7e08b3c1d011

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/255429/

Comments