MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
SHA3-384 hash: 454fb4500d7996c22171af6fd1635645ae1a20e06759a1ec46c08b920784966905e2432129c13b110d1598a4ae68c189
SHA1 hash: 99d985c1562944169823da75a5b8246e83cf7232
MD5 hash: 09f5e3fc4a15fbf25724fc2f95394166
humanhash: twelve-berlin-fruit-kentucky
File name:09f5e3fc4a15fbf25724fc2f95394166
Download: download sample
Signature njrat
Create hunting rule
File size:5'178'368 bytes
First seen:2022-03-03 13:16:27 UTC
Last seen:2022-03-20 05:26:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 140094f13383e9ae168c4b35b6af3356 (32 x DCRat, 11 x CoinMiner, 10 x njrat)
ssdeep 98304:ul0Voa2E41ASpFmcjP/R92nqC65Lt9ZdPRPk:80eahobR9H5LHVk
Threatray 36 similar samples on MalwareBazaar
TLSH T177363388B6FF063DFA8A707C841545A437C14BB335E6127A8D3C619EB5C929D6EB7230
Reporter zbetcheckin
Tags:32 exe NjRAT

Intelligence

File Origin
# of uploads :
4
# of downloads :
319
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://disk.yandex.ru/d/psICxFf4Sx60qQ
Verdict:
Malicious activity
Analysis date:
2022-02-12 19:26:33 UTC
Tags:
rat njrat bladabindi trojan
Link:
https://app.any.run/tasks/2de12752-62da-4987-8cb7-086bf87d5d3c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/246986/
Detection(s):
SecuriteInfo.com.Variant.ExNuma.1.7242.31751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a file in the Windows directory
Modifying an executable file
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the Program Files subdirectories
Sending a custom TCP request
Creating a process with a hidden window
Creating a window
Searching for synchronization primitives
DNS request
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Infecting executable files
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/8118/overview
Behaviour
MalwareBazaar
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Neshta
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fc6b0c89-7f9e-4571-9ad5-0f5bfd23fc50
Result
Threat name:
njRat Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/949966
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Detected njRat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with a suspicious file extension
Found malware configuration
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Sample is not signed and drops a device driver
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: New RUN Key Pointing to Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Yara detected Neshta
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 582449 Sample: W2mZuF0hV0 Startdate: 03/03/2022 Architecture: WINDOWS Score: 100 79 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->79 81 Found malware configuration 2->81 83 Malicious sample detected (through community Yara rule) 2->83 85 17 other signatures 2->85 12 W2mZuF0hV0.exe 3 2->12         started        16 svchost.com 2->16         started        18 svchost.com 2->18         started        20 2 other processes 2->20 process3 dnsIp4 75 192.168.2.1 unknown unknown 12->75 69 C:\Users\user\AppData\Local\Temp\KLNR.exe, PE32 12->69 dropped 71 C:\Users\user\...behaviorgraphRAND THEFT AUTO 5.exe, PE32 12->71 dropped 22 KLNR.exe 3 2 12->22         started        26 GRAND THEFT AUTO 5.exe 4 12->26         started        28 server.exe 16->28         started        30 server.exe 18->30         started        32 server.exe 20->32         started        file5 process6 file7 55 C:\Users\user\AppData\Local\Temp\...\KLNR.exe, PE32 22->55 dropped 57 C:\ProgramData\...\VC_redist.x64.exe, PE32 22->57 dropped 93 Antivirus detection for dropped file 22->93 95 Machine Learning detection for dropped file 22->95 97 Infects executable files (exe, dll, sys, html) 22->97 34 svchost.com 1 22->34         started        59 C:\Windows\svchost.com, PE32 26->59 dropped 61 C:\Users\user\AppData\Local\...\setup.exe, PE32 26->61 dropped 63 C:\Users\user\...behaviorgraphRAND THEFT AUTO 5.exe, PE32+ 26->63 dropped 65 10 other malicious files 26->65 dropped 99 Creates an undocumented autostart registry key 26->99 101 Drops executable to a common third party application directory 26->101 103 Hides threads from debuggers 28->103 signatures8 process9 file10 53 C:\Windows\directx.sys, ASCII 34->53 dropped 87 Antivirus detection for dropped file 34->87 89 Machine Learning detection for dropped file 34->89 91 Sample is not signed and drops a device driver 34->91 38 KLNR.exe 2 5 34->38         started        signatures11 process12 file13 67 C:\Users\user\AppData\Local\Temp\server.exe, PE32 38->67 dropped 105 Antivirus detection for dropped file 38->105 107 Detected unpacking (changes PE section rights) 38->107 109 Detected unpacking (overwrites its own PE header) 38->109 111 4 other signatures 38->111 42 svchost.com 38->42         started        signatures14 process15 process16 44 server.exe 2 5 42->44         started        dnsIp17 77 82.202.167.67, 49752, 7790 THEFIRST-ASRU Russian Federation 44->77 73 C:\...\c8a9da7fa674aa389aad9af7feb5a543.exe, PE32 44->73 dropped 113 Antivirus detection for dropped file 44->113 115 Detected unpacking (changes PE section rights) 44->115 117 Detected unpacking (overwrites its own PE header) 44->117 119 8 other signatures 44->119 49 netsh.exe 1 3 44->49         started        file18 signatures19 process20 process21 51 conhost.exe 49->51         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470/
Threat name:
Win32.Trojan.ExNuma
Create hunting rule
Status:
Malicious
First seen:
2022-03-02 08:32:00 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
30 of 42 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zmkvqwvmmip66vyq27blntdrjv6tfa2xm4l425zyucey2w3durya._file
Verdict:
malicious
Similar samples:
4322b25b29f160a08e809764a5dd86deda2289623331867004f85a905ce47769
njrat
5261874485f9fe16a78a558734e8652f93db1d544f3be331e7f6adc06f43ee98
njrat
6013c0ccf38e7be9221db0bc51597cd034cc07ca5c8ca1d0bc16d7b665700512
njrat
6c3d282a6a943f1b052246f5b3ceec91e400c0fdd04c22d1e44556e1150b3a5a
njrat
798eab01e5d7f1c78e3f7db514f3611ae85e468405af144245f55c8f2657c6d9
njrat
7fb40d2c4011f9aa66d25183702ac6872fff070ff9c7433fab6d3785ebc95f4c
njrat
9cda5e5ad6ca68a803516013fbf62e6b06383b20fccf1ee6aed4730c916a3b55
njrat
d162aea95889e147b96c2ab4da7cf27ec2538abd149a08f96d993fb7a41b002f
njrat
d92f632b039d42bfe46c284f35b8ce4f898576d840fd366becc1d9bcd4ed6a3a
njrat
+ 26 additional samples on MalwareBazaar
Result
Malware family:
neshta
Create hunting rule
Score:
  10/10
Tags:
family:neshta persistence spyware stealer
Link:
https://tria.ge/reports/220303-qjdbasbda7/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Detect Neshta Payload
Modifies system executable filetype association
Neshta
Unpacked files
SH256 hash:
d5ece52a71f0de749b31eb99c506c8b9147f2b690b1f85a88c1ad0357540a6a9
MD5 hash:
b01db2780c5a1bbeb3b76e97eb5ea754
SHA1 hash:
c75b2d4e0c81fb42ccf8b6d7da6e3134b480c7dc
Detections:
win_neshta_auto
Create hunting rule
Link:
https://www.unpac.me/results/6e276922-e1bf-413d-a078-2555a69b112e/
Parent samples :
811d169ec93c76795798353e6fdf509271d61d3424acb7d709c34cc83511b0f9
cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
4dcd84003dc7b4d627193ce18034c71a3ee35980495d755d9bcf80a672eb544e
2e5b9ebfb2b81c5e512248e2e9224d1054defc4b027c0108fc10d268312ce290
68652defc71770065997b7d60a64a3959446a114a2ee17a443a15ae8b767f150
640315d3ee04d383d4b8702b0d29a11846139cb9505078440f2e67b2d9bc3cce
4608c3c211744ce283dac6c36cb7a2c0fd584ee440fa4f671bc270f1bc737ff0
c8bb8271adc398661a408fc99b14a7d3797bd546b0b836f68a059c2f72948937
cd23680ab97a8fa8c459690061e90ea0d48d19975900f1a0ee41ffcd76bbb311
313cabf464e7edf69744f94c3ea234fbb5d7b99daf2aff5492131a4ca9d08e00
60292e6be9d0d5e5f82a3382e4b69fcd19362b4c30a1829787dfc6ea5462a117
ec2ec99d719ccde3972abb4db0ef83eae6462f4697861529ead23d304c527d29
a8df709495ab9ea938880b1ebe744b33bc163b2fe576ce7e585caef7c846b718
a6077288d1353daaab0bf9092c357cd7f0712537def3ff3be60fa68da4e436ac
SH256 hash:
cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470
MD5 hash:
09f5e3fc4a15fbf25724fc2f95394166
SHA1 hash:
99d985c1562944169823da75a5b8246e83cf7232
Link:
https://www.unpac.me/results/6e276922-e1bf-413d-a078-2555a69b112e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.16
Link:
https://yomi.yoroi.company/submissions/cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:MALWARE_Win_Neshta
Create hunting rule
Author:ditekSHen
Description:Detects Neshta
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:Identify njRat
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe cb15585aac621fef5710d7c2b6cc714d7d3283576717cd7738a0898d5b63a470

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2072458/
  
URLhaus
https://urlhaus.abuse.ch/url/2072459/
  
URLhaus
https://urlhaus.abuse.ch/url/2072718/
  
URLhaus
https://urlhaus.abuse.ch/url/2073285/
  
URLhaus
https://urlhaus.abuse.ch/url/2073252/
Cape
Cape
https://www.capesandbox.com/analysis/246986/

Comments


Avatar
zbet commented on 2022-03-03 13:16:28 UTC

url : hxxp://193.233.48.64:20001/bot/cache/88535906.exe