MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cd7951f7292506e314834d7c82e290f84a9f55ba2feac4fa4ef545d9cbf79864. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 9

Intelligence 9 IOCs YARA 5 File information Comments

SHA256 hash:	cd7951f7292506e314834d7c82e290f84a9f55ba2feac4fa4ef545d9cbf79864
SHA3-384 hash:	dd5a429e44c20f3296963358e1b5c433eb02fa3d04a6d496722506f97b1ccdd203937ec926db34e477d649681e93971d
SHA1 hash:	d5f40066bb7e1b603d4947dbe83784c0d69fe1f5
MD5 hash:	78fe8097d78bf46836ebdebb96477d93
humanhash:	xray-pennsylvania-september-uniform
File name:	cd7951f7292506e314834d7c82e290f84a9f55ba2feac4fa4ef545d9cbf79864
Download:	download sample
Signature	njrat Create hunting rule
File size:	1'178'120 bytes
First seen:	2020-11-14 18:26:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:+0M9u5FGWsNXrP+AoGbeOx6cGmHa37aWtDv395E:15FYP+5DOx6JYa371DvnE
TLSH	4F45BE427391C071FFAA96739B2AF61146BD6D790133C41F13A83DBAAD711B1263DA23
Reporter	seifreed
Tags:	NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Autoit-8000278-0

Win.Trojan.Autoit-9790152-0

Win.Trojan.Autoit-9790155-0

Win.Trojan.Autoit-9790166-0

Win.Trojan.Autoit-9790168-0

Win.Trojan.Autoit-9790176-0

Win.Trojan.Autoit-9790232-0

Win.Trojan.Autoit-9790239-0

Win.Trojan.Autoit-9790240-0

Win.Trojan.Autoit-9790242-0

Win.Trojan.Autoit-9790245-0

Win.Trojan.Autoit-9790251-0

Win.Trojan.Autoit-9790262-0

Win.Trojan.Autoit-9790267-0

Win.Trojan.Autoit-9790695-0

Win.Trojan.Autoit-9791035-0

Win.Trojan.Autoit-9791037-0

Win.Trojan.Autoit-9792204-0

Win.Trojan.Autoit-9792227-0

Win.Trojan.Autoit-9792274-0

Win.Trojan.Autoit-9792861-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a process with a hidden window

Creating a file in the %temp% subdirectories

Enabling the 'hidden' option for files in the %temp% directory

Creating a process from a recently created file

Launching the process to change the firewall settings

Unauthorized injection to a system process

Enabling autorun by creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

njRat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/535191

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

AutoIt script contains suspicious strings

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Detected njRat

Malicious sample detected (through community Yara rule)

Modifies the windows firewall

Multi AV Scanner detection for submitted file

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cd7951f7292506e314834d7c82e290f84a9f55ba2feac4fa4ef545d9cbf79864/

Threat name:

Win32.Hacktool.Generic

Status:

Suspicious

First seen:

2020-11-14 18:30:19 UTC

AV detection:

38 of 48 (79.17%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zv4vd5zjeudogfedjv6ifyuq7bfj6vn2f7vmj6so6vc5ts7xtbsa._file

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat evasion persistence trojan

Link:

https://tria.ge/reports/201114-fb91kzg8be/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Executes dropped EXE

Modifies Windows Firewall

njRAT/Bladabindi

Unpacked files

SH256 hash:

cd7951f7292506e314834d7c82e290f84a9f55ba2feac4fa4ef545d9cbf79864

MD5 hash:

78fe8097d78bf46836ebdebb96477d93

SHA1 hash:

d5f40066bb7e1b603d4947dbe83784c0d69fe1f5

Link:

https://www.unpac.me/results/801ef975-9180-4eed-b82a-12f28d05ead1/

SH256 hash:

540601cebaa24f199932322590f6084667ab3f7245924c74234f17adeb76a37f

MD5 hash:

0623a978c4595f76ec438afaa8164107

SHA1 hash:

05fa6bf7119767462174b42da8c419e404bfa3e1

Detections:

win_njrat_w1

win_njrat_g1

Link:

https://www.unpac.me/results/801ef975-9180-4eed-b82a-12f28d05ead1/

Parent samples :

0c3d29652f673f9b41240038596e57ffb280e3ba0c5e519be3aead68ebd398e8
42a140cd4f88d3fd5db132a7ca258148031b917bb1207bd1570e53f800c55cb8
4c14d8137e225d03bcc84f9296d86ab32c67b2fefe72049abf6f4e431acf70e0
a584da6092123600c08e861ac0f14cd0ea41b95e4cd058b37ec70fc8dcf542d0
869f916839342a43032ac51d3574f7a9c057f73e319f8033c6338094376cab11
7c4e3cb6cdc2fd013561f3b657d7d660e5bb3d2f10b701c4dddbdea4fdd49e61
2bcfe505fb789c4ff8642b74897b70027367570c63680f2d77509543f6e4433d
60e0af6395d28a899bbb2d9b7a61761d9cf1de85ddca77a114dca46054b0e8cd
d30b0d89c5e93b5bee54918d04d57370f1625455d7859f4061c47f13b9a779aa
1ecde0b85ddc9e37bdc3004b732f73d2dd12f0e101f91ebda16cbbf30ddd4a9d
57590a0d56dc1a2ddc1f73db742f4106f4cbb6e2f247020c5d4e12d78b1775d2
c964e9d4711c1cf0fb66db61b717b4215c5916355aed5fa44613d2f3251ccdf5
045323a02bf0cd8ffa742ba71963d87aa8c00eba637dad7c86757f0656e296a5
46650f8381483afc61f1bed735c56dfa6deace36bd272c123ab83edf7243aa80
cd7951f7292506e314834d7c82e290f84a9f55ba2feac4fa4ef545d9cbf79864
707d2a9dc17cfe0734dc3ef46a4e7761d8c873de5496243b7b435ac3c9c0b209
ffd3401a514ab70fe36ce5f3e25c814a8b9fbf7982f21c6d7bb5f82c82fd2009
0ab667dc59ad6ac24333bab211bf1bf9c85f90be59f12cfc7ca46b1ee2e9393d
8bc1e289657c8d1bbbc902bd0315dc20ae52a58cd045bfff5a550fab62ef56f2

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

NJRat

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cd7951f7292506e314834d7c82e290f84a9f55ba2feac4fa4ef545d9cbf79864

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE).

Rule name:	CN_disclosed_20180208_c Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample