MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cec4f834904872bea22fc5be10142a10accab72e4fb882a86d91db46891caaa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 9

Intelligence 9 IOCs 2 YARA 4 File information Comments

SHA256 hash:	cec4f834904872bea22fc5be10142a10accab72e4fb882a86d91db46891caaa7
SHA3-384 hash:	336c6268952acfcf27f1fce71149348b3f77b01766f885f943dde8627fa9ea6677c1cc5db0fa2f2ff52af508a9caf9f7
SHA1 hash:	7fcd540417a05abbe213a35cc2f12fe5364e938e
MD5 hash:	a73a9de9cc4aa5d58a26a2ef8980dfad
humanhash:	spring-six-carpet-wolfram
File name:	a73a9de9cc4aa5d58a26a2ef8980dfad.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	573'952 bytes
First seen:	2022-02-09 21:31:03 UTC
Last seen:	2022-02-10 00:19:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:37j9OMu7i4PLoEnzk2JcvxD7i7kLN27NIDPGXnh057OK3Nd9IZIxqwJnNC4tq8ap:Lj9OZ5xzkMos7oN27NIDPGXnh057OK3s
Threatray	487 similar samples on MalwareBazaar
TLSH	T12FC4B0583FC594D0E9390E37C6BB93102F67E970DD27CA26995A25F201FB12D7C89CA2
File icon (PE):
dhash icon	3474d4d4dcdcdcc4 (3 x Cryptbot, 3 x DanaBot, 2 x AveMariaRAT)
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
181.141.0.235:8050

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
181.141.0.235:8050	https://threatfox.abuse.ch/ioc/384607/
181.141.0.235:8071	https://threatfox.abuse.ch/ioc/384608/

Intelligence

File Origin

# of uploads :

# of downloads :

312

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/239912/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.25327.18183.23935.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

DNS request

Sending a custom TCP request

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Using the Windows Management Instrumentation requests

Creating a file

Searching for the window

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6204329b36f99219183331bd/reports/ca9bccef-7242-46c8-8183-f58ba055ba92/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/1e002be2-aa30-424a-b52c-a2ae9b37c6d6

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/937252

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Encrypted powershell cmdline option found

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Encoded PowerShell Command Line

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Uses dynamic DNS services

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cec4f834904872bea22fc5be10142a10accab72e4fb882a86d91db46891caaa7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-02-09 21:32:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=z3cpqneqjbzl5irpyw7bafbkccwmvnzoj64ifkdnshnunci4vktq._file

Verdict:

malicious

Label(s):

asyncrat

njrat

447a360df02395eed4be5ed1552c279f80c2c12cb10fc80759992caf70e75605

njrat

4dfcffc647f3ad92ed307b8896b270b36634a5da12a3fea4ac89b51243e2b02f

njrat

7f94c21c8bb8b634df7616ec35572439237604fae7e049e1fad38403955996b9

njrat

aa9233aa16889193c6d866d7dc25f1eba29498b7f6a56820abca133e98a8b7f7

njrat

c76b712c50ace3cc44091a1626df49f74d0d3ce793a4667d78f4deb86adf50b7

njrat

f9da50e312fa2e25247a7caf3ca482a2dd55a743bf246d99692bd4a0f0148f2c

njrat

+ 477 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat persistence rat

Link:

https://tria.ge/reports/220209-1c3ygsbeg7/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Suspicious use of SetThreadContext

Adds Run key to start application

Checks computer location settings

AsyncRat

Unpacked files

SH256 hash:

9f01d9f2ed07e630ec078efa5d760762c3c8ad3b06e9e8a9062a37d63d57b026

MD5 hash:

9fbb8cec55b2115c00c0ba386c37ce62

SHA1 hash:

e2378a1c22c35e40fd1c3e19066de4e33b50f24a

Link:

https://www.unpac.me/results/fe4d4808-c2df-4fd6-9e13-822f7a69f30d/

SH256 hash:

09f3021597a5defb8d69cdd043bd7dbdf12f3eee83708f4863c1db45eda83af1

MD5 hash:

ddb78076991bbc03769cb7ba9a92fb74

SHA1 hash:

4f71ebca285fd203f563a187ab9a60aac16c16c2

Detections:

win_asyncrat_w0

Link:

https://www.unpac.me/results/fe4d4808-c2df-4fd6-9e13-822f7a69f30d/

SH256 hash:

8c30982e65218d122ce891d9087db39f49924baf9ea05bce87498458ad15c703

MD5 hash:

b83707bbf302e7319a6cda6bbf04cb73

SHA1 hash:

433a54ddbc555b5391ce571f46d3e90d9a4ce70a

Link:

https://www.unpac.me/results/fe4d4808-c2df-4fd6-9e13-822f7a69f30d/

SH256 hash:

cec4f834904872bea22fc5be10142a10accab72e4fb882a86d91db46891caaa7

MD5 hash:

a73a9de9cc4aa5d58a26a2ef8980dfad

SHA1 hash:

7fcd540417a05abbe213a35cc2f12fe5364e938e

Link:

https://www.unpac.me/results/fe4d4808-c2df-4fd6-9e13-822f7a69f30d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/cec4f8349048/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Typical_Malware_String_Transforms Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

Rule name:	Typical_Malware_String_Transforms_RID3473 Create hunting rule
Author:	Florian Roth
Description:	Detects typical strings in a reversed or otherwise modified form
Reference:	Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/239912/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample