MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d01e5dc3618708c0affe1be008e9d356fe7d113289dc68bc832d556788adeba1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d01e5dc3618708c0affe1be008e9d356fe7d113289dc68bc832d556788adeba1
SHA3-384 hash: aefe11714b0b290e5379bf90219f3b871aa2b2baf3bfb95c4fc4bca42624c63200b8db8d1a3cc076f7b0de56843f44fe
SHA1 hash: 2fa62ad88fe9ed8ff915087692020ea0b84f56ae
MD5 hash: d38a592a34803dd43fec1722a4467822
humanhash: low-solar-carolina-whiskey
File name:d38a592a34803dd43fec1722a4467822.exe
Download: download sample
Signature njrat
Create hunting rule
File size:448'540 bytes
First seen:2021-09-12 14:25:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:ohqxSLo5C1Ps4Xh+yb8x7+DRd9wStLA21B5/1o/:oHLmCiIhrAEd9w65O/
Threatray 2'120 similar samples on MalwareBazaar
TLSH T17594DF02B9C18472D57239B25926A750697DBC200F248A8FA3F4796D9B311D3FE34B7B
dhash icon 1761d5b6b4693337 (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
103.254.96.194:147

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
103.254.96.194:147 https://threatfox.abuse.ch/ioc/220692/

Intelligence

File Origin
# of uploads :
1
# of downloads :
544
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d38a592a34803dd43fec1722a4467822.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-12 14:28:22 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b4e7298c-7eea-43f1-9a2d-0e7de1227928

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
WarzoneRAT
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187141/
Detection(s):
SecuriteInfo.com.BackDoor.SiggenNET.5.27436.8753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the Windows directory
Creating a process from a recently created file
Creating a file in the %AppData% directory
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/6174f8809a5a1e91c5d1f655/reports/962e671c-7d4e-4bc5-88a8-aef766c397c7/overview
Malware family:
AVE_MARIA
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d008379a-5be3-4b9e-9b5e-87d0022aa7db
Result
Threat name:
AveMaria Njrat UACMe
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/849366
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates files in alternative data streams (ADS)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Increases the number of concurrent connection per server for Internet Explorer
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Powershell Defender Exclusion
Uses dynamic DNS services
Yara detected AveMaria stealer
Yara detected Njrat
Yara detected UACMe UAC Bypass tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 481793 Sample: kTUsgg2Z1u.exe Startdate: 12/09/2021 Architecture: WINDOWS Score: 100 61 pubg.ddns.net 2->61 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Antivirus detection for dropped file 2->69 71 13 other signatures 2->71 10 kTUsgg2Z1u.exe 1 6 2->10         started        14 imagesghr.exe 2->14         started        16 FixWindowsUpdate.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 file5 55 C:\Windows\windll.exe, PE32 10->55 dropped 57 C:\Windows\win.exe, PE32 10->57 dropped 59 C:\Windows\TVTools_AlterID.exe, PE32 10->59 dropped 83 Drops executables to the windows directory (C:\Windows) and starts them 10->83 20 windll.exe 5 7 10->20         started        24 win.exe 1 3 10->24         started        26 TVTools_AlterID.exe 2 12 10->26         started        signatures6 process7 file8 45 C:\ProgramData\imagesghr.exe, PE32 20->45 dropped 47 C:\ProgramData:ApplicationData, PE32 20->47 dropped 49 C:\Users\user\AppData\...\programs.bat:start, ASCII 20->49 dropped 51 C:\Users\user\AppData\...\programs.bat, ASCII 20->51 dropped 73 Antivirus detection for dropped file 20->73 75 Multi AV Scanner detection for dropped file 20->75 77 Creates files in alternative data streams (ADS) 20->77 81 7 other signatures 20->81 28 imagesghr.exe 20->28         started        32 powershell.exe 24 20->32         started        53 C:\Users\user\...\FixWindowsUpdate.exe, PE32 24->53 dropped 79 Machine Learning detection for dropped file 24->79 34 FixWindowsUpdate.exe 24->34         started        signatures9 process10 dnsIp11 63 pubg.ddns.net 103.254.96.194, 147, 5201 IRIISNET-ASIriisNetcommunicationPvtLtdIN India 28->63 85 Antivirus detection for dropped file 28->85 87 Multi AV Scanner detection for dropped file 28->87 89 Machine Learning detection for dropped file 28->89 93 4 other signatures 28->93 37 powershell.exe 28->37         started        39 conhost.exe 32->39         started        43 C:\Users\user\...\Microsoft update.exe, PE32 34->43 dropped 91 Drops PE files to the startup folder 34->91 file12 signatures13 process14 process15 41 conhost.exe 37->41         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d01e5dc3618708c0affe1be008e9d356fe7d113289dc68bc832d556788adeba1/
Threat name:
Win32.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 14:51:11 UTC
AV detection:
27 of 45 (60.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2apf3q3bq4embl76dpqar2otk37h2ejsrhogrpedfvkwpcfn5oqq._file
Verdict:
malicious
Label(s):
avemaria
Create hunting rule
Similar samples:
07915b1a44803fc9bd86d2d9ddad19434440b3d73f5c77f3400c84a935dd0255
njrat
0823e54b076d1359145b0060fe0d0f80b73220ddec8cc23d4901bd1e448e6ad6
njrat
29c359a430263d1482f855d74d16a653f7bdcd6ab01abcb6090c1163a1568f71
njrat
2b04dc24a677c5892b077491d6e794fe8758341919d363067aaed539f3dec2db
njrat
7104a4df53b683b1a99c9767c743a53d3ffe200f31279ee3d31f1514fb5fa95e
njrat
8d98f6090c83a627a2922f45047ad42e91002e7a54abe5f5f55dd91a3d14476f
njrat
9d43e942f513a32e1c0db58de3d63abb24a8a4bc7bef3da4a6106656b9a64a5f
njrat
a67866e26c35be123728faf13ab166a05eb79ad7e8c6c79768ea059326d5cb60
njrat
c512bba369f7480f1682546ba31ac48e290887f1209a8dbbfdd1ed3de2544095
njrat
dbb9d26d8d9eb357f53db3913bbcacb0153a23aa1b23c2b3290e4ade823dc5c1
njrat
+ 2'110 additional samples on MalwareBazaar
Result
Malware family:
warzonerat
Create hunting rule
Score:
  10/10
Tags:
family:njrat family:warzonerat botnet:x1x1x1x1x1 infostealer persistence rat suricata trojan
Link:
https://tria.ge/reports/210912-rrvqzsfdbm/
Behaviour
Modifies registry class
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Warzone RAT Payload
WarzoneRat, AveMaria
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
pubg.ddns.net:5201
pubg.ddns.net:147
Unpacked files
SH256 hash:
320d6dcf82a4e24763691ad53989ea12a68c3e97eb2ba822807eea377895a058
MD5 hash:
fb71890d51bc97d78aa496135d570c0d
SHA1 hash:
3990c26cd19057f5adf7096a8eb140bb76264945
Detections:
win_ave_maria_g0
Create hunting rule
win_ave_maria_auto
Create hunting rule
Link:
https://www.unpac.me/results/e1fb6706-aefc-46c6-b614-ace815b315e7/
SH256 hash:
fc0c90044b94b080f307c16494369a0796ac1d4e74e7912ba79c15cca241801c
MD5 hash:
6b906764a35508a7fd266cdd512e46b1
SHA1 hash:
2a943b5868de4facf52d4f4c1b63f83eacd882a2
Link:
https://www.unpac.me/results/e1fb6706-aefc-46c6-b614-ace815b315e7/
SH256 hash:
94ac5551c02b9ccc42aef28922a1045f6a5411852a464087ca1cb98a7b835c51
MD5 hash:
bc4fd52445b7f27f293790e7f04aa289
SHA1 hash:
12d6a1e9306634298c8e38339946015dfb3ad36d
Link:
https://www.unpac.me/results/e1fb6706-aefc-46c6-b614-ace815b315e7/
SH256 hash:
6a4180d82f9fc37d87bf56d6e8dbb3b11513e84c4890657e3c59af89bfdb5faa
MD5 hash:
e2602c2c2e29a091da1c256a5fdfdd40
SHA1 hash:
fc905684defcd2a04c4b8dda8a940a9d6e285e00
Link:
https://www.unpac.me/results/e1fb6706-aefc-46c6-b614-ace815b315e7/
SH256 hash:
65f277fe461a5201d358541085c3f50c823a92baa440f74626c9d3183b916852
MD5 hash:
54093a5f8d372fc9ce22bb486c6861cf
SHA1 hash:
2fca43ea4c964aab28b9ade2d55cfb04e9373d9b
Link:
https://www.unpac.me/results/e1fb6706-aefc-46c6-b614-ace815b315e7/
SH256 hash:
b7afbb3bc3f734f6deb76311a189f3975194dc763117a20ad7740efa2916072f
MD5 hash:
eda9fd8ec9a78270197038e6c10f5b5b
SHA1 hash:
3db9eefdbcc2ce962419d0585061b1f644dde6fb
Link:
https://www.unpac.me/results/e1fb6706-aefc-46c6-b614-ace815b315e7/
SH256 hash:
d01e5dc3618708c0affe1be008e9d356fe7d113289dc68bc832d556788adeba1
MD5 hash:
d38a592a34803dd43fec1722a4467822
SHA1 hash:
2fa62ad88fe9ed8ff915087692020ea0b84f56ae
Link:
https://www.unpac.me/results/e1fb6706-aefc-46c6-b614-ace815b315e7/
Malware family:
Warzone
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d01e5dc36187/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187141/

Comments