MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0c544ec31c32ab8d58ec086cbc500c0ef6fcc37ccf279f60a758b53b9ccdc73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0c544ec31c32ab8d58ec086cbc500c0ef6fcc37ccf279f60a758b53b9ccdc73
SHA3-384 hash: ed129be6a487bd135829c5a2c580004f1cc43246a619636110abd9bdf2c232c2ffcc514cce8f42b55998e152157054c2
SHA1 hash: f813198f730091ec87deb18a0ae2303b70b7c695
MD5 hash: 20b954c8468b90955b7e392c612daa7e
humanhash: texas-stairway-skylark-louisiana
File name:d0c544ec31c32ab8d58ec086cbc500c0ef6fcc37ccf279f60a758b53b9ccdc73
Download: download sample
Signature njrat
Create hunting rule
File size:225'492 bytes
First seen:2020-11-10 11:40:13 UTC
Last seen:2024-07-24 21:39:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:YsXRmUIMitPqQcZe27vc+Eld+xZp2vPRL1tT06zJoxAWBcKpSP//dwBm4:ZR5ITqQcZeGk7RZBGxAycKpSPX2b
Threatray 43 similar samples on MalwareBazaar
TLSH 2B245CA534AE6709D93EDBF0D2E520A087B562657216D2BA6C8153EFC051FF11F82C3E
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Packed.Bladabindi-6888152-0
Create hunting rule

Win.Packed.Bladabindi-9754048-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file
Creating a process from a recently created file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Running batch commands
Adding an access-denied ACE
Launching a process
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Launching a service
Using the Windows Management Instrumentation requests
Connection attempt
Modifying a system executable file
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/528611
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes the view of files in windows explorer (hidden files and folders)
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Disable Task List ballon tips (likely to surpress security warnings)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 313405 Sample: wW6X91VrH6 Startdate: 10/11/2020 Architecture: WINDOWS Score: 100 88 Malicious sample detected (through community Yara rule) 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 Multi AV Scanner detection for submitted file 2->92 94 6 other signatures 2->94 8 wW6X91VrH6.exe 2 8 2->8         started        12 wW6X91VrH6.exe 2->12         started        14 wW6X91VrH6.exe 2->14         started        16 4 other processes 2->16 process3 file4 64 C:\Users\user\AppData\...\asferror32.exe, PE32 8->64 dropped 76 3 other malicious files 8->76 dropped 104 Creates autostart registry keys with suspicious names 8->104 106 Creates multiple autostart registry keys 8->106 18 asferror32.exe 28 7 8->18         started        22 cmd.exe 1 8->22         started        24 cmd.exe 1 8->24         started        66 C:\Users\user\AppData\...\ddpchunk32.exe, PE32 12->66 dropped 68 C:\Users\...\ddpchunk32.exe:Zone.Identifier, ASCII 12->68 dropped 70 C:\Users\user\...\ddpchunk32.exe.config, XML 12->70 dropped 26 ddpchunk32.exe 12->26         started        32 2 other processes 12->32 72 C:\Users\user\AppData\...\TtlsAuth32.exe, PE32 14->72 dropped 78 2 other malicious files 14->78 dropped 28 TtlsAuth32.exe 14->28         started        34 2 other processes 14->34 74 C:\Users\user\AppData\Local\...\C_114132.exe, PE32 16->74 dropped 80 2 other malicious files 16->80 dropped 30 C_114132.exe 16->30         started        36 2 other processes 16->36 signatures5 process6 dnsIp7 82 213.183.58.4, 5558 MELBICOM-EU-ASMelbikomasUABNL Lithuania 18->82 84 paste.ee 104.18.49.20, 443, 49718, 49719 CLOUDFLARENETUS United States 18->84 86 2 other IPs or domains 18->86 96 Antivirus detection for dropped file 18->96 98 Creates an undocumented autostart registry key 18->98 100 Machine Learning detection for dropped file 18->100 102 6 other signatures 18->102 38 InstallUtil.exe 18->38         started        40 schtasks.exe 18->40         started        42 InstallUtil.exe 18->42         started        44 conhost.exe 22->44         started        46 timeout.exe 1 22->46         started        48 conhost.exe 24->48         started        52 3 other processes 32->52 54 2 other processes 34->54 50 conhost.exe 36->50         started        signatures8 process9 process10 56 conhost.exe 38->56         started        58 WerFault.exe 38->58         started        60 conhost.exe 40->60         started        62 conhost.exe 44->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0c544ec31c32ab8d58ec086cbc500c0ef6fcc37ccf279f60a758b53b9ccdc73/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-11-10 16:49:00 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a9b159c9210f631ce9963a5ad26bcb33f15bb0bbd3a17d080f41f8c7f294117
njrat
1ddb36c08dc8281daaa61db30622c10aafe22ce74d57a120dfd68876c12ee0eb
njrat
2aab2c226afa316a1bf2acf61a425dbe741007b6712b5ef0c8f969bb1cc39717
njrat
431ecb18d6ffeafbf69a79c32166607d24fcdafc9f4fd29b437d41b6272c07c5
njrat
57f7751d3e603698a3a53a30ffc0dff8ba5591f17ecdad8a53e169585c46c041
njrat
715b982e68ba71b962e694ab87e386a1b527d0ebeff3f6aced8badeba8a6a4d5
njrat
74730cf408bf94965b783eb01a1489939694100e01ecea7c332d3efcc30fd768
njrat
af4cf51f4a1e29d76867b510c0d7fae11f20b43e2405c85986b5e957ea6f00cb
njrat
dd14a1096956425515cd7231df84a23f3b8a99aacd272d10994c592404d46ca2
njrat
fb80a3973312b0ca4905ccba10408931846a3517d6afc64cb05271da85190aba
njrat
+ 33 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion persistence spyware
Link:
https://tria.ge/reports/201110-x6tks1p326/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Deletes itself
Reads user/profile data of web browsers
Executes dropped EXE
ServiceHost packer
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments