MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1c52d3fbaeda3236a4eed16c8fc0f0e3df5da1f514caf6b2cf24d88580748b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1c52d3fbaeda3236a4eed16c8fc0f0e3df5da1f514caf6b2cf24d88580748b7
SHA3-384 hash: 34bf04f78302af21b85c3904401e2258507413f39bdc5336af8ddab4065a961ad161d32dc15fab45c0adf066263931b2
SHA1 hash: 71b28d48f9050d3201f68bbb551a60322cea115e
MD5 hash: 06a04906e04767306e1c0f3f66fe6501
humanhash: speaker-vegan-steak-robin
File name:06a04906e04767306e1c0f3f66fe6501.exe
Download: download sample
Signature njrat
Create hunting rule
File size:307'200 bytes
First seen:2021-07-03 14:17:56 UTC
Last seen:2021-07-03 14:38:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:xbb0N67BcIQhpgiAzPGmUZkdOXc0l4VmFcN6Q4ulCbGSSSSVj1sSY:xft7J2pLAzem3dn0l4gFK6uhTTY
TLSH 356401107A298923C2FAAA33C593E404C371DDDBA162C01A7AACFFFD78363C55A5C595
Reporter abuse_ch
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
06a04906e04767306e1c0f3f66fe6501.exe
Verdict:
Suspicious activity
Analysis date:
2021-07-03 14:19:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d3220b86-fc6a-4b74-adec-cfc7681719c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.13529.10076.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NanoCoreRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/86a6a7a6-b346-4859-895d-9d8d6b6d7760
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/811435
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Detected njRat
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Wscript starts Powershell (via cmd or directly)
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d1c52d3fbaeda3236a4eed16c8fc0f0e3df5da1f514caf6b2cf24d88580748b7/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-07-03 14:18:10 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion
Link:
https://tria.ge/reports/210703-21df22djqx/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
6cc22d89e90e4c9342faa3918d7011a982b4c474550d9cd858cd8752c2ae3955
MD5 hash:
d56a5460d2c372621377554205bc6c07
SHA1 hash:
0813877c24052b9956ea81a8423ed4f9b8fd98c5
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/e9d1b5c3-f4e6-4444-9f42-2edb816be3a8/
SH256 hash:
d06b278bea95f04da2d395f6ce69a46d597579d93852de2f935adbaa38a8b817
MD5 hash:
57b95ca2e58d34ea71c5076b1f55b85b
SHA1 hash:
d1c500a6e74f3326544acb0221eca74bff6f38e7
Link:
https://www.unpac.me/results/e9d1b5c3-f4e6-4444-9f42-2edb816be3a8/
SH256 hash:
fef44e17ce51260e454c7c446d0e8ed3bdcc19e28a4230a80051a165e71f3819
MD5 hash:
9f4fed1b0a66c29a7033143514e90ac3
SHA1 hash:
d0bde08c776aacd5f73097787dfccac14fd10bca
Link:
https://www.unpac.me/results/e9d1b5c3-f4e6-4444-9f42-2edb816be3a8/
SH256 hash:
d1c52d3fbaeda3236a4eed16c8fc0f0e3df5da1f514caf6b2cf24d88580748b7
MD5 hash:
06a04906e04767306e1c0f3f66fe6501
SHA1 hash:
71b28d48f9050d3201f68bbb551a60322cea115e
Link:
https://www.unpac.me/results/e9d1b5c3-f4e6-4444-9f42-2edb816be3a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1c52d3fbaeda3236a4eed16c8fc0f0e3df5da1f514caf6b2cf24d88580748b7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe d1c52d3fbaeda3236a4eed16c8fc0f0e3df5da1f514caf6b2cf24d88580748b7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1380445/
  
Delivery method
Distributed via web download

Comments