MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2e347f7ecbcb94a4fe2e0ea86f92d0f60321be94441265b97f0e0b212c0efbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 6



SHA256 hash: d2e347f7ecbcb94a4fe2e0ea86f92d0f60321be94441265b97f0e0b212c0efbc
SHA3-384 hash: 85d5f7fb240616033eed75ae2f960a32034c0144539a8c94691cef537758f331fa05b31e491f03164b6e8d013f6ad63d
SHA1 hash: d923e3101ea5163a3a3a55ab9574be8dc28858ed
MD5 hash: b366f85b05450c42f7889322f651a9e6
humanhash: carpet-wyoming-table-purple
File name: b366f85b05450c42f7889322f651a9e6.exe
Signature: njrat
File size: 118'784 bytes
First seen: 2021-07-31 08:08:51 UTC
Last seen: 2021-07-31 08:52:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
ssdeep: 1536:jU7oLtuE64uA6nJMCekPQCYWnusti89CIjt92U+LioQQduqA:j95/6U7CRQCFi8I+tArLioQQduqA
Threatray: 3 similar samples on MalwareBazaar
TLSH: T1FAC3E79D766072DFC86BC876CEA82C74EA60747B431B9243905316AEDE0D99BCF150F2
Reporter: abuse_ch
Tags: exe NjRAT RAT

Intelligence


File Origin
# of uploads: 2
# of downloads: 965
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: b366f85b05450c42f7889322f651a9e6.exe
Verdict: No threats detected
Analysis date: 2021-07-31 08:09:51 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj
Score: 72 / 100
Signature
Drops PE files with benign system names
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Uses dynamic DNS services
Behaviour
Behavior Graph:
[Behavior graph, ID 457272. Sample: xeJiZ0qrOF.exe; start date: 31/07/2021; architecture: WINDOWS; score: 72. xeJiZ0qrOF.exe contacts patria.duckdns.org (46.246.12.15, 2020, 49712, 49716; PORTLANE, Sweden) and drops C:\Users\user\AppData\Roaming\svchost.exe and C:\Users\user\AppData\Roaming\file.exe (both PE32+). file.exe starts svchost.exe, which starts further file.exe processes, each of which starts svchost.exe again.]
Threat name: ByteCode-MSIL.Spyware.Noon
Status: Malicious
First seen: 2021-07-31 01:17:26 UTC
AV detection: 12 of 45 (26.67%)
Threat level: 2/5
Result
Malware family: n/a
Score: 9/10
Tags: persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Core1 .NET packer
Unpacked files
SHA256 hash: d2e347f7ecbcb94a4fe2e0ea86f92d0f60321be94441265b97f0e0b212c0efbc
MD5 hash: b366f85b05450c42f7889322f651a9e6
SHA1 hash: d923e3101ea5163a3a3a55ab9574be8dc28858ed
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe d2e347f7ecbcb94a4fe2e0ea86f92d0f60321be94441265b97f0e0b212c0efbc

(this sample)

  
Delivery method: Distributed via web download

Comments