MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs 5 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc
SHA3-384 hash: 96b302f8a63fc2013db236c284c82ce76d54a2774273ba51a60f50853a0ebadf5ab4d4c7a94a4441fe7af706b9e2f746
SHA1 hash: 238ed88b706987043038b7c965395b69bc290219
MD5 hash: 95605c11d4b59cb6b8a4661d91dd19de
humanhash: september-potato-hamper-early
File name:95605c11d4b59cb6b8a4661d91dd19de.exe
Download: download sample
Signature njrat
Create hunting rule
File size:167'936 bytes
First seen:2021-10-27 19:36:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:x4CL7/kEm/XTji9K6X9dibE2o/MCSbRihoPlDGp:GCIizX9dlJ/ubEhoxGp
Threatray 367 similar samples on MalwareBazaar
TLSH T158F3395A778A4B21E57C0870D1FBA63403F1DAC35933EAC92F84659D9E122D35E0C7DA
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.22.53.161:11046

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.22.53.161:11046 https://threatfox.abuse.ch/ioc/238662/
3.131.207.170:11046 https://threatfox.abuse.ch/ioc/238663/
13.59.15.185:11046 https://threatfox.abuse.ch/ioc/238664/
3.128.107.74:11046 https://threatfox.abuse.ch/ioc/238665/
52.14.18.129:11046 https://threatfox.abuse.ch/ioc/238666/

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/200711/
Detection(s):
Win.Packed.Barys-6880522-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a process from a recently created file
Enabling the 'hidden' option for recently created files
Creating a window
DNS request
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling a "Do not show hidden files" option
Verdict:
Malicious
Threat level:
  10/10
Confidence:
80%
Tags:
anti-vm autorun barys bladabindi greyware keylogger njrat obfuscated packed rat
Link:
https://www.filescan.io/uploads/6179aa609a5a1e91c5d7f235/reports/0b36f4dc-1024-4070-8e8a-8be37b25f46b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/09e5bbed-0b86-4780-9d16-9ccbd97a676c
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/878105
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 510539 Sample: tfa0aLyS2B.exe Startdate: 27/10/2021 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus / Scanner detection for submitted sample 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 5 other signatures 2->66 7 tfa0aLyS2B.exe 1 4 2->7         started        11 tfa0aLyS2B.exe 3 2->11         started        13 tfa0aLyS2B.exe 2 2->13         started        15 tfa0aLyS2B.exe 2 2->15         started        process3 file4 50 C:\Users\user\AppData\Roaming\Client.exe, PE32 7->50 dropped 68 Uses schtasks.exe or at.exe to add and modify task schedules 7->68 17 Client.exe 7->17         started        20 schtasks.exe 1 7->20         started        22 schtasks.exe 1 7->22         started        52 C:\Users\user\AppData\...\tfa0aLyS2B.exe.log, ASCII 11->52 dropped 24 schtasks.exe 1 11->24         started        26 schtasks.exe 1 11->26         started        28 schtasks.exe 1 13->28         started        30 schtasks.exe 1 13->30         started        32 schtasks.exe 1 15->32         started        34 schtasks.exe 15->34         started        signatures5 process6 signatures7 54 Antivirus detection for dropped file 17->54 56 Multi AV Scanner detection for dropped file 17->56 58 Machine Learning detection for dropped file 17->58 36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-10-26 20:13:55 UTC
AV detection:
33 of 44 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vmxru37cay3rmhjqenzg5nuepi43j7n7xxs4ms7fbq6qkpfzdga._file
Verdict:
malicious
Similar samples:
61533b73815b598a020c3922d50dc7deb20d16afd5764c30acc8e887a50c87ff
njrat
618f4050d767d0c8f835ec3fa9e46b85b9291062a2e381122852238fa84c95f7
njrat
6d2f1a98b77181cb675c0f3cd3ae6824fdd90e150c46d6fcee0ed16f7cd855df
njrat
8040940621af7b77ecbb66d16ca8fc924900960d48665247aa3f77d4de560c9a
njrat
95a191b5e1728a1dc9a0007719ae7adba5be88b1ae5e8919185c91a201148a51
njrat
b1eb6dca624a1a78cd91360e6af46b0d7bc0afaca59ddf35cfff0ed2b9df4119
njrat
c582b5864a67c2d63f8d3a8faf08b47e94646a96cd81abe507d8d08df13e40c4
njrat
cd8ed20c2ffe0e086d3a0b640e4950e48583f297b6356c14de62623a4322fe12
njrat
e5c5ed9b49632298fb4d1927636e7a97fae95bdb5b13e1a5942a5b93dd21d2f5
njrat
f9a1b925c26b0765469b644d8b856a314641c312098ed995c3439a79cffa5fd4
njrat
+ 357 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat persistence trojan
Link:
https://tria.ge/reports/211027-ybs1sagda9/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
njRAT/Bladabindi
Unpacked files
SH256 hash:
d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc
MD5 hash:
95605c11d4b59cb6b8a4661d91dd19de
SHA1 hash:
238ed88b706987043038b7c965395b69bc290219
Link:
https://www.unpac.me/results/4c8485ab-689b-4d95-a005-0e0cff543e0e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d55978d37f1031b8b0e9811b9375b423d1cda7edfdef2e325f2861e829e5c8cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/200711/

Comments