MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d60e5c1906d5a872d5342c64ab76b0417420c6324c495629be60fee5fcce1f2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d60e5c1906d5a872d5342c64ab76b0417420c6324c495629be60fee5fcce1f2b
SHA3-384 hash: 918f09edcc4edd34cdaa34ab2d86ef91c1e3fdfafddc36864c5ef1c1972761e5dd5acce2f26eecf92b70959a02c68352
SHA1 hash: a8083acfb9bfa8c251d9e35e226982e10aaee0e6
MD5 hash: c8d663db597f3f0a515f316c2fd0b675
humanhash: mountain-maryland-ten-seventeen
File name:c8d663db597f3f0a515f316c2fd0b675.exe
Download: download sample
Signature njrat
Create hunting rule
File size:762'368 bytes
First seen:2021-06-15 14:10:10 UTC
Last seen:2021-06-15 14:53:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:5QPt94uSXvFmWafkN++aJ9n7BXiM9Bt0rGy5NXoOm423YFGF69vquwaHp+akW:5yJt0ZzXFmvrFUquPHp+akW
Threatray 312 similar samples on MalwareBazaar
TLSH 68F49D512EA8AB89F4F99B347EE0431503F77D227B27D3DDAE8871CD1967E808621352
Reporter abuse_ch
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c8d663db597f3f0a515f316c2fd0b675.exe
Verdict:
Malicious activity
Analysis date:
2021-06-15 14:32:47 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eebc82d0-6bf3-4477-b699-bbadda4d462d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.15487.27986.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/96376ffc-eada-4c16-a972-4a7d75b7b030
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/802494
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d60e5c1906d5a872d5342c64ab76b0417420c6324c495629be60fee5fcce1f2b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-06-15 14:10:28 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2yhfygig2wuhfvjufrskw5vqif2cbrrsjrevmkn6md7ol7god4vq._file
Verdict:
unknown
Similar samples:
058d5fa44050ac0a0544a77a57785ea08fa963b205a0cd9fae4538f8f4cc0ae5
njrat
2e826b4ff8b272db629c4983e9edd53656cc4a2e9d24178ebd2b6a8890d1e864
njrat
2fe26662d53b976914fd7bd9fbb589f5bd4114f47753c9437593b29fcd04c236
njrat
31f7d71ca24fbde43953ebf5e0518c065b795cef8e7b021ca7fbf31a06ce9348
njrat
6bc296fc9ae6bdb27ca23398f69bfb7b44d69734ff0e03a3322fdf688117e2f5
njrat
8bf0629c5fa2fc821172ac5131d559debbffd89ed9cdcaa2e3963dbb67d2f734
njrat
911f22d0fdceeec6e8e6426b0111c1632e6b70f21940584aa05345ac470c4c4f
njrat
acc92fd3a929ed4c52b41547b60563cd68b73701998071c3653424df8f51a474
njrat
c3c62460fce1e7c6964339da00bc229e02872c21de66a35c3aba8592ef7a8872
njrat
f535414d7bdcacff5db6ba209be888ebcd7996b1602a3b78a574b72d03cca147
njrat
+ 302 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/210615-j6j8srgfja/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Unpacked files
SH256 hash:
82fe42ffa7c2160c4ba79b666ba52f6dce210e0be5cbbb1419ddf3058215568b
MD5 hash:
a7c717e07a9e8fc3408914687859cf8a
SHA1 hash:
862f0e3f4f99c7674a540327ba08792e8a6cf5a1
Link:
https://www.unpac.me/results/4f5d19b4-1697-45a3-b8b0-d83cdfd231eb/
SH256 hash:
d60e5c1906d5a872d5342c64ab76b0417420c6324c495629be60fee5fcce1f2b
MD5 hash:
c8d663db597f3f0a515f316c2fd0b675
SHA1 hash:
a8083acfb9bfa8c251d9e35e226982e10aaee0e6
Link:
https://www.unpac.me/results/4f5d19b4-1697-45a3-b8b0-d83cdfd231eb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d60e5c1906d5a872d5342c64ab76b0417420c6324c495629be60fee5fcce1f2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe d60e5c1906d5a872d5342c64ab76b0417420c6324c495629be60fee5fcce1f2b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1346800/
  
Delivery method
Distributed via web download

Comments