MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d91b9f6fad1dbd9908d180fcb1409e74df5a26be8e4074723d16e273406a0c20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 17


Intelligence 17 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d91b9f6fad1dbd9908d180fcb1409e74df5a26be8e4074723d16e273406a0c20
SHA3-384 hash: 6f77c2ea224c45e98fb8ab0951079c8bcc3ce5f8fef8ef373eb44e49c7357339f415b1fbec70fdd7291d39b93483c4d5
SHA1 hash: 5f28a49b36bfd346c0bb451ed7e50d323be4d52f
MD5 hash: fdb04abe35eac33994bc426a3cf394fb
humanhash: oranges-sad-stream-romeo
File name:MrCheats.exe
Download: download sample
Signature njrat
Create hunting rule
File size:2'006'528 bytes
First seen:2023-04-16 00:41:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:FHgtwaT8Fd03he9I+FXfPZ7MMNYt+NaxLbsi0eM:FHgV+iRe9h2MNYgcLbsiH
Threatray 25 similar samples on MalwareBazaar
TLSH T1349568C63D1D1F2EBAF883EF1120772F8454E7969A2F524812FD2A976924CF48D84397
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter Chainskilabs
Tags:exe MSIL NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
519
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
MrCheats.exe
Verdict:
Malicious activity
Analysis date:
2023-04-16 00:25:58 UTC
Tags:
rat njrat bladabindi evasion
Link:
https://app.any.run/tasks/5d79fea6-6c1d-4c9c-b164-9c5feaf8bc93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/382520/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.25637.3159.17474.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Creating a window
DNS request
Searching for synchronization primitives
Sending an HTTP GET request
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Creating a process with a hidden window
Searching for the window
Launching the process to change network settings
Running batch commands
Launching a process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/643b445bf4a1f6ede14ef146/reports/3433587e-fd48-4b21-a11f-62979a0dd635/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/d91b9f6fad1dbd9908d180fcb1409e74df5a26be8e4074723d16e273406a0c20
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00bba8be-3eb8-4e85-ac23-448d421edd49
Result
Threat name:
njRat, XWorm
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1214467
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Detected njRat
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Generic Downloader
Yara detected Njrat
Yara detected XWorm
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 847395 Sample: MrCheats.exe Startdate: 16/04/2023 Architecture: WINDOWS Score: 100 61 care-strictly.at.ply.gg 2->61 81 Snort IDS alert for network traffic 2->81 83 Found malware configuration 2->83 85 Malicious sample detected (through community Yara rule) 2->85 87 21 other signatures 2->87 10 MrCheats.exe 6 2->10         started        13 svchost.exe 2->13         started        signatures3 process4 file5 45 C:\Users\user\AppData\Roaming\f.exe, PE32 10->45 dropped 47 C:\Users\user\AppData\Roaming\client.exe, PE32 10->47 dropped 49 C:\Users\user\...\Windows Defender.exe, PE32 10->49 dropped 51 2 other malicious files 10->51 dropped 15 client.exe 1 5 10->15         started        19 Payload.exe 5 10 10->19         started        22 f.exe 2 10->22         started        24 Windows Defender.exe 14 2 10->24         started        process6 dnsIp7 55 C:\ProgramData\svchost.exe, PE32 15->55 dropped 69 Antivirus detection for dropped file 15->69 71 Machine Learning detection for dropped file 15->71 73 Drops PE files with benign system names 15->73 26 svchost.exe 3 5 15->26         started        63 147.185.221.181, 24308, 49698 SALSGIVERUS United States 19->63 57 C:\Users\user\AppData\Roaming\...\Windows.exe, PE32 19->57 dropped 59 C:\Users\user\AppData\Roaming\...\Windows.exe, PE32 19->59 dropped 75 Protects its processes via BreakOnTermination flag 19->75 77 Creates multiple autostart registry keys 19->77 79 Drops PE files to the startup folder 19->79 31 cmd.exe 19->31         started        33 netsh.exe 19->33         started        65 ip-api.com 208.95.112.1, 49697, 80 TUT-ASUS United States 24->65 file8 signatures9 process10 dnsIp11 67 care-strictly.at.ply.gg 209.25.141.223, 18672, 49699, 49700 COGECO-PEER1CA Canada 26->67 53 C:\...\5a672b7781063f50291c4d9175c05dc4.exe, PE32 26->53 dropped 89 Antivirus detection for dropped file 26->89 91 System process connects to network (likely due to code injection or exploit) 26->91 93 Protects its processes via BreakOnTermination flag 26->93 99 6 other signatures 26->99 35 netsh.exe 26->35         started        95 Uses ping.exe to sleep 31->95 97 Uses ping.exe to check the status of other devices and networks 31->97 37 conhost.exe 31->37         started        39 PING.EXE 31->39         started        41 conhost.exe 33->41         started        file12 signatures13 process14 process15 43 conhost.exe 35->43         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d91b9f6fad1dbd9908d180fcb1409e74df5a26be8e4074723d16e273406a0c20/
Threat name:
ByteCode-MSIL.Trojan.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2023-04-16 00:42:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
22 of 37 (59.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3enz635ndw6zscgrqd6lcqe6otpvujv6rzahi4r5c3rhgqdkbqqa._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
43eee6ad4f470b65b2a79760306c073f7e827d8b1f7ad1c95cbfa03298e27df2
njrat
4b9d11ad0a32fd2d76d4d8e9256f13df37b7628df9eb50b21dd11016d0a4ca22
njrat
57f4c5126700392a7d6e6fa24d8c8f1c9efcf960e3019a84237ae1b54f9e9c69
njrat
6179a69d0e85480eba50e73b18cea33da9a88d5e36c590d525a7b0474e7c2e07
njrat
6f2e22d541680c151da164b02f916a3d72da0517b2f052f7356d05e8b374690b
njrat
7f8e216231c8e0e57f4d6e06edb5c20fbed0cfa36c44058ad5809935c4a06448
njrat
9e243e905334ba6b11064b13d28ee2141f6c940aee3f4665b5ecac426d80a009
njrat
cd06c5cab073f32aad0de1af7ca1356d3a7ca18858d54981e1156ebe17939fce
njrat
+ 15 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:njrat family:xworm botnet:hacked botnet:lammer cheats evasion persistence rat trojan
Link:
https://tria.ge/reports/230416-a2b8yshh9x/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Xworm
njRAT/Bladabindi
Malware Config
C2 Extraction:
considered-arrest.at.ply.gg:19159
care-strictly.at.ply.gg:18672
147.185.221.181:24308
Unpacked files
SH256 hash:
64aac315133d05b60db082ead7c20ad522e498d978de9ddd9070b7046ecd54bb
MD5 hash:
943f9fa7b9dde057cb5abf5f59df5cbf
SHA1 hash:
e9414a78a297685a18237a3ea40f19beeb49ea00
Link:
https://www.unpac.me/results/be2a7e6b-829e-4fab-b3bb-32d14539c09a/
SH256 hash:
b2f98d14507a86410a89f851b985542ed4dc76deaf7a6ea968daf6debb874f05
MD5 hash:
ade46150f73b885511e5c140b2f9dcb1
SHA1 hash:
3871ab926b789ae8c62d55718fd3602727bf513e
Detections:
NjRat
Create hunting rule
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/be2a7e6b-829e-4fab-b3bb-32d14539c09a/
SH256 hash:
d91b9f6fad1dbd9908d180fcb1409e74df5a26be8e4074723d16e273406a0c20
MD5 hash:
fdb04abe35eac33994bc426a3cf394fb
SHA1 hash:
5f28a49b36bfd346c0bb451ed7e50d323be4d52f
Link:
https://www.unpac.me/results/be2a7e6b-829e-4fab-b3bb-32d14539c09a/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d91b9f6fad1d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/d91b9f6fad1dbd9908d180fcb1409e74df5a26be8e4074723d16e273406a0c20

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/5d79fea6-6c1d-4c9c-b164-9c5feaf8bc93/#
Cape
Cape
https://www.capesandbox.com/analysis/382520/

Comments