MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 db5b68be18809752d92bc7720216b24922f597363d21e4ac36a0a697342da460. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
njrat
Vendor detections: 6
| SHA256 hash: | db5b68be18809752d92bc7720216b24922f597363d21e4ac36a0a697342da460 |
|---|---|
| SHA3-384 hash: | 51560f775f296ba357792c8dd53ad0bf13b6b1f24ff625558b3749e8cfc5726dc4751c7c4a60cf6cfeb2bab4d5b1fb19 |
| SHA1 hash: | b64b6aa83ea0a5d0e2e94953a32180b43e52d675 |
| MD5 hash: | 6ce3ab25635d397fc2c8e8bb67fc7bc1 |
| humanhash: | asparagus-oscar-carpet-lion |
| File name: | 6CE3AB25635D397FC2C8E8BB67FC7BC1.exe |
| Download: | download sample |
| Signature | njrat |
| File size: | 6'620'672 bytes |
| First seen: | 2021-04-23 17:26:03 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader) |
| ssdeep | 98304:4viz/27qWGq/TzuqCDl2Ptao7jkEEwh3QxaBpqZYRNm6lRv28xDULPtrvNv:4viq75/Tzuftg3k6Ksm6vu8gLPJNv |
| Threatray | 87 similar samples on MalwareBazaar |
| TLSH | F9663382F4D80843D5364B7528FE62CA2FA5B87711774782B24F79AA41DE0B177B7C88 |
| Reporter |  abuse_ch |
| Tags: | exe NjRAT RAT |
Indicators Of Compromise (IOCs)
Below is a list of indicators of compromise (IOCs) associated with this malware samples.
| IOC | ThreatFox Reference |
|---|---|
| 3.14.182.203:11421 | https://threatfox.abuse.ch/ioc/9765/ |
| 3.22.30.40:11421 | https://threatfox.abuse.ch/ioc/9766/ |
| 3.13.191.225:11421 | https://threatfox.abuse.ch/ioc/9767/ |
| 3.134.125.175:11421 | https://threatfox.abuse.ch/ioc/9768/ |
Intelligence
File Origin
# of uploads :
1
# of downloads :
165
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Delayed reading of the file
Searching for the window
Sending a UDP request
Unauthorized injection to a recently created process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Detected njRat
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Njrat
Behaviour
Behavior Graph:
Threat name:
Win32.Backdoor.NanoBot
Status:
Malicious
First seen:
2021-04-21 00:49:33 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
suspicious
Similar samples:
+ 77 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
8/10
Tags:
persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
d323e799f6b013256444588126cf7a6c115c7bad6aba688d796ac78fe37c2e4f
MD5 hash:
123684b252b261a681734b8f6f1b0d70
SHA1 hash:
c99468b13422cdac61635ef99eda3acee6f2ce6d
SH256 hash:
f0c987699137bfd529d737baf94658ccfd051afc2f0cae0dbea1110fba8564b0
MD5 hash:
693a1dc7237e3594305cf65384dc6f1c
SHA1 hash:
42bd03acd23241e2a5ec11ba676b846f01e17af4
SH256 hash:
db5b68be18809752d92bc7720216b24922f597363d21e4ac36a0a697342da460
MD5 hash:
6ce3ab25635d397fc2c8e8bb67fc7bc1
SHA1 hash:
b64b6aa83ea0a5d0e2e94953a32180b43e52d675
Please note that we are no longer able to provide a coverage score for Virus Total.
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection
1) [C0046] File System Micro-objective::Create Directory
2) [C0048] File System Micro-objective::Delete Directory
3) [C0047] File System Micro-objective::Delete File
4) [C0049] File System Micro-objective::Get File Attributes
5) [C0051] File System Micro-objective::Read File
6) [C0050] File System Micro-objective::Set File Attributes
7) [C0052] File System Micro-objective::Writes File
8) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
9) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
10) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
11) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
12) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
13) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
14) [C0042] Process Micro-objective::Create Mutex
15) [C0017] Process Micro-objective::Create Process
16) [C0038] Process Micro-objective::Create Thread
17) [C0018] Process Micro-objective::Terminate Process
18) [C0039] Process Micro-objective::Terminate Thread