MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07
SHA3-384 hash: f6b49b68718eb4efc739d6df9c9877aa9effb5a801d5d816a027d8fe210a47b6bf195b1eafef1b0ae18ded3e712c342f
SHA1 hash: 0fd0f10d34c28a928e69343caeeed7803646be8f
MD5 hash: 6b5bc3eba86c9efbdf993773af3f593e
humanhash: king-artist-kitten-mississippi
File name:DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
Download: download sample
Signature njrat
Create hunting rule
File size:93'184 bytes
First seen:2021-09-16 17:40:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'857 x AgentTesla, 19'784 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 1536:mQiBcDfw692a5btKdKL2g4okY1rrZD3eJG53G73mxdvd6zAlycbMB20yo7hR8XPd:mQnQUcQNkIrF32GhNvAzAlycbMB20yaY
Threatray 596 similar samples on MalwareBazaar
TLSH T1AB93E005A2B4CB39C5FD03FA5C56A6A01375DE47DA92D62B7DDD21AE09333200F217EA
dhash icon c0c0e08cfef0d082 (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
192.169.69.25:1177

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.169.69.25:1177 https://threatfox.abuse.ch/ioc/222387/

Intelligence

File Origin
# of uploads :
1
# of downloads :
550
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe
Verdict:
Malicious activity
Analysis date:
2021-09-16 17:42:44 UTC
Tags:
rat njrat bladabindi trojan
Link:
https://app.any.run/tasks/12be52c0-3ce3-4e26-80fd-00d639871942

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/188492/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Creating a process with a hidden window
Creating a window
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/617524f09a5a1e91c5d206e5/reports/eefb7115-55af-4f54-8a89-9f46ab85665a/overview
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f2f10308-546b-48b4-9dee-e85cad1446ad
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/852297
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Detected njRat
Drops PE files to the startup folder
Drops PE files with benign system names
Injects a PE file into a foreign processes
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Schedule system process
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 484725 Sample: DBD5E126CAD149E95614507E63A... Startdate: 16/09/2021 Architecture: WINDOWS Score: 100 53 anunankis3.duckdns.org 2->53 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Antivirus detection for dropped file 2->65 67 13 other signatures 2->67 11 DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe 3 2->11         started        15 svchost.exe 2 2->15         started        17 svchost.exe 2 2->17         started        19 7 other processes 2->19 signatures3 process4 dnsIp5 51 DBD5E126CAD149E956...6B9A4E539B7.exe.log, ASCII 11->51 dropped 83 Drops PE files with benign system names 11->83 22 DBD5E126CAD149E95614507E63A255F2B26B9A4E539B7.exe 1 4 11->22         started        85 Injects a PE file into a foreign processes 15->85 25 svchost.exe 2 15->25         started        27 svchost.exe 2 17->27         started        55 192.168.2.1 unknown unknown 19->55 29 svchost.exe 19->29         started        31 svchost.exe 19->31         started        33 svchost.exe 19->33         started        file6 signatures7 process8 file9 47 C:\Users\user\AppData\Local\...\svchost.exe, PE32 22->47 dropped 35 svchost.exe 3 22->35         started        process10 signatures11 69 Antivirus detection for dropped file 35->69 71 System process connects to network (likely due to code injection or exploit) 35->71 73 Multi AV Scanner detection for dropped file 35->73 75 3 other signatures 35->75 38 svchost.exe 4 7 35->38         started        process12 dnsIp13 57 anunankis3.duckdns.org 192.169.69.25, 1177, 49753, 49756 WOWUS United States 38->57 59 anunankis1.duckdns.org 85.86.181.192, 1177, 49752 EUSKALTELES Spain 38->59 49 C:\...\8746d62c81bb0c573a0a1086f9955c7b.exe, PE32 38->49 dropped 77 System process connects to network (likely due to code injection or exploit) 38->77 79 Protects its processes via BreakOnTermination flag 38->79 81 Creates autostart registry keys with suspicious names 38->81 43 schtasks.exe 1 38->43         started        file14 signatures15 process16 process17 45 conhost.exe 43->45         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2018-09-03 19:01:17 UTC
AV detection:
19 of 26 (73.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3pk6cjwk2fe6svqukb7ghisv6kzgxgsokonxxtjf47mkdyv5nydq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
136479f536e113fa8ec39d143cf72b7943f3aeb4994d21663b0186e0a2a676a8
njrat
1e77593073ce7c57226c55e20d5ca2e09c84c86a083a9d56b3dd1bb732305683
njrat
4f7ee2b1be709d2dfcfb894323ac4b6a3f3b0482c646d49b051769a6e3785239
njrat
6c8f0805290d03ab8fe1d2e21eaf62b80ab8677c430272f23dea52de6e4d8998
njrat
93a924da3e0e9c7cd63fc756581678664aea34e2f4a79bb1c7440be38445c037
njrat
a1912487964fbfa6a9004a0889bde004a7b3d007e98706b79688bbb6229af557
njrat
bc341eccbdfecf1616134d92035e90b0622ec6731e5c5f74418f00ce3033a689
njrat
c708eac65294c5cbda70ff5cdea537d06b798f4400f90e53f5c8a14041e84aca
njrat
d9009371df732bd8b3ccab8b38e9968069503292b112b2b27cb1c3c54814b3ab
njrat
+ 586 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked persistence suricata trojan
Link:
https://tria.ge/reports/210916-v9en9sggak/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
anunankis1.duckdns.org,anunankis3.duckdns.org,karmina112.sytes.net,karmina114.sytes.net,burdun.dynu.net,burdun114.dynu.net:1177
Unpacked files
SH256 hash:
2c23878d0c9da152f47dd1ce09938fa324c19e7ce2398ff43f3df95f6f1ee76d
MD5 hash:
7516be3a354e4d245e52ace1e905fc0c
SHA1 hash:
fc85df8cd7ceb0bc596e3dc0ae1e6029d85bdd9e
Link:
https://www.unpac.me/results/eeb0166a-d434-4452-b653-c2ee71b650f1/
SH256 hash:
4524bf7b9f0e16f8f057c9c2ccf26bbe6ea07caea290ae9c806c5fe683336927
MD5 hash:
c33e8d03a370573d08a64ae456adfdbc
SHA1 hash:
bb753b7ec7f53f1f8fc2e0e9e8c97ac1bbe7cca8
Link:
https://www.unpac.me/results/eeb0166a-d434-4452-b653-c2ee71b650f1/
SH256 hash:
dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07
MD5 hash:
6b5bc3eba86c9efbdf993773af3f593e
SHA1 hash:
0fd0f10d34c28a928e69343caeeed7803646be8f
Link:
https://www.unpac.me/results/eeb0166a-d434-4452-b653-c2ee71b650f1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dbd5e126cad149e95614507e63a255f2b26b9a4e539b7bcd25e7d8a1e2bd6e07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188492/

Comments