MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc7f689cc6adbf5d8e36008390ed2a79d59d0d3411f9e353ddacf236e695a615. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc7f689cc6adbf5d8e36008390ed2a79d59d0d3411f9e353ddacf236e695a615
SHA3-384 hash: 944767c73f2e47a467cef87d2176ff5be9aa52bf22065f9d31fe095da838cc25f34700372c84fbd3af717f017575ed32
SHA1 hash: 098e6c6008a22f8cd3ba23b13432e877b7e8f24c
MD5 hash: 61d98360d8543a31b296a56bd2c451b6
humanhash: thirteen-beryllium-cold-lake
File name:WOT565-16BOB-PDF.exe
Download: download sample
Signature njrat
Create hunting rule
File size:240'128 bytes
First seen:2020-08-05 12:04:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:5Sxe/50BB+TWzVYj9q5j5DTYEx/ClBCcWY72:5Sg/u+a2jIpYExMfi
Threatray 44 similar samples on MalwareBazaar
TLSH 7C34BF1C36A0A51EF6BA1E3F4C3101839E22F85FDE22D64B6A7111BD457E69CBC60F61
Reporter abuse_ch
Tags:ESP exe geo NjRAT RAT Santander


Avatar
abuse_ch
Malspam distributing njrat:

HELO: mail119.areaproject.net
Sending IP: 185.55.249.119
From: Factoring y Confirming - Grupo Santander <fycout@gruposantander.com>
Subject: Confirming - Aviso de pago
Attachment: WOT565-16BOB-PDF.GZ (contains "WOT565-16BOB-PDF.exe")

NjRAT C2:
yenhack.ddns.net:16051 (216.38.2.193)

Intelligence

File Origin
# of uploads :
1
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39530/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.4924.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Creating a process with a hidden window
DNS request
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching the process to change the firewall settings
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/411127
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM_3
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dc7f689cc6adbf5d8e36008390ed2a79d59d0d3411f9e353ddacf236e695a615/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 11:28:14 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3r7wrhggvw7v3drwacbzb3jkphkz2djuch46gu65vtzdnzuvuykq._file
Verdict:
malicious
Similar samples:
25f59abfbdb775126b69112b260fae983e35bd6da0e6e13ad8fc7343da8540ec
njrat
5947d6a7fc4014628b957c4ed8ffff7c961f37f155cb814224a89e1f3700f060
njrat
62a5cd1fc65cdb2b773565e9861a48f139ee961156b38e26016c28a23fc896cc
njrat
abafeafa173768d556241bb6797fc4555b2358ce8d0dfdd81bab9f5f152c077f
njrat
b3a40e1d85f1e1608acf07414a8dea2730c0de0d824bc6165856b8fe00e8ed3d
njrat
ba38f08588d75d7ffd054253f4afd1d9803c2c0f5f390f35214c0b552840793d
njrat
dfa0c14670f8df1eac3e005262e901622c0ec1ccdcc91fd8aedb93da5a32ad64
njrat
e7e5f0ac865dd8cec6539a3defbd09f15df7822b647fcd2e2f53555be98ad8e2
njrat
ed34d4eba0bc7d434f32bb9bca0147632592656ddf0c2aa892fbee54b0850ff1
njrat
f0caf48005d504dfb402e3ef4b137187e9ffa0d903099222560d7f4a8885358d
njrat
+ 34 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200805-h7lk6wq266/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Modifies service
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.55
Link:
https://yomi.yoroi.company/submissions/dc7f689cc6adbf5d8e36008390ed2a79d59d0d3411f9e353ddacf236e695a615

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

gz 91b17a7ee859b19e35795d6cc3446562d59d00a821fd03697d87f4b2b49efebe

njrat

Executable exe dc7f689cc6adbf5d8e36008390ed2a79d59d0d3411f9e353ddacf236e695a615

(this sample)

  
Dropped by
MD5 b8ec1d791041ad9e4031c062f17be55c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39530/
  
Dropped by
SHA256 91b17a7ee859b19e35795d6cc3446562d59d00a821fd03697d87f4b2b49efebe

Comments