MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 17


Intelligence 17 IOCs YARA 17 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9
SHA3-384 hash: d828294fa1ee6f470de05acbdeec30ff6fdc99beda3a41b15fecaebcb2ec31830bbdd9529bae22e9bdaa3fc7ea013e1c
SHA1 hash: 9af1c2b76477e9f417d563cfe600bdce227987ac
MD5 hash: 8a6607f6727f04bc2d700ab5f71a349f
humanhash: ten-autumn-orange-zulu
File name:DD095F4E5B447373D0159E35E3E9A7CD12B30D2225743.exe
Download: download sample
Signature njrat
Create hunting rule
File size:3'716'626 bytes
First seen:2024-06-14 02:20:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c9adc83b45e363b21cd6b11b5da0501f (82 x ArkeiStealer, 60 x RecordBreaker, 46 x RedLineStealer)
ssdeep 98304:kAI+3RFiuGHYZMHKpiqTQtrPPSrRYTT4VlZMNdnCx+XxydsuV9ssSV:jt3R9YZRqKzPSNnVlZInlwFkn
Threatray 5 similar samples on MalwareBazaar
TLSH T1CF062264B4E2C6FAC05339B5CC0AB2F1AAE66F05DE754C8F5ED83E8079726180571C9E
TrID 93.0% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58)
1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
1.8% (.SCR) Windows screen saver (13097/50/3)
1.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):PE icon
dhash icon 13699696a28ad021 (4 x njrat, 2 x QuasarRAT, 1 x Amadey)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
107.175.31.172:5552

Intelligence

File Origin
# of uploads :
1
# of downloads :
714
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9.exe
Verdict:
Malicious activity
Analysis date:
2024-06-14 02:22:30 UTC
Tags:
rat remcos
Link:
https://app.any.run/tasks/7115977b-079c-450d-ad35-a73aa7e585ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Dropper.Nanocore-9189507-1
Create hunting rule

SecuriteInfo.com.PSW.Generic8.ISF.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=666ba948da262547655ff5d2win7simulatehigh_evasion
Tags:
Banker Encryption Execution Network Other Static Stealth Variant Dexter
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Delayed reading of the file
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a file in the Program Files subdirectories
Creating a file
Modifying a system file
Creating a process from a recently created file
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
borland_delphi fingerprint installer lolbin nanocore overlay packed shell32 strictor
Link:
https://www.filescan.io/uploads/666ba9106b8dba248b40bbc2/reports/2d112666-5aa2-4bdf-9f87-6170eb9d7941/overview
Verdict:
Malicious
Labled as:
Ser.Strictor.Generic
Link:
https://www.hybrid-analysis.com/sample/dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
REMCOS
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/01564eb0-639c-4d0e-b695-ea7c4854055b
Result
Threat name:
Remcos, AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1457014
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Detected Remcos RAT
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sample uses process hollowing technique
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Remcos
Sigma detected: Schedule system process
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspect Svchost Activity
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: System File Execution Location Anomaly
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Snort IDS alert for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1457014 Sample: DD095F4E5B447373D0159E35E3E... Startdate: 14/06/2024 Architecture: WINDOWS Score: 100 91 alice2019.myftp.biz 2->91 93 Alice2019.myftp.biz 2->93 99 Snort IDS alert for network traffic 2->99 101 Multi AV Scanner detection for domain / URL 2->101 103 Found malware configuration 2->103 105 31 other signatures 2->105 10 DD095F4E5B447373D0159E35E3E9A7CD12B30D2225743.exe 17 12 2->10         started        14 svchost.exe 2 2->14         started        16 wscript.exe 2->16         started        18 8 other processes 2->18 signatures3 process4 dnsIp5 83 C:\Users\user\...\425AD1552F0102S5D5F.exe, PE32+ 10->83 dropped 85 C:\Program Files (x86)\...\Uninstall.exe, PE32 10->85 dropped 87 C:\Program Files (x86)\...\Set-up.exe, PE32 10->87 dropped 89 C:\Users\user\AppData\...\AS06078677.vbe, data 10->89 dropped 137 Drops PE files to the startup folder 10->137 21 425AD1552F0102S5D5F.exe 1 7 10->21         started        25 wscript.exe 10->25         started        38 2 other processes 10->38 139 Multi AV Scanner detection for dropped file 14->139 141 Writes to foreign memory regions 14->141 143 Sample uses process hollowing technique 14->143 27 aspnet_wp.exe 14->27         started        30 WerFault.exe 14->30         started        145 Wscript starts Powershell (via cmd or directly) 16->145 147 Windows Scripting host queries suspicious COM object (likely to drop second stage) 16->147 149 Suspicious execution chain found 16->149 32 powershell.exe 16->32         started        95 127.0.0.1 unknown unknown 18->95 151 Injects a PE file into a foreign processes 18->151 34 powershell.exe 18->34         started        36 aspnet_wp.exe 18->36         started        40 10 other processes 18->40 file6 signatures7 process8 dnsIp9 75 C:\Users\user\AppData\Roaming\svchost.exe, PE32+ 21->75 dropped 107 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->107 42 cmd.exe 1 21->42         started        44 cmd.exe 1 21->44         started        77 C:\Users\user\AppData\...behaviorgraphqLxCamcmuecCDK.js, ASCII 25->77 dropped 109 Windows Scripting host queries suspicious COM object (likely to drop second stage) 25->109 111 Writes or reads registry keys via WMI 25->111 47 WmiPrvSE.exe 25->47         started        97 Alice2019.myftp.biz 107.175.31.172, 2525, 49736, 49746 AS-COLOCROSSINGUS United States 27->97 113 Contains functionality to bypass UAC (CMSTPLUA) 27->113 115 Detected Remcos RAT 27->115 117 Contains functionalty to change the wallpaper 27->117 127 4 other signatures 27->127 79 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 32->79 dropped 119 Suspicious powershell command line found 32->119 121 Writes to foreign memory regions 32->121 123 Injects a PE file into a foreign processes 32->123 125 Powershell drops PE file 32->125 49 powershell.exe 32->49         started        51 conhost.exe 32->51         started        53 AddInProcess32.exe 32->53         started        81 C:\Users\user\AppData\Roaming\RegSvcs.exe, PE32 34->81 dropped 55 conhost.exe 34->55         started        file10 signatures11 process12 signatures13 57 svchost.exe 42->57         started        60 conhost.exe 42->60         started        62 timeout.exe 1 42->62         started        153 Uses schtasks.exe or at.exe to add and modify task schedules 44->153 64 conhost.exe 44->64         started        66 schtasks.exe 1 44->66         started        155 Loading BitLocker PowerShell Module 49->155 68 conhost.exe 49->68         started        process14 signatures15 131 Writes to foreign memory regions 57->131 133 Sample uses process hollowing technique 57->133 135 Injects a PE file into a foreign processes 57->135 70 wab.exe 57->70         started        73 WerFault.exe 57->73         started        process16 signatures17 129 Detected Remcos RAT 70->129
Score:
57%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9/
Threat name:
Win32.Backdoor.AsyncRAT
Create hunting rule
Status:
Malicious
First seen:
2024-04-07 18:48:12 UTC
File Type:
PE (Exe)
AV detection:
30 of 38 (78.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3uev6ts3irzxhuavty26h2nhzujlgdjcev2dwqjsabh7dujxnt4q._file
Verdict:
malicious
Similar samples:
7008a243e04182353acfd7b105350ba6785b2b9b512f1c874d1619a87f419688
njrat
8dc073cc9c71f0ef0e77d8942a776886d3913d6c44d0348c363ba582c1d89143
njrat
aa107f5e13a95804d5175acac905b539a676f71f582e5ca512dea9f8382f294e
njrat
b6a0cc1e5488c0c9f1429d1744f8c2f81f7dce4229b8322fbdad043cd9084b1f
njrat
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:njrat family:remcos botnet:default botnet:kgb-2024 discovery evasion execution persistence rat trojan
Link:
https://tria.ge/reports/240614-cs1lassajg/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Runs regedit.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Command and Scripting Interpreter: JavaScript
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
AsyncRat
Remcos
njRAT/Bladabindi
Malware Config
C2 Extraction:
alice2019.myftp.biz:2525
alice2019.myftp.biz:7707
Unpacked files
SH256 hash:
5966be432acb9568b378dc8cefdceff2f04ffe05cd0294b8011f5e3c89269445
MD5 hash:
ae48b2afec0731e0147fe54c4aa37e04
SHA1 hash:
c39cc6da4aee6f4e9cbdfa02c6db9e95ef27c193
Link:
https://www.unpac.me/results/6108513f-cc08-4dfa-bb90-e8c1f20c31ec/
SH256 hash:
dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9
MD5 hash:
8a6607f6727f04bc2d700ab5f71a349f
SHA1 hash:
9af1c2b76477e9f417d563cfe600bdce227987ac
Detections:
check_installed_software
Create hunting rule
Link:
https://www.unpac.me/results/6108513f-cc08-4dfa-bb90-e8c1f20c31ec/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dd095f4e5b447373d0159e35e3e9a7cd12b30d2225743b4132004ff1d1376cf9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:iexplorer_remcos
Create hunting rule
Author:iam-py-test
Description:Detect iexplorer being taken over by Remcos
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Create hunting rule
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Remcos
Create hunting rule
Author:kevoreilly
Description:Remcos Payload
Rule name:REMCOS_RAT_variants
Create hunting rule
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Trojan_Remcos_b296e965
Create hunting rule
Author:Elastic Security
Reference:https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set
Rule name:win_remcos_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.remcos.
Rule name:win_remcos_rat_unpacked
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:win_remcos_w0
Create hunting rule
Author:Matthew @ Embee_Research
Description:Detects strings present in remcos rat Samples.
Rule name:yarahub_win_remcos_rat_unpacked_aug_2023
Create hunting rule
Author:Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
CHECK_TRUST_INFORequires Elevated Execution (level:requireAdministrator)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User Authorizationadvapi32.dll::AllocateAndInitializeSid
advapi32.dll::EqualSid
advapi32.dll::FreeSid
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
MULTIMEDIA_APICan Play Multimediagdi32.dll::StretchDIBits
winmm.dll::timeKillEvent
winmm.dll::timeSetEvent
SECURITY_BASE_APIUses Security Base APIadvapi32.dll::AdjustTokenPrivileges
advapi32.dll::GetTokenInformation
SHELL_APIManipulates System Shellshell32.dll::ShellExecuteExA
shell32.dll::ShellExecuteA
shell32.dll::SHGetFileInfoA
WIN32_PROCESS_APICan Create Process and Threadsadvapi32.dll::OpenProcessToken
kernel32.dll::OpenProcess
advapi32.dll::OpenThreadToken
kernel32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIkernel32.dll::TerminateProcess
kernel32.dll::LoadLibraryA
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WinExec
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateDirectoryA
kernel32.dll::CreateFileA
kernel32.dll::DeleteFileA
kernel32.dll::GetWindowsDirectoryA
kernel32.dll::GetSystemDirectoryA
kernel32.dll::GetFileAttributesA
WIN_BASE_USER_APIRetrieves Account Informationkernel32.dll::GetComputerNameA
advapi32.dll::GetUserNameA
advapi32.dll::LookupPrivilegeValueA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegCreateKeyExA
advapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryInfoKeyA
advapi32.dll::RegQueryValueExA
advapi32.dll::RegSetValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments


Avatar
commented on 2024-06-14 03:36:06 UTC

It seems like you have access to many malware samples. I'm curious where you obtain them from. It makes me wonder about your following, and I respect your knowledge. Could you teach me about this? I'm 19 years old and aspiring to become a malware analyst. I hope you read my comment. Thank you very much.