MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd23a9dd9ad1c9be3580c478179915bfcc79a23bc49161f49ee08111ceab57eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: njrat
Vendor detections: 13

SHA256 hash: dd23a9dd9ad1c9be3580c478179915bfcc79a23bc49161f49ee08111ceab57eb
SHA3-384 hash: cc7db0911bed02e4e0e3ef550314984e1e33435ce256024a3cd4601c468e49f343792e5859c64c92e8d5f0c669a442dc
SHA1 hash: e309c1fa1053a6d732e2f43aa18c3c7d960f0921
MD5 hash: 95fb80c07272283986d852ba2bf78035
humanhash: queen-crazy-vermont-earth
File name: 95FB80C07272283986D852BA2BF78035.exe
Signature: njrat
File size: 2'818'148 bytes
First seen: 2022-03-14 22:21:30 UTC
Last seen: 2022-03-14 23:55:52 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 47bc19dfc1ae2e981c4482fe1911174d (1 x njrat)
ssdeep: 49152:T9L1R2DvORR8swPgk/87JMp50/d5XIDg+XZKaRJ1E2FRFPBAIUqwG8sDIT3:TRYvg1MgYKJamXIsRapUhG8s2
Threatray: 86 similar samples on MalwareBazaar
TLSH: T141D533F0EBA0A53BD694E07C685EF7258C14898A45967B12E4E03C2EBC7BB0F25F1D54
dhash icon: 204cb27169b21428 (1 x njrat, 1 x DarkComet)
Reporter: abuse_ch
Tags: exe NjRAT RAT


abuse_ch
njrat C2:
23.95.132.55:48339

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                 | ThreatFox Reference
23.95.132.55:48339  | https://threatfox.abuse.ch/ioc/395249/

Intelligence


File Origin
# of uploads: 2
# of downloads: 350
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:
Behaviour:
Creating a window
Sending a custom TCP request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: darkkomet exploit greyware overlay packed shell32.dll virus
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: RedLine stealer
Verdict: Malicious
Result
Threat name: njRat RedLine
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Detected njRat
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Tries to evade analysis by execution special instruction which cause usermode exception
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 589098
Sample: fbfn4s7bqW.exe
Startdate: 14/03/2022
Architecture: WINDOWS
Score: 100

Top-level signatures:
- Malicious sample detected (through community Yara rule)
- Antivirus detection for dropped file
- Antivirus / Scanner detection for submitted sample
- 12 other signatures

Process tree (files dropped, signatures and network activity per process, as recorded in the graph):

fbfn4s7bqW.exe (started)
- Dropped: C:\Users\user\...\._cache_fbfn4s7bqW.exe (PE32)
- Dropped: C:\ProgramData\Synaptics\Synaptics.exe (PE32)
- Dropped: C:\ProgramData\Synaptics\RCXB7DD.tmp (PE32)
- Dropped: C:\...\Synaptics.exe:Zone.Identifier (ASCII)
- Signature: Tries to evade analysis by execution special instruction which cause usermode exception
- Started: ._cache_fbfn4s7bqW.exe, Synaptics.exe

._cache_fbfn4s7bqW.exe
- Dropped: C:\Users\user\AppData\Roaming\build.exe (PE32)
- Dropped: C:\Users\user\AppData\Roaming\Client.exe (PE32)
- Dropped: C:\Users\user\...\._cache_fbfn4s7bqW.exe.log (ASCII)
- Dropped: C:\Users\user\AppData\...\uProxy Tool.exe (PE32)
- Signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
- Started: Client.exe, build.exe, uProxy Tool.exe

Synaptics.exe
- Signature: Multi AV Scanner detection for dropped file

Client.exe
- Dropped: C:\Users\user\Desktop\._cache_Client.exe (PE32)
- Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
- Started: ._cache_Client.exe, Synaptics.exe

build.exe
- Dropped: C:\Users\user\Desktop\._cache_build.exe (PE32)
- Started: ._cache_build.exe, Synaptics.exe

uProxy Tool.exe
- Network: raw.githubusercontent.com (185.199.108.133, 443, 49782) FASTLYUS, Netherlands

._cache_Client.exe
- Dropped: C:\Users\user\AppData\Roaming\OneDrive.exe (PE32)
- Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
- Started: OneDrive.exe

._cache_build.exe
- Network: api.ip.sb
- Started: conhost.exe

OneDrive.exe
- Network: 23.95.132.55 (48339, 49771, 49773) AS-COLOCROSSINGUS, United States
- Dropped: C:\...\b1132c80f5159636927833f82a838b5f.exe (PE32)
- Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 4 other signatures
- Started: netsh.exe

netsh.exe
- Started: conhost.exe
Threat name: Win32.Backdoor.Bladabhindi
Status: Malicious
First seen: 2022-03-12 15:25:00 UTC
File Type: PE (Exe)
Extracted files: 9
AV detection: 24 of 39 (61.54%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:njrat family:redline botnet:cheat botnet:hacked evasion infostealer persistence trojan
Behaviour
Modifies registry class
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
RedLine
RedLine Payload
njRAT/Bladabindi
Malware Config
C2 Extraction:
23.95.132.55:48339
23.95.132.55:5552
Unpacked files

SHA256 hash: ab1be4329a692dbd88e81a2197c2dbc98abde8c9a2c5a91aa0ad5d906ba0dcd3
MD5 hash: 4838b66c7387b9c5b6d6fc7b2a03e456
SHA1 hash: 194be968a9c5b187c9fade04a41f3d8ad601cacd
Detections: win_njrat_w1 win_njrat_g1

SHA256 hash: 1f42633377481ac6824093549eb4778f7db0d44c8c7f22e828ee0c5511f928dc
MD5 hash: 0cc4c15fe7c15fa0923655b7290a428e
SHA1 hash: fd6fd5bba7000e6f25aaa061a9e123b7e041aa2f

SHA256 hash: cc3464233e8cf82a26c6f1fa879bab7c23946c12506cc2daab935d00dd87b8a6
MD5 hash: dc49ab7c1fc261f57880638fe341f809
SHA1 hash: e8c6d574e22877cbbad0c4bfb2a379b1e2f23535

SHA256 hash: 523d52722bdd2160566e34040dee9a47fc3137feeff305daa51d3c57dbbe5c70
MD5 hash: f09c93bd153981c069a97928c36ca7cb
SHA1 hash: 9a09f00426251c408c2becf61ef3fcb0e74d356a

SHA256 hash: 081dfd5b42a620a0d3e1a934b0b01623fe501adc2f576e7decda9939efc865ba
MD5 hash: fe9a574afd7088b0c4cda6209533513f
SHA1 hash: 395b538a3085022f698ad345d49e2417df168b78

SHA256 hash: 48732c638c2e7dabef1f991e8b47264604409e96d02bde5c1036f787c1a9824e
MD5 hash: f59805f618e77fcad80e820a179ac0d0
SHA1 hash: 00c62b9383d71ddad4a0dea2cf64c3ba364cc53d

SHA256 hash: 8f781dad2cd705d6ba672cf6b50cbeb8029157f130ae5096fa0756484ac6722d
MD5 hash: d381c9079af8dc8e11f08fc1c4bb5d21
SHA1 hash: a820039765ae3a743d61c7d582243a8b4f566f74

SHA256 hash: 5892ff57735d691576646d82c692c4a595b28f2576007c3455ff8f3da91ef45f
MD5 hash: 54c66980fcc6c525f4a8043de1be11f4
SHA1 hash: 4a01931f951aeaeea9772a7119783225a975d8f9

SHA256 hash: 8e339fee1030be8f787afd6890e0635fe7311bffd3b9308bf0e55d801b6ab8d0
MD5 hash: caa1653c068e2a8611a4862ece18df21
SHA1 hash: 228c0a86c8f373f28cce952613e41d60e8080ab8

SHA256 hash: dd23a9dd9ad1c9be3580c478179915bfcc79a23bc49161f49ee08111ceab57eb
MD5 hash: 95fb80c07272283986d852ba2bf78035
SHA1 hash: e309c1fa1053a6d732e2f43aa18c3c7d960f0921
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments