MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ddbf8cb72cd40ae9effa10fc0448600eedef3ab6891a9419eb6960d804a89bce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ddbf8cb72cd40ae9effa10fc0448600eedef3ab6891a9419eb6960d804a89bce
SHA3-384 hash: 7d1de96c2c4822064e122417c134b13d3508b2d41e50d4c70f888ea84972ac225c8c7e6d52a5e9d3e29499c98b0828c5
SHA1 hash: 165259ef2384cbac2fd85be26d9a509e18d7e38e
MD5 hash: 8e8ca004cdfbd7e8a875f7d316ea4c5d
humanhash: fanta-tennessee-mockingbird-seventeen
File name:ddbf8cb72cd40ae9effa10fc0448600eedef3ab6891a9419eb6960d804a89bce
Download: download sample
Signature njrat
Create hunting rule
File size:247'296 bytes
First seen:2020-07-06 07:12:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:noMO4x3KZAHul5EBKP4YmDggKHVuFsJqv42mfL9itnvWPpfjYd6f712nQhiTsdMP:ne4pdV+w5fbhUuuuuuuuuzWuob8
Threatray 58 similar samples on MalwareBazaar
TLSH F1343E7533EC9207FA7BFE35AB5562049FD6D7660315E6863C42028A44F5E80CFB293A
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21072/
Detection(s):
Win.Packed.Bladabindi-7082976-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a process with a hidden window
Creating a window
DNS request
Connection attempt
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ddbf8cb72cd40ae9effa10fc0448600eedef3ab6891a9419eb6960d804a89bce/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-06-28 03:22:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3w7yznzm2qfot372cd6aisdab3w66ovwrenjigplnfqnqbfitpha._file
Verdict:
malicious
Similar samples:
0dd3510b1088c0dd5ebd7f3692d6eeec53009cd6fb8de87650bfaf71bc5dcd07
njrat
282406408e4499b5e5807fbb08409ae8c1456efb75281da653d366dad299d5df
njrat
31be15bca048be274cf57fe357a7fe192fdf045cd2c93c2e13a42972db30ddf8
njrat
448c36ca3546f4444da82e6889980c21bf6f148e6451a9cfb92ec60547b6c41b
njrat
490b24ae49c3a9a3c8f580ed6847c8c96f9027e5be9b122e49728c7dc8ee0498
njrat
5564f628b877cee2359d1b9321ec6c4ae20cd4d168ad678afeadf126608af514
njrat
bbf78b5fa17f5545ee34137874c4feaf707fa556256bc74bee80d58782cdd719
njrat
c33d8b5589880c1a82f257555f5dea36190e409cff9b2980ab80b314ccb11bae
njrat
e34a91674a3a3aed881705d2f7deee4607a96a9abeb1a4a8fcbdbc9a3a560937
njrat
fca9b9de5070e3b30458c7477b01329ab8a84204f7c9ee633375f16c0d6df057
njrat
+ 48 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/200706-cwj3ejef4e/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies service
Adds Run entry to start application
Adds Run entry to start application
Loads dropped DLL
Modifies Windows Firewall
Executes dropped EXE
Executes dropped EXE
Modifies Windows Firewall
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21072/

Comments