MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de030e8408071c2238466c90058165060ecc8d1c022c4817fc5e217cc5561f54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de030e8408071c2238466c90058165060ecc8d1c022c4817fc5e217cc5561f54
SHA3-384 hash: cdabc78972094b843de99a78dba2406d7b970b38a26ef620f00c3ba8c85dcb6f8ea1875e09edf8692e4fcb4548a31536
SHA1 hash: c4606223d563e154ac4ae7ae7f0ccf9291f46b77
MD5 hash: c1827d46d577d50f668c8b0b845416c3
humanhash: iowa-ink-carpet-coffee
File name:c1827d46d577d50f668c8b0b845416c3.exe
Download: download sample
Signature njrat
Create hunting rule
File size:84'249 bytes
First seen:2021-05-24 17:52:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 099c0646ea7282d232219f8807883be0 (476 x Formbook, 210 x Loki, 107 x AgentTesla)
ssdeep 1536:DQpQ5EP0ijnRTXJ+MOPcnKYeu59VDi/gLrxGjE9cHHEd3+dGo4tR3Up:DQIURTXJ+M7nAM95IgLrl9cAUJwe
Threatray 526 similar samples on MalwareBazaar
TLSH 1E83E12B39C4C8F7D65B5B725A7297ABC7B7A3041220060F5BB44FBF39262C7D905282
Reporter abuse_ch
Tags:exe NjRAT RAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
269
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c1827d46d577d50f668c8b0b845416c3.exe
Verdict:
Malicious activity
Analysis date:
2021-05-24 17:54:29 UTC
Tags:
installer
Link:
https://app.any.run/tasks/e88e3b73-5d99-4050-bd81-be7e3d387e0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.NSIS.Injector.AKV.30909.21677.UNOFFICIAL
Create hunting rule

PUA.Win.Trojan.Casino-141
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Launching a process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/790667
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 423065 Sample: S4aES2mPdl.exe Startdate: 24/05/2021 Architecture: WINDOWS Score: 80 38 Multi AV Scanner detection for submitted file 2->38 40 .NET source code contains potential unpacker 2->40 42 .NET source code references suspicious native API functions 2->42 44 3 other signatures 2->44 8 S4aES2mPdl.exe 21 2->8         started        12 $77-Windows Defender.exe 3 2->12         started        14 $77-Windows Defender.exe 3 2->14         started        16 $77-Windows Defender.exe 3 2->16         started        process3 file4 34 C:\Users\user\AppData\Local\Temp\xhpfw, DOS 8->34 dropped 36 C:\Users\user\AppData\Local\...\System.dll, PE32 8->36 dropped 48 Writes to foreign memory regions 8->48 50 Maps a DLL or memory area into another process 8->50 18 MSBuild.exe 3 4 8->18         started        22 conhost.exe 12->22         started        24 conhost.exe 14->24         started        26 conhost.exe 16->26         started        signatures5 process6 file7 32 C:\Users\user\...\$77-Windows Defender.exe, PE32 18->32 dropped 46 Creates autostart registry keys with suspicious names 18->46 28 $77-Windows Defender.exe 4 18->28         started        signatures8 process9 process10 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/de030e8408071c2238466c90058165060ecc8d1c022c4817fc5e217cc5561f54/
Threat name:
Win32.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 17:13:29 UTC
File Type:
PE (Exe)
Extracted files:
4
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3ybq5baia4oceocgnsialalfayhmzdi4aiweqf74lyqxzrkwd5ka._file
Verdict:
suspicious
Similar samples:
47c26ad6ad20462404f1f13c5be9024a1f602452aca247b7c6de059a09dfa3ee
njrat
507dbfd6aa22a40c64e153af688a18c03616e3473eee95f5312f6e9b2b3beb5a
njrat
5c010faf4a40636a3976ec2997b6627f105928362988edf09c94a54c4c074e07
njrat
79cf1acaf9b7a819bb68f28a23ed571a1cb1e517e09e3dde87614829ae7177d8
njrat
920d5b079a7684340c82b1334d87f828f4820b54437da0d109b381fdae39ac92
njrat
ae5df8905dd1b9de509e6764dea4c5571916b1705a129bddf2f5e2e554552acb
njrat
b5c025f7696528fbc5b1649e93b4ccbafc2d1b9b51155626c9197d110edcba06
njrat
b71ac80addac74e89b71f6893d989d7233d8174b8836138a3292cc1409ae8e58
njrat
bdce23fe0fa2ff5498bcf09b53315afb9ce0b21f5cedaf2d545be614d0dcaf57
njrat
c2336a135878814b7b9b82146879a4ee8910e0a7e540415cb3716e1f62c1ea41
njrat
+ 516 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210524-stedwgb5te/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.47
Link:
https://yomi.yoroi.company/submissions/de030e8408071c2238466c90058165060ecc8d1c022c4817fc5e217cc5561f54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Reverse_text_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Reverse text detected
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe de030e8408071c2238466c90058165060ecc8d1c022c4817fc5e217cc5561f54

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1278796/
  
Delivery method
Distributed via web download

Comments