MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deebba95dabc50ecaca9ec1a70f321b9712baa078ff94dce2cb2385900c21b20. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 9


SHA256 hash: deebba95dabc50ecaca9ec1a70f321b9712baa078ff94dce2cb2385900c21b20
SHA3-384 hash: a2755baa9740c3cc7bf668eb862a5a1ccaf7bc507470a7af5f0ac544265cb75fd952b99d5e0d7fa58063b1d103a95e24
SHA1 hash: 9b4706bb42b010cab57db1d3d90f8cba7c44ee71
MD5 hash: 30879194dc4f71062c4112b8b79c2493
humanhash: saturn-uranus-alanine-apart
File name: 30879194DC4F71062C4112B8B79C2493.exe
Signature: njrat
File size: 8'355'948 bytes
First seen: 2021-03-23 08:17:58 UTC
Last seen: 2021-03-23 09:36:05 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 49152:fn45aoAotR7v9JuwTMW3k5gVLXQMTGL6Mvk8KGSYYQBu//GCodLzGbjAOAf3Unlg:d
Threatray: 288 similar samples on MalwareBazaar
TLSH: 49862320FAAB1965C6F442F450DA7A35DABC4A4E7348E19EFF8E1C8E375A7410CCAC54
Reporter: abuse_ch
Tags: exe NjRAT RAT


abuse_ch
njrat C2:
52.233.171.173:1337

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC                     ThreatFox Reference
52.233.171.173:1337     https://threatfox.abuse.ch/ioc/4591/

Intelligence


File Origin
# of uploads: 2
# of downloads: 166
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 30879194DC4F71062C4112B8B79C2493.exe
Verdict: Malicious activity
Analysis date: 2021-03-23 08:58:58 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
DNS request
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Deleting a recently created file
Using the Windows Management Instrumentation requests
Modifying a system file
Replacing files
Launching a process
Launching a service
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Enabling the 'hidden' option for files in the %temp% directory
Forced system process termination
Unauthorized injection to a recently created process
Blocking the Windows Defender launch
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Enabling autorun by creating a file
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name:
Detection: malicious
Classification: spre.troj.adwa.evad
Score: 84 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies Group Policy settings
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Njrat
Behaviour
Behavior Graph (ID 373789; sample RNuld8RVuz.exe; start date 23/03/2021; architecture WINDOWS; score 84). The rendered graph did not survive extraction; the recoverable nodes are listed below.
Network: suleymanpasa.freeddns.org; cdn.discordapp.com (162.159.135.233, port 443, CLOUDFLARENETUS, United States); eisconn2.duckdns.org (52.233.171.173, port 1337, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); www.autokeyboard.com (64.190.62.111, port 80, NBS11696US, United States); 192.168.2.1; 127.0.0.1
Processes: RNuld8RVuz.exe, flimora2021.exe, autokeyboardsetup.exe, autokeyboardsetup.tmp, AutoKeyboard.exe, svchost.exe, svchost?.exe, Payload.exe, cmd.exe, conhost.exe, netsh.exe, schtasks.exe, DefenderControl.exe, plus 12 other processes
Dropped files: C:\Users\user\AppData\...\flimora2021.exe (PE32); C:\Users\user\...\autokeyboardsetup.exe (PE32); C:\Users\user\...\autokeyboardsetup.tmp (PE32); C:\Users\user\AppData\...\svchost?.exe (PE32); C:\Users\user\AppData\Roaming\svchost?.exe (PE32); C:\Users\user\AppData\...\DefenderControl.exe (PE32); C:\ProgramData\svchost.exe (PE32); C:\svchost.exe (PE32); C:\...\2033c568eafee18d130e7a52b0d15c66.exe (PE32); C:\Users\user\AppData\Local\...\Payload.exe (PE32); C:\autorun.inf (Microsoft); C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Program Files (x86)\...\is-UT78E.tmp (PE32); C:\Program Files (x86)\...\is-N0RBK.tmp (PE32); C:\Windows\System32\GroupPolicy\gpt.ini (ASCII)
Signatures on the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Machine Learning detection for dropped file; Multi AV Scanner detection for dropped file; Creates autostart registry keys with suspicious names; Changes security center settings (notifications, updates, antivirus, firewall); System process connects to network (likely due to code injection or exploit); Uses dynamic DNS services; Drops PE files with benign system names; Uses schtasks.exe or at.exe to add and modify task schedules; Modifies Group Policy settings; 8 other signatures
Threat name: ByteCode-MSIL.Trojan.Ymacco
Status: Malicious
First seen: 2021-03-20 00:52:22 UTC
AV detection: 24 of 28 (85.71%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Drops file in System32 directory
Adds Run key to start application
Drops startup file
Loads dropped DLL
Windows security modification
Executes dropped EXE
Modifies Windows Firewall
Modifies security service
Unpacked files
SHA256 hash: 44b8e6a310564338968158a1ed88c8535dece20acb06c5e22d87953c261dfed0
MD5 hash: 9c8886759e736d3f27674e0fff63d40a
SHA1 hash: ceff6a7b106c3262d9e8496d2ab319821b100541

SHA256 hash: e11132ca9fb98307830147446f5f731e19e308949e1a473d177d5a9f7ddf9c7e
MD5 hash: e4a2856522e6a817e3f0edd2677fa647
SHA1 hash: 7cffea7ad238e4d2a64238139ab64802dbaf1185

SHA256 hash: cd8aa569a523d21df092f9143b3927a29bde7cb14878a7dbf33fe2a092001e7f
MD5 hash: 794d6173a7a70f39e026fb0ec19d0843
SHA1 hash: 5bb163642acff5d7a8753fa161dd9c162c0204bf

SHA256 hash: 4f11e9fa553b42cc5dc04a6d6407e62de1d61f15b471eea3d270dbe289332ace
MD5 hash: d124d2513d81427249a29131f8dbaf39
SHA1 hash: ac6f5e3ba20aeb2e3cc3582977820d29b60b0900

SHA256 hash: c4f78c35af6d27a41035f1a54c6c63ca171824c584863de24f61d8c57ba07bc5
MD5 hash: 73cd4845dfbb697e76a49bb93c14cdec
SHA1 hash: aa650ab326d2987732ceb14deaf129460ed42749

SHA256 hash: deebba95dabc50ecaca9ec1a70f321b9712baa078ff94dce2cb2385900c21b20
MD5 hash: 30879194dc4f71062c4112b8b79c2493
SHA1 hash: 9b4706bb42b010cab57db1d3d90f8cba7c44ee71
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
