MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 def82eea2b57f5b879e8e7c14eb6e0c5a6cd58874835c53f0cfd4ee18d30101e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: def82eea2b57f5b879e8e7c14eb6e0c5a6cd58874835c53f0cfd4ee18d30101e
SHA3-384 hash: 6e1c9697d45d43e6462fd432b3cc7df6afde3394c263c4fc04e8c3e525a551d33de4f69456520f7e212b049c2f243e60
SHA1 hash: 0628d364d08a4195fa757b524017fa0a0cbe1be7
MD5 hash: ce36d722b60dd51444037c4435ab0a95
humanhash: stairway-jig-diet-victor
File name:Confirmed.exe
Download: download sample
Signature njrat
Create hunting rule
File size:857'600 bytes
First seen:2022-03-26 11:26:09 UTC
Last seen:2024-07-24 22:13:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:fGVp+bjgTI9nsskGSSO5iB+8nvtvHHNe:kpMgk9ssLmx8nvtvNe
Threatray 349 similar samples on MalwareBazaar
TLSH T12A054C065BD41AB6C07EDB32D33441A482F86EAB0415E7EF1FE171E49B71B069B432A7
File icon (PE):PE icon
dhash icon 79e9dccccccce060 (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
185.140.53.176:7678

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
185.140.53.176:7678 https://threatfox.abuse.ch/ioc/453999/

Intelligence

File Origin
# of uploads :
2
# of downloads :
428
Origin country :
n/a
Vendor Threat Intelligence
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/258031/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
DNS request
Unauthorized injection to a recently created process
Creating a file
Creating a process with a hidden window
Launching the process to change the firewall settings
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed update.exe
Link:
https://www.filescan.io/uploads/623ef858a19c64941293339b/reports/c31013ab-95bf-469c-8eec-e14fdcf8e04e/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
OutSteel
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0283628-f5ed-4468-a866-0d2f1d030357
Result
Threat name:
AsyncRAT Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/965078
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 597559 Sample: Confirmed.exe Startdate: 26/03/2022 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->33 35 Found malware configuration 2->35 37 Malicious sample detected (through community Yara rule) 2->37 39 7 other signatures 2->39 8 Confirmed.exe 3 2->8         started        11 Confirmed.exe 2 2->11         started        13 Confirmed.exe 2 2->13         started        15 Confirmed.exe 2 2->15         started        process3 signatures4 47 Uses netsh to modify the Windows network and firewall settings 8->47 49 Modifies the windows firewall 8->49 51 Hides that the sample has been downloaded from the Internet (zone.identifier) 8->51 17 Confirmed.exe 5 5 8->17         started        process5 dnsIp6 31 185.140.53.176, 49831, 7678 DAVID_CRAIGGG Sweden 17->31 29 C:\Users\user\AppData\...\tmpF678.tmp.exe, PE32 17->29 dropped 41 Creates autostart registry keys with suspicious names 17->41 22 tmpF678.tmp.exe 2 17->22         started        25 netsh.exe 1 3 17->25         started        file7 signatures8 process9 signatures10 43 Machine Learning detection for dropped file 22->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 22->45 27 conhost.exe 25->27         started        process11
Detection:
asyncrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/def82eea2b57f5b879e8e7c14eb6e0c5a6cd58874835c53f0cfd4ee18d30101e/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-03-26 11:26:22 UTC
File Type:
PE (.Net Exe)
Extracted files:
50
AV detection:
16 of 26 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=334c52rlk723q6pi47au5nxaywtm2wehja24kpym7vhoddjqcapa._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
2585845349d420cec529b285a268b989ba28f135aa5332d3ce9122bbf53b5ce4
njrat
3612932b02e0e97ec1ddac955833b9e572ca1c2d93fdc12c47e4ac6021459bc9
njrat
5f4be5b1118b3a61f72cf7a9647d5542fd52d470be2eec3470f53351a4c9f6ae
njrat
75e5171c975ae001bf82ab53fe026b4dba7f9008b0bb037b4628e3375ff6abe7
njrat
776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097
njrat
b23fac3382a51f1910438bce97a602ced4b5509fe28f323cde76a60914d83c8d
njrat
c47a4294b97b5b05ac78f01950d4cf964faf03adf9f0b495c157d09c6f3cf564
njrat
cb8d5adf6f6c6d0da4112ec3216aa856dc0cdf75caaae4c0dfc8049d57900cef
njrat
cdadc76f61382593d88182fc8d09eb68d39c5ecddc5c13e8c45341615bc91b21
njrat
fa36827395f1ca463f06226a4e8c49882454ebab18496aa47953e9f332c3f990
njrat
+ 339 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:njrat botnet:default botnet:mercy_@2022 evasion persistence rat trojan
Link:
https://tria.ge/reports/220326-njxzlacag4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Async RAT payload
AsyncRat
njRAT/Bladabindi
Malware Config
C2 Extraction:
185.140.53.176:7678
185.140.53.176:2376
Unpacked files
SH256 hash:
c611a6ceb263401ed18ff93961bd6d0cdf8757e48d8e76b13943e85b9d3b5a0b
MD5 hash:
f9b293305bd04eee511c0ffd0e7f29d7
SHA1 hash:
fd981a9537a903422311f582defc1c8fd97248af
Link:
https://www.unpac.me/results/74575792-8fb2-47b6-ada8-7a272fd94297/
SH256 hash:
7d170109f352f251d7ac012882e005b059b0db5ecce7520acf7be2ba8f13792a
MD5 hash:
72403055ee098f50bcc8a238fdbef878
SHA1 hash:
eb5ed9b38f5a23bb00b221acf3f7233aa2e9299d
Link:
https://www.unpac.me/results/74575792-8fb2-47b6-ada8-7a272fd94297/
SH256 hash:
f4f263514346ddca8d7a838aff4e439799c2bd0a2879c4426bcaf5b83460f0e6
MD5 hash:
55f4ae47a8c3e409939d37eabe669870
SHA1 hash:
999f1a288b323bd0e22cb6b3caeb0dbe6e47a35c
Link:
https://www.unpac.me/results/74575792-8fb2-47b6-ada8-7a272fd94297/
SH256 hash:
4aa0a88d0416e9ed3532a9fd569b4157492155fd82a933d78f4560ad9e4b6ad6
MD5 hash:
79be8a5c962b7f742c6b1e6d0908bc26
SHA1 hash:
5b9269cad50ca7ca11a66b91c4bf942f4d2af735
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/74575792-8fb2-47b6-ada8-7a272fd94297/
SH256 hash:
2d3d79965afb82c0bbda90e352e0b6df2f5653b3c35b25e7d3ea57b41c2db350
MD5 hash:
4f55afaccba1ec55a219fe3d6cec6e88
SHA1 hash:
05faf20a5ffc39c76dd84d73015ccf95ea31d19f
Link:
https://www.unpac.me/results/74575792-8fb2-47b6-ada8-7a272fd94297/
SH256 hash:
def82eea2b57f5b879e8e7c14eb6e0c5a6cd58874835c53f0cfd4ee18d30101e
MD5 hash:
ce36d722b60dd51444037c4435ab0a95
SHA1 hash:
0628d364d08a4195fa757b524017fa0a0cbe1be7
Link:
https://www.unpac.me/results/74575792-8fb2-47b6-ada8-7a272fd94297/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/def82eea2b57/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/def82eea2b57f5b879e8e7c14eb6e0c5a6cd58874835c53f0cfd4ee18d30101e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/258031/

Comments