MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1707f3697443452ed3ebff0b477f13bf3a19a48a4b397fba55baaf7133f6fca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1707f3697443452ed3ebff0b477f13bf3a19a48a4b397fba55baaf7133f6fca
SHA3-384 hash: 5483a60250b9d904c49f12bd55da007d467a21b4e3c981a539cdf32e73c37c35088681b69042e7d324914af9030afdd6
SHA1 hash: e527e92099388b0d77a556449ec2a3d3cdb71fbc
MD5 hash: 656436be4766884dd8fe86631f7d101a
humanhash: july-muppet-xray-colorado
File name:e1707f3697443452ed3ebff0b477f13bf3a19a48a4b397fba55baaf7133f6fca
Download: download sample
Signature njrat
Create hunting rule
File size:405'504 bytes
First seen:2021-09-14 06:36:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:Stdhsqw1BfImFLJlJn5a9BcdTcKvhBp989CJkx/NvUW+X:S7hsqw1xImRR4+TcwkxxS
Threatray 1'322 similar samples on MalwareBazaar
TLSH T1E284F61775578960C2DC1736C1DBD53417B0EE852267EA0A74C43FAB7A333A7AC0A68B
dhash icon f0f8b2aaaabaaad4 (1 x njrat, 1 x NanoCore)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
461
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
e1707f3697443452ed3ebff0b477f13bf3a19a48a4b397fba55baaf7133f6fca
Verdict:
No threats detected
Analysis date:
2021-09-14 06:49:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7c1b036d-481d-4547-b504-1d5f788cdd95

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/187670/
Detection(s):
Win.Trojan.B-468
Create hunting rule

Win.Trojan.Bladbindi-1
Create hunting rule

Win.Trojan.Ratenjay-1
Create hunting rule

Win.Packed.Bladabindi-6917466-0
Create hunting rule

Win.Packed.Generic-7672854-0
Create hunting rule

Win.Packed.Generic-7672855-0
Create hunting rule

Win.Packed.njRAT-7672853-1
Create hunting rule

Win.Packed.Generic-9795615-0
Create hunting rule

Win.Packed.Generic-9795616-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint greyware keylogger njrat obfuscated packed rat stealer
Link:
https://www.filescan.io/uploads/61750a7adb358dd15ed9208b/reports/cc6933fd-5160-480b-92a7-98109852bebf/overview
Malware family:
MassLogger
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2eb9fd45-7c08-4cbc-abc9-0ccbf9cd6559
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/850661
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 483092 Sample: 6fWZpoOUKg Startdate: 14/09/2021 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus detection for dropped file 2->36 38 Antivirus / Scanner detection for submitted sample 2->38 40 7 other signatures 2->40 8 6fWZpoOUKg.exe 1 5 2->8         started        11 system.exe 2 2->11         started        13 system.exe 3 2->13         started        15 system.exe 2 2->15         started        process3 file4 28 C:\Users\user\AppData\Local\Temp\system.exe, PE32 8->28 dropped 30 C:\Users\user\AppData\...\6fWZpoOUKg.exe.log, ASCII 8->30 dropped 17 system.exe 4 5 8->17         started        process5 dnsIp6 32 fadbook.ddns.net 41.142.71.82, 8899 MT-MPLSMA Morocco 17->32 26 C:\...\9d1cc64fe9a6a8e706d093702e0b1ae6.exe, PE32 17->26 dropped 42 Antivirus detection for dropped file 17->42 44 Multi AV Scanner detection for dropped file 17->44 46 Protects its processes via BreakOnTermination flag 17->46 48 5 other signatures 17->48 22 netsh.exe 1 3 17->22         started        file7 signatures8 process9 process10 24 conhost.exe 22->24         started       
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e1707f3697443452ed3ebff0b477f13bf3a19a48a4b397fba55baaf7133f6fca/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-09-08 17:15:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
31 of 45 (68.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4fyh6nuxiq2ff3j6x7yli57rhpz2dgsiuszzp65flovpoez7n7fa._file
Verdict:
malicious
Label(s):
masslogger
Create hunting rule
Similar samples:
0290b4bba5483f6c9865c8b2a1df7e0756a6d5ade4a2dc5ced0a380a9988d35c
njrat
045cfe04d64a1c71873d0fb2dbd1a48471f9918b1649b87ef001010dfc2a4286
njrat
0ce85115b26d769cc29342f77c359fc2177d325e5394154fdc700ea644f69971
njrat
3e468281ddf4a728dc41a9a4d1443b5bedbd7614ae0f10be0fe61bb1bacf84f3
njrat
416be48f063784dfa696921edc4844d902cd88d354f45184e5d23d70db94895f
njrat
43756195653d9b20db70b3b2700d6ece0e927da322db216d12e6eeb6af316f3f
njrat
4534997b5b146c7caebb2f398e7ea0f2bbf434af23155ad13b0acd09b0487325
njrat
8f9f89be357d1d17b6281bf9f6caebfa97fdbfcb6aec50e4aa147d0e24e909e7
njrat
a23aaa00f7b68ac090aaec5ffbd32d5a9a557333302e72fba232f2f54b38cbbc
njrat
a654772e801683ef8639985af05c8845d16ab48df5c6a8e65d014251692d73d2
njrat
+ 1'312 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan
Link:
https://tria.ge/reports/210914-hcypnafba9/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Adds Run key to start application
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
.NET Reactor proctector
njRAT/Bladabindi
Unpacked files
SH256 hash:
e1707f3697443452ed3ebff0b477f13bf3a19a48a4b397fba55baaf7133f6fca
MD5 hash:
656436be4766884dd8fe86631f7d101a
SHA1 hash:
e527e92099388b0d77a556449ec2a3d3cdb71fbc
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/cfcbe635-6a10-4106-b0bd-21f752d72c2b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/e1707f3697443452ed3ebff0b477f13bf3a19a48a4b397fba55baaf7133f6fca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_LightDefender_Njrat_Rule
Create hunting rule
Author:Skystars LightDefender
Description:Detects Njrat
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/187670/

Comments