MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1e04dcb77d12336ab2ead9a1cb7eadae3d744b2207b6331ea3510e50ca41bb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e1e04dcb77d12336ab2ead9a1cb7eadae3d744b2207b6331ea3510e50ca41bb7
SHA3-384 hash: b9bfd4dc0fd9eafde832c6bc7d0a8952b3186511491eb68ecf9f5ff2ee039dab479e22ac0896bf10c96e5f7effbba044
SHA1 hash: eb8b4cf09ff62f29d04b411dfdef760e961f4bbb
MD5 hash: 8a6ebe97b7ea7d1b8c2dca426ceac85b
humanhash: don-cold-snake-cup
File name:DUCSetup_v4_1_1.exe
Download: download sample
Signature njrat
Create hunting rule
File size:1'396'736 bytes
First seen:2022-05-04 11:21:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2674e2c85d69ad77d97510ac486e707b (2 x njrat, 1 x AZORult)
ssdeep 24576:K5BxNCmSRKoPDerS5qvNd5Q9spywNAlw3xmiTRNeVqi5:cCLRKADjqvr5YlUxhTRNeV
Threatray 120 similar samples on MalwareBazaar
TLSH T14D55335D30B98776C016B2F4C6DBA649B89966047489B03A1D543F1D7B4B386F3B20FB
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4505/5/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon c4dadadad2f492c2 (25 x GuLoader, 14 x RemcosRAT, 7 x AgentTesla)
Reporter tech_skeech
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
324
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
DUCSetup_v4_1_1.exe
Verdict:
Malicious activity
Analysis date:
2022-05-04 11:09:29 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/8ef43e2c-759b-4044-ab4f-c958b2816426

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
njRat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/268608/
Detection(s):
PUA.Win.Packer.EnigmaProtector-19
Create hunting rule

PUA.Win.Packer.EnigmaProtector-1
Create hunting rule

Win.Malware.Zusy-9774867-0
Create hunting rule

PUA.Win.Packer.EnigmaProtector-9852682-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Enabling the 'hidden' option for files in the %temp% directory
Sending a custom TCP request
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627261dc62b1ae4451d5db90/reports/dd1e4844-d4f5-4777-8d56-0396781fc5c8/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e989595-e788-42f0-a337-434d6e7a33a9
Result
Threat name:
njRat RedLine
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/987685
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Detected njRat
Detected unpacking (changes PE section rights)
Drops PE files to the startup folder
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Drops fake system file at system root drive
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 620181 Sample: DUCSetup_v4_1_1.exe Startdate: 04/05/2022 Architecture: WINDOWS Score: 100 55 185.215.113.25, 27757, 49864 WHOLESALECONNECTIONSNL Portugal 2->55 57 siasky.net 185.130.226.111, 443, 49865 HOSTKEY-ASNL Netherlands 2->57 59 2 other IPs or domains 2->59 65 Snort IDS alert for network traffic 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Malicious sample detected (through community Yara rule) 2->69 71 14 other signatures 2->71 10 DUCSetup_v4_1_1.exe 10 2->10         started        signatures3 process4 file5 41 C:\Users\user\AppData\Local\Temp\dwm.exe, PE32 10->41 dropped 43 C:\Users\user\AppData\...\DUCSetup_v4_1_1.exe, PE32 10->43 dropped 81 Detected unpacking (changes PE section rights) 10->81 83 Tries to detect sandboxes and other dynamic analysis tools (window names) 10->83 85 Hides threads from debuggers 10->85 87 Drops PE files with benign system names 10->87 14 dwm.exe 1 5 10->14         started        18 DUCSetup_v4_1_1.exe 14 39 10->18         started        signatures6 process7 file8 45 C:\Users\user\AppData\Local\...\svchost.exe, PE32 14->45 dropped 89 Antivirus detection for dropped file 14->89 91 Machine Learning detection for dropped file 14->91 93 Drops PE files with benign system names 14->93 20 svchost.exe 3 9 14->20         started        47 C:\Users\user\AppData\Local\...\nsDialogs.dll, PE32 18->47 dropped 49 C:\Users\user\AppData\Local\...\System.dll, PE32 18->49 dropped 51 C:\Program Files (x86)51o-IP\ducservice.exe, PE32 18->51 dropped 53 3 other files (none is malicious) 18->53 dropped 25 DUC40.exe 15 19 18->25         started        27 DUC40.exe 18->27         started        signatures9 process10 dnsIp11 61 178.33.93.88, 2313, 49771, 49772 OVHFR France 20->61 33 C:\svchost.exe, PE32 20->33 dropped 35 C:\...\2515e856f03b835ae52c5318fb17badb.exe, PE32 20->35 dropped 37 C:\autorun.inf, Microsoft 20->37 dropped 39 C:\Users\user\AppData\...\tmp776D.tmp.exe, PE32 20->39 dropped 73 Antivirus detection for dropped file 20->73 75 System process connects to network (likely due to code injection or exploit) 20->75 77 Creates autorun.inf (USB autostart) 20->77 79 6 other signatures 20->79 29 netsh.exe 1 3 20->29         started        63 dynupdate.noip.com 158.247.7.204, 49789, 80 NOIP-VITALUS United States 25->63 file12 signatures13 process14 process15 31 conhost.exe 29->31         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e1e04dcb77d12336ab2ead9a1cb7eadae3d744b2207b6331ea3510e50ca41bb7/
Threat name:
Win32.Trojan.VBinder
Create hunting rule
Status:
Malicious
First seen:
2022-05-04 11:22:11 UTC
File Type:
PE (Exe)
Extracted files:
14
AV detection:
29 of 42 (69.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4hqe3s3x2ertnkzovwnbzn7k3lr5orfseb5wgmpkguiokdfedo3q._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
05624102a4432c069b4731553fe2fe3a9143161cf4e38ad5b8197378dbda1300
njrat
4101bd379660a169d50442c9921d6fb0329620efbc5a163856c2f5e5f41e601c
njrat
8b00d26012b7c13819459fa567024ca068fed3aa0c0539c63ae73ebb00bca9a2
njrat
a4c7cb6d7212aac61a61a4f7c7c218684a8ea7727ebf26c4bf9b4f98c39a86c4
njrat
b968ab7d248818d7b487f45bb33982861f83f667c0ad165c9a906e330b33b027
njrat
df76b66e92d2d5f0b35e9d8b67a65f2e967ac7502013496e9e241ef510ffad29
njrat
e445b1166af56c2e7928d3dabc853c0cd1a4be49b62b5e2a7f27b291bc81c5c2
njrat
fa1b0782ba561e7c093eae658614ce3f846cb6d57fd6454aea2246e141ec5242
njrat
+ 110 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked evasion persistence suricata trojan
Link:
https://tria.ge/reports/220504-ngklgsdfe9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks computer location settings
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback (Remote Desktop)
suricata: ET MALWARE njrat ver 0.7d Malware CnC Callback Response (Remote Desktop)
Malware Config
C2 Extraction:
178.33.93.88:2313
Unpacked files
SH256 hash:
1e6d3d0629e9c1da10dd7d1c76b568e8e6a2d981a1ac97227840888f11530d98
MD5 hash:
b4c4d000ddac53389d2d4e39fedd1e5f
SHA1 hash:
0a2c3cf6c95b300959edbcd3aca868b426fe7293
Link:
https://www.unpac.me/results/cab1a061-1f08-4a4e-bded-6c9e5163a97e/
SH256 hash:
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
MD5 hash:
c10e04dd4ad4277d5adc951bb331c777
SHA1 hash:
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
Link:
https://www.unpac.me/results/cab1a061-1f08-4a4e-bded-6c9e5163a97e/
SH256 hash:
0284a4511e26f1b9fa523db6ba896784529ae6ccba040161b1b12688499ad8e5
MD5 hash:
d626923e92e6da0a089204f9043653c6
SHA1 hash:
7c6fa1e82f74210786b3288d41210ca3689ecd33
Link:
https://www.unpac.me/results/cab1a061-1f08-4a4e-bded-6c9e5163a97e/
SH256 hash:
e1e04dcb77d12336ab2ead9a1cb7eadae3d744b2207b6331ea3510e50ca41bb7
MD5 hash:
8a6ebe97b7ea7d1b8c2dca426ceac85b
SHA1 hash:
eb8b4cf09ff62f29d04b411dfdef760e961f4bbb
Link:
https://www.unpac.me/results/cab1a061-1f08-4a4e-bded-6c9e5163a97e/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e1e04dcb77d1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e1e04dcb77d12336ab2ead9a1cb7eadae3d744b2207b6331ea3510e50ca41bb7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834
Rule name:SUSP_XORed_URL_in_EXE_RID2E46
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe e1e04dcb77d12336ab2ead9a1cb7eadae3d744b2207b6331ea3510e50ca41bb7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/268608/

Comments