MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c
SHA3-384 hash:	453a977a7ed71edeff08ba4e25611b1c318e20e844263e4b46adbe8fbeffd40bbbea494669490554a080bc524b5356f5
SHA1 hash:	bad853c5496bc28f492c01cdc6fff77efd72dc74
MD5 hash:	e8fb8e14c5e50dd51a7499b84e2c857a
humanhash:	jupiter-kansas-cold-alabama
File name:	e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c
Download:	download sample
Signature	njrat Create hunting rule
File size:	349'456 bytes
First seen:	2021-09-29 07:51:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ae9f6a32bb8b03dce37903edbc855ba1 (28 x CryptOne, 18 x RedLineStealer, 15 x njrat)
ssdeep	6144:1Q+KaiKX2omqZEIvjzmW61pX+t4OHGbPEBOk/bhnAvx:pKry2/qZXzmVpX+t4OgMdm
Threatray	942 similar samples on MalwareBazaar
TLSH	T1CA74CF11BAC184B1D1721D3859F9A734A93CBC301F358ADF93E43A2D5E345C1AA3AB67
File icon (PE):
dhash icon	9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter	JAMESWT_WT
Tags:	exe NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

236

Origin country :

n/a

Vendor Threat Intelligence

Detection:

njRat

Link:

https://www.capesandbox.com/analysis/192980/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %temp% subdirectories

Malware family:

njRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f39e997d-f4c9-4006-b546-9cf0c074bf25

Result

Threat name:

njRat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/860636

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus detection for dropped file

Contains functionality to log keystrokes (.Net Source)

Detected njRat

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Powershell Used To Disable Windows Defender AV Security Monitoring

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2021-09-27 03:05:28 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=4lxjaeh7ybhjgr24ctio5segcasyzsqfrqs2mqezcq2bwwoaw2ga._file

Verdict:

malicious

Label(s):

njrat

emotet

njrat

56f958f289d5af36088cf03190de09be80dc84e6bb71b5b9ab6439c9e7f1152d

njrat

9dbdfabbc99542e1c94b7a29eaf437b7fa4c898c4add1a677b126257ae54f94e

njrat

b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

njrat

b43995d648b6e64824da5749a407029eae9feb84787266a4dae33f4c412ec661

njrat

c7ab8be4ae48937c0b4433d20253e1b4a1074a48dc7c18ca73ac8848182a3b01

njrat

f19dff408fd65268a61ec79e52e8c19780d7364b20560eac8a09f12d14487e19

njrat

+ 932 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat botnet:cvcvc evasion trojan

Link:

https://tria.ge/reports/210929-jqedlsebd7/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Program Files directory

Launches sc.exe

Loads dropped DLL

Executes dropped EXE

Modifies Windows Firewall

Stops running service(s)

Nirsoft

Modifies Windows Defender Real-time Protection settings

Modifies security service

njRAT/Bladabindi

Malware Config

C2 Extraction:

127.0.0.1:6544

Unpacked files

SH256 hash:

e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c

MD5 hash:

e8fb8e14c5e50dd51a7499b84e2c857a

SHA1 hash:

bad853c5496bc28f492c01cdc6fff77efd72dc74

Link:

https://www.unpac.me/results/37708a2d-5795-414a-b0ac-46fab65f6322/

Malware family:

Winnti Group

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/e2ee9010ffc0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e2ee9010ffc04e93475c14d0eec88610258cca058c25a6409914341b59c0b68c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/192980/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample