MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 19


Intelligence 19 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5
SHA3-384 hash: 175aa78c8835eeee1bc63ab78350bb9ccea05efebac12dacc225162c7d73431857a61a3c011bb89e02619c2c95095e36
SHA1 hash: 7e08b98299e0195a013e53221e3c2efb149eb4ce
MD5 hash: 1c8908102946928867ab16f2007b35cc
humanhash: october-lion-comet-delta
File name:WinRAR 7.01 Pro.exe
Download: download sample
Signature njrat
Create hunting rule
File size:4'492'800 bytes
First seen:2024-08-13 19:46:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 98304:DaxGFtNdBfKEgzVQYAO52weo3VudIlHSTNWA0rkjEaxKd:DRdytzAO52wLVu2oBWv7t
Threatray 2 similar samples on MalwareBazaar
TLSH T12D26231AF6D441F5E077D234C8E28917E6B23C995B71868F27BD476A2F233905A3E342
TrID 30.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
23.8% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
17.8% (.EXE) InstallShield setup (43053/19/16)
12.9% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.3% (.EXE) Win64 Executable (generic) (10523/12/4)
File icon (PE):PE icon
dhash icon 69f0323232929a05 (1 x njrat)
Reporter Chainskilabs
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
420
Origin country :
US US
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
WinRAR 7.01 Pro.exe
Verdict:
Malicious activity
Analysis date:
2024-08-13 19:48:56 UTC
Tags:
netreactor stormkitty wmi-base64 stealer evasion telegram exfiltration asyncrat rat
Link:
https://app.any.run/tasks/5cd60208-9156-49c4-b810-9b9909cc2bd6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
ditekSHen.MALWARE.Win.Trojan.RedLine-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66bbb838aa5b40be0aa02add
Tags:
Discovery Execution Infostealer Network Static Stealth Trojan Msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for the window
Searching for synchronization primitives
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Running batch commands
Launching a process
Launching the process to change network settings
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm crypto lolbin packed redline setupapi shdocvw shell32 vbnet
Link:
https://www.filescan.io/uploads/66bbb8373930e113b90ad4b6/reports/05e3f484-f79d-4fc9-b4d3-7b30a642f886/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/11239678-4e09-43d0-a127-483032c9a9e5
Result
Threat name:
PureLog Stealer, WorldWind Stealer
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1492461
Signature
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Yara detected PureLog Stealer
Yara detected WorldWind Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1492461 Sample: WinRAR 7.01 Pro.exe Startdate: 13/08/2024 Architecture: WINDOWS Score: 100 52 api.telegram.org 2->52 54 238.14.8.0.in-addr.arpa 2->54 56 2 other IPs or domains 2->56 64 Suricata IDS alerts for network traffic 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus / Scanner detection for submitted sample 2->68 72 7 other signatures 2->72 9 WinRAR 7.01 Pro.exe 4 2->9         started        signatures3 70 Uses the Telegram API (likely for C&C communication) 52->70 process4 file5 38 C:\Users\user\...\winrar_x64_701ar.exe, PE32+ 9->38 dropped 40 C:\Users\user\...\_microsoft_corporation.exe, PE32 9->40 dropped 42 C:\Users\user\...\WinRAR 7.01 Pro.exe.log, ASCII 9->42 dropped 12 _microsoft_corporation.exe 15 135 9->12         started        17 winrar_x64_701ar.exe 1 24 9->17         started        process6 dnsIp7 58 api.telegram.org 149.154.167.220, 443, 49743, 49744 TELEGRAMRU United Kingdom 12->58 60 icanhazip.com 104.16.185.241, 49741, 80 CLOUDFLARENETUS United States 12->60 62 2 other IPs or domains 12->62 44 C:\Users\user\AppData\...\YPSIACHYXW.png, ASCII 12->44 dropped 46 C:\Users\user\AppData\...\WUTJSCBCFX.jpg, ASCII 12->46 dropped 48 C:\Users\user\AppData\...\ZBEDCJPBEY.jpg, ASCII 12->48 dropped 50 2 other malicious files 12->50 dropped 78 Antivirus detection for dropped file 12->78 80 Multi AV Scanner detection for dropped file 12->80 82 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 12->82 84 5 other signatures 12->84 19 cmd.exe 12->19         started        22 cmd.exe 12->22         started        file8 signatures9 process10 signatures11 74 Uses netsh to modify the Windows network and firewall settings 19->74 76 Tries to harvest and steal WLAN passwords 19->76 24 conhost.exe 19->24         started        26 chcp.com 19->26         started        28 netsh.exe 19->28         started        30 findstr.exe 19->30         started        32 conhost.exe 22->32         started        34 chcp.com 22->34         started        36 netsh.exe 22->36         started        process12
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5/
Threat name:
Win32.Ransomware.RedLine
Create hunting rule
Status:
Malicious
First seen:
2024-08-13 13:05:43 UTC
File Type:
PE (.Net Exe)
Extracted files:
731
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4nrvxasdrzjwmnuvlyx64jiqooyqhct6aauvuhqo7madvvezmxkq._file
Verdict:
malicious
Similar samples:
c055e6624eab73b83a7b66a79b30da9df9e4e0d35011c0db88b2180dcecb9801
njrat
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty botnet:default credential_access discovery persistence privilege_escalation rat spyware stealer
Link:
https://tria.ge/reports/240813-yhhtdsxelk/
Behaviour
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Drops desktop.ini file(s)
Looks up external IP address via web service
Looks up geolocation information via web service
.NET Reactor proctector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Async RAT payload
Credentials from Password Stores: Credentials from Web Browsers
AsyncRat
StormKitty
StormKitty payload
Malware Config
C2 Extraction:
127.0.0.1:6606
127.0.0.1:7707
127.0.0.1:8808
https://api.telegram.org/bot5912059723:AAEvmpZvnGHJALjBBXk_PBuStnzDRsTe4-M/sendMessage?chat_id=750182271
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/03bd1bea-bf72-446d-8f1b-ab857cbc4072
Unpacked files
SH256 hash:
5ea467d548d41b747370a235c9a245910ed58d55482a48246196faf391213c24
MD5 hash:
b2795fbed63c8c1b0846b3eaeae2fe0f
SHA1 hash:
d1145cff21e008c9ad581ccf1719139d754355de
Detections:
MAL_Malware_Imphash_Mar23_1
Create hunting rule
SUSP_OBF_NET_Reactor_Native_Stub_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/b1f64ce4-41e3-4c70-b5b4-e8a5fb5f80fb/
SH256 hash:
03040b9b919d1b2ec8b2d754459eeac9f2584dc16ba9335f8706f24f17dc5299
MD5 hash:
ced04a3b769946240bf236520dd9b3d4
SHA1 hash:
774c98b0feea97003d2af68b19c2be840ce35a9a
Link:
https://www.unpac.me/results/b1f64ce4-41e3-4c70-b5b4-e8a5fb5f80fb/
SH256 hash:
e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5
MD5 hash:
1c8908102946928867ab16f2007b35cc
SHA1 hash:
7e08b98299e0195a013e53221e3c2efb149eb4ce
Link:
https://www.unpac.me/results/b1f64ce4-41e3-4c70-b5b4-e8a5fb5f80fb/
Malware family:
RedNet
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e3635b82438e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e3635b82438e536636955e2fee251073b1038a7e00295a1e0efb003ad49965d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekSHen
Description:Detects RedLine infostealer
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments