MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e3bb8c334350185803b3863f71d6fced186b373e8768bb537e371dff11f74386. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	e3bb8c334350185803b3863f71d6fced186b373e8768bb537e371dff11f74386
SHA3-384 hash:	095c5c87cf11ac5139bb604612f5110954afd53d2103c2bc48b1b1adbfda2ebc8f7b6dbdf9b97849d55a0438f37bbfc2
SHA1 hash:	eaa28117b8e8afe4aac650781861cfaa754bda97
MD5 hash:	05c1fe0245384fabe8487887c2f22549
humanhash:	purple-salami-louisiana-mexico
File name:	e3bb8c334350185803b3863f71d6fced186b373e8768bb537e371dff11f74386
Download:	download sample
Signature	njrat Create hunting rule
File size:	1'125'888 bytes
First seen:	2020-06-10 11:54:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2e5467cba76f44a088d39f78c5e807b6 (131 x DCRat, 112 x njrat, 79 x RedLineStealer)
ssdeep	24576:FwZML5rTh042WBTAR07kXeQHT+0nU6qHQ53HON1:txlZFAR07kHBnU6qsi
TLSH	2A353389C16A6963CCA900B7963FBC264CF353461904A7BF98331258A4FF59E7C9D2F4
Reporter	JAMESWT_WT
Tags:	NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

Win32.Packed.EnigmaProtector

Status:

Malicious

First seen:

2020-06-09 00:48:47 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4o5yym2dkamfqa5tqy7xdvx45umgwnz6q5ulwu36g4o76epxioda._file

Verdict:

malicious

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat evasion persistence trojan

Link:

https://tria.ge/reports/201109-1y8w7vrnys/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Modifies Windows Firewall

njRAT/Bladabindi

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample