MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0
SHA3-384 hash: a76ad2ef2e8717f2901dc4f451e2f7051eb3772c25658b43f1724e68881956f37dbddd2ae72e473e6d86e46d989be83b
SHA1 hash: f367a442469bbec9b95eb7c4e0c8feeff26a2830
MD5 hash: 18eda6136733eeceecffb3ba497a625d
humanhash: florida-happy-one-sink
File name:MIDNIGHT.exe
Download: download sample
Signature njrat
Create hunting rule
File size:1'444'352 bytes
First seen:2024-08-24 19:49:29 UTC
Last seen:2024-08-26 18:17:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:w9JNGcVkXLh3/ZjHGv6FQYTICqIKIfwkGbPE+Kiakw31vINTQeep+ck4649y3xeM:w9JNZiLhPZivG6LsIPPqkw6NTJeFkd4u
Threatray 1'696 similar samples on MalwareBazaar
TLSH T167653313F7E0682EC3A924F34DD0990544101A97568ED2A3AB41D56E1F77A3D3BFA2CA
TrID 56.5% (.EXE) Win64 Executable (generic) (10523/12/4)
11.0% (.ICL) Windows Icons Library (generic) (2059/9)
10.9% (.EXE) OS/2 Executable (generic) (2029/13)
10.7% (.EXE) Generic Win/DOS Executable (2002/3)
10.7% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:exe NjRAT


Avatar
iamaachum
YouTube Video => https://disk.yandex.ru/d/AAvin8ruatOZ4w

Intelligence

File Origin
# of uploads :
2
# of downloads :
411
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
dcrat
Create hunting rule
ID:
1
File name:
MIDNIGHT.exe
Verdict:
Malicious activity
Analysis date:
2024-08-24 19:51:00 UTC
Tags:
dcrat rat remote darkcrystal stealer xworm netreactor
Link:
https://app.any.run/tasks/09a166e9-d345-429e-aadd-a469058c6731

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Packy-10033570-0
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66ca396be7ff3f5a063be3a4
Tags:
Execution Generic Network Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Loading a suspicious library
Creating a file in the Windows subdirectories
Creating a file in the Program Files subdirectories
Running batch commands
Launching a process
DNS request
Connection attempt
Sending an HTTP POST request
Creating a window
Unauthorized injection to a recently created process
Adding an exclusion to Microsoft Defender
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/66ca396acf0999714ca52b75/reports/681f2000-0416-473e-b2ad-96e28adbd64a/overview
Verdict:
Malicious
Labled as:
MSIL.Packy.Generic
Link:
https://www.hybrid-analysis.com/sample/e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
XWorm
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d25279a3-d7ee-4977-bf99-8ee0bd41a7c7
Result
Threat name:
DCRat, PureLog Stealer, XWorm, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1498480
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Found malware configuration
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected DCRat
Yara detected PureLog Stealer
Yara detected XWorm
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1498480 Sample: MIDNIGHT.exe Startdate: 24/08/2024 Architecture: WINDOWS Score: 100 78 september-am.gl.at.ply.gg 2->78 80 782652cm.n9sh.top 2->80 96 Multi AV Scanner detection for domain / URL 2->96 98 Suricata IDS alerts for network traffic 2->98 100 Found malware configuration 2->100 102 19 other signatures 2->102 9 MIDNIGHT.exe 4 2->9         started        13 svchost.exe 2->13         started        signatures3 process4 dnsIp5 68 C:\Users\user\AppData\Local\Temp\loader.exe, PE32 9->68 dropped 70 C:\Users\user\AppData\Local\...\XClient.exe, PE32 9->70 dropped 72 C:\Users\user\AppData\...\MIDNIGHT.exe.log, CSV 9->72 dropped 104 Bypasses PowerShell execution policy 9->104 106 Adds a directory exclusion to Windows Defender 9->106 16 loader.exe 4 19 9->16         started        20 XClient.exe 1 9->20         started        22 powershell.exe 23 9->22         started        24 powershell.exe 23 9->24         started        84 127.0.0.1 unknown unknown 13->84 file6 signatures7 process8 file9 60 C:\Users\user\Desktop\xpwTYCaf.log, PE32 16->60 dropped 62 C:\Users\user\Desktop\pCQeEWrB.log, PE32 16->62 dropped 64 C:\Users\Default\Videos\fontdrvhost.exe, PE32 16->64 dropped 66 5 other malicious files 16->66 dropped 86 Antivirus detection for dropped file 16->86 88 Multi AV Scanner detection for dropped file 16->88 90 Machine Learning detection for dropped file 16->90 26 cmd.exe 16->26         started        92 Adds a directory exclusion to Windows Defender 20->92 29 powershell.exe 20->29         started        31 powershell.exe 20->31         started        33 powershell.exe 20->33         started        35 powershell.exe 20->35         started        94 Loading BitLocker PowerShell Module 22->94 37 conhost.exe 22->37         started        39 conhost.exe 24->39         started        signatures10 process11 signatures12 108 Uses ping.exe to sleep 26->108 110 Uses ping.exe to check the status of other devices and networks 26->110 41 ULqbCRrNspEsLazxJC.exe 26->41         started        46 conhost.exe 26->46         started        48 chcp.com 26->48         started        50 PING.EXE 26->50         started        112 Loading BitLocker PowerShell Module 29->112 52 conhost.exe 29->52         started        54 conhost.exe 31->54         started        56 conhost.exe 33->56         started        58 conhost.exe 35->58         started        process13 dnsIp14 82 782652cm.n9sh.top 80.211.144.156, 49736, 49737, 49738 ARUBA-ASNIT Italy 41->82 74 C:\Users\user\Desktop\tAZUrsZL.log, PE32 41->74 dropped 76 C:\Users\user\Desktop\OUyihgoW.log, PE32 41->76 dropped 114 Multi AV Scanner detection for dropped file 41->114 116 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 41->116 118 Tries to harvest and steal browser information (history, passwords, etc) 41->118 file15 signatures16
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0/
Threat name:
ByteCode-MSIL.Trojan.XWormRAT
Create hunting rule
Status:
Malicious
First seen:
2024-08-24 19:50:04 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
4
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4vqo3k5k62muz4mfin7nvhsbcw6mjcrf3fgoiavwcc4usbj4ndaa._file
Verdict:
malicious
Similar samples:
14cf7648123e018dcdfc2aa386135a0510a9f7b12b8bc125ad4e32fd7f16999c
njrat
25179f1c63031ba0b4daf7ff315f008d6f794eed2b5d486c796457cd4a8b4bce
njrat
4b0446befa42f4a40fd06635aaa72fb34dfbaa7575fb1f811df6f4fad90f53b4
njrat
515b7bd886b37d24fa02bb3d9b1ecf31f887bb46834787771722236d40c565c7
njrat
7890c98fda5bae9bcb1b6d41a7635ed385682728d810bb86b7d41981cc2b5f88
njrat
+ 1'686 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm credential_access discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/240824-yj8q7swdpg/
Behaviour
Modifies registry class
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Credentials from Password Stores: Credentials from Web Browsers
Detect Xworm Payload
Xworm
Malware Config
C2 Extraction:
september-am.gl.at.ply.gg:11177
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a0ac2881-a888-44fd-b527-329cab88a253
Unpacked files
SH256 hash:
d29f332c6b049cd51cef8b50e0174f1e9e8aa0a50858558490a64bbd23291a56
MD5 hash:
e29081b6a3a9204379abd03cb3c8b622
SHA1 hash:
a3188fbec97b43c8eb09fdf153e720a05b6d23ca
Detections:
XWorm
Create hunting rule
win_xworm_w0
Create hunting rule
Link:
https://www.unpac.me/results/0600c900-2529-45fc-9e34-b2e59394e53e/
Parent samples :
e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0
d29f332c6b049cd51cef8b50e0174f1e9e8aa0a50858558490a64bbd23291a56
SH256 hash:
0380ad0e1ec6b522801c179cac24a5da871e0b46cb51ce7d16ca1faf9ac39185
MD5 hash:
5b7097912960607daaa5512ac31c0963
SHA1 hash:
0a62161b748dafedd1765bf0754e1ac679d0ca9f
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/0600c900-2529-45fc-9e34-b2e59394e53e/
Parent samples :
e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0
0380ad0e1ec6b522801c179cac24a5da871e0b46cb51ce7d16ca1faf9ac39185
SH256 hash:
e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0
MD5 hash:
18eda6136733eeceecffb3ba497a625d
SHA1 hash:
f367a442469bbec9b95eb7c4e0c8feeff26a2830
Link:
https://www.unpac.me/results/0600c900-2529-45fc-9e34-b2e59394e53e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe e560edabaaf6994cf185437eda9e4115bcc48a25d94ce402b610b949053c68c0

(this sample)

njrat

Executable exe d29f332c6b049cd51cef8b50e0174f1e9e8aa0a50858558490a64bbd23291a56

  
Link
https://tria.ge/240824-yd61esxfjl
  
Dropping
XWorm
  
Dropping
DCRat
  
Delivery method
Distributed via web download
  
Dropping
SHA256 d29f332c6b049cd51cef8b50e0174f1e9e8aa0a50858558490a64bbd23291a56
  
Dropping
MD5 e29081b6a3a9204379abd03cb3c8b622
  
Dropping
SHA256 0380ad0e1ec6b522801c179cac24a5da871e0b46cb51ce7d16ca1faf9ac39185
  
Dropping
MD5 5b7097912960607daaa5512ac31c0963

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments