MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e69ad684b9ce869c919a006405130fb0eb918d38ec2372d0fc69372438d62551. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 16



SHA256 hash: e69ad684b9ce869c919a006405130fb0eb918d38ec2372d0fc69372438d62551
SHA3-384 hash: 7d29c2eae3df17755852bef7a3bacf4a2f90ecf225fcbc2e7bb82bc23e5a5641cd79c60c2f96ab0ce6414685c415c27a
SHA1 hash: c4d113bdc52299a7747a6583fce8b4e0b84d9b44
MD5 hash: 5932e512fca596de1fa5774a45744d81
humanhash: fifteen-single-ohio-burger
File name: 5932E512FCA596DE1FA5774A45744D81.exe
Signature: njrat
File size: 1'314'816 bytes
First seen: 2023-07-06 00:10:30 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5c6c023aef8e72fac6ba76f96f31fdfc (2 x njrat, 1 x DCRat)
ssdeep: 24576:b255Z6Cl6D/NkA+oRQkXAhaAOiMmY3DJYv2crSxYu:Gn6Clc1kApRNQvOiMP82cGe
Threatray: 68 similar samples on MalwareBazaar
TLSH: T15355BB87749FA700D5BBF938E611E69C25932E26DCB940AA3A172F0BC5333D62375970
TrID: 35.7% (.EXE) Win32 Executable (generic) (4505/5/1)
      16.4% (.EXE) Win16/32 Executable Delphi generic (2072/23)
      16.0% (.EXE) OS/2 Executable (generic) (2029/13)
      15.8% (.EXE) Generic Win/DOS Executable (2002/3)
      15.8% (.EXE) DOS Executable Generic (2000/1)
dhash icon: aa86e0a023a2c469 (1 x njrat)
Reporter: abuse_ch
Tags: exe NjRAT RAT


abuse_ch
njrat C2:
209.25.141.212:27486

Intelligence


File Origin
# of uploads: 1
# of downloads: 414
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 5932E512FCA596DE1FA5774A45744D81.exe
Verdict: Malicious activity
Analysis date: 2023-07-06 00:11:33 UTC
Tags: evasion xworm

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Searching for analyzing tools
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Enabling the 'hidden' option for files in the %temp% directory
Creating a file in the Windows directory
DNS request
Sending an HTTP GET request
Creating a file in the %AppData% directory
Creating a process with a hidden window
Running batch commands
Launching a process
Enabling the 'hidden' option for recently created files
Creating a window
Searching for synchronization primitives
Unauthorized injection to a recently created process
Creating a file in the mass storage device
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Unauthorized injection to a system process
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: lolbin obfuscated packed shell32
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: njRat, AsyncRAT, XWorm
Detection: malicious
Classification: spre.troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Detected njRat
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Protects its processes via BreakOnTermination flag
Sigma detected: Drops fake system file at system root drive
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses netsh to modify the Windows network and firewall settings
Yara detected AsyncRAT
Yara detected Generic Downloader
Yara detected Njrat
Yara detected XWorm
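The signatures above, together with the ANY.RUN behaviours earlier on the page (Run-key autorun, autorun.inf on removable media, netsh firewall changes, a Defender exclusion, a svh0stt.exe lookalike dropped under C:\Windows and a svchost.exe copy at the drive root), map onto a handful of endpoint detections. The following is an added example, not code from MalwareBazaar or from any of the sandbox vendors: a small Python hunt over constructed Sysmon-style events. The event records, rule names and helper functions are my own; only the file names and paths echo what the sandboxes report above.

```python
"""Behavioural hunt over endpoint telemetry for the persistence and evasion
steps listed above.  Added example, not from the page or any sandbox vendor.
Event records are constructed here, loosely shaped like Sysmon process-create,
file-create and registry-set events, and are not real telemetry."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Directories from which the genuine copies of core system binaries run.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Names the sample reuses or typosquats ("svh0stt.exe", copies of svchost.exe).
SYSTEM_NAMES = ("svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "conhost.exe")
# Path fragments a standard user can write to; Run keys pointing here are suspect.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike names such as svh0stt.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _norm(path: str) -> str:
    return path.replace("/", "\\").strip('"').lower()


def check_process(ev: Dict[str, str]) -> List[Finding]:
    out: List[Finding] = []
    image = _norm(ev["image"])
    base = image.rsplit("\\", 1)[-1]
    in_system_dir = image.startswith(SYSTEM_DIRS)
    if base in SYSTEM_NAMES:
        if not in_system_dir:  # the real svchost.exe never runs from Temp or C:\
            out.append(Finding("system_name_outside_system_dir", image))
    else:
        # Map digit lookalikes back to letters before measuring distance.
        folded = base.translate(str.maketrans("0135", "oles"))
        for name in SYSTEM_NAMES:
            if levenshtein(folded, name) <= 2:
                out.append(Finding("typosquat_system_name", f"{image} ~ {name}"))
                break
    cmd = ev.get("cmdline", "").lower()
    if base == "netsh.exe" and "firewall" in cmd and ("add" in cmd or "set" in cmd):
        out.append(Finding("netsh_firewall_change", ev["cmdline"]))
    if "add-mppreference" in cmd and "-exclusion" in cmd:
        out.append(Finding("defender_exclusion_added", ev["cmdline"]))
    return out


def check_file(ev: Dict[str, str]) -> List[Finding]:
    path = _norm(ev["path"])
    if not DRIVE_ROOT.match(path):
        return []
    base = path[3:]
    if base == "autorun.inf":            # USB spreading (Creates autorun.inf)
        return [Finding("autorun_inf_at_drive_root", ev["path"])]
    if base in SYSTEM_NAMES:             # Sigma: fake system file at system root drive
        return [Finding("fake_system_file_at_drive_root", ev["path"])]
    return []


def check_registry(ev: Dict[str, str]) -> List[Finding]:
    if not RUN_KEY.search(ev["key"]):
        return []
    target = _norm(ev["value"])
    if target.startswith("c:\\windows\\") and not target.startswith(SYSTEM_DIRS):
        return [Finding("run_key_to_windows_root", ev["value"])]
    if any(frag in target for frag in USER_WRITABLE):
        return [Finding("run_key_to_user_writable_path", ev["value"])]
    return []


HANDLERS: Dict[str, Callable[[Dict[str, str]], List[Finding]]] = {
    "process": check_process, "file": check_file, "registry": check_registry,
}


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        findings.extend(HANDLERS[ev["type"]](ev))
    return findings


# Constructed sample telemetry (not real logs); the first record is a benign control.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"type": "process", "image": "C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe", "cmdline": "svchost.exe"},
    {"type": "process", "image": "C:\\Windows\\svh0stt.exe", "cmdline": "svh0stt.exe"},
    {"type": "process", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": 'netsh firewall add allowedprogram "C:\\Windows\\svh0stt.exe" "svh0stt.exe" ENABLE'},
    {"type": "process", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -c Add-MpPreference -ExclusionPath C:\\Users\\user\\AppData\\Roaming\\Defender.exe"},
    {"type": "file", "path": "E:\\autorun.inf"},
    {"type": "file", "path": "C:\\svchost.exe"},
    {"type": "file", "path": "C:\\Windows\\Temp\\log.txt"},
    {"type": "registry", "key": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svh0stt",
     "value": "C:\\Windows\\svh0stt.exe"},
    {"type": "registry", "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "value": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"},
]

if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

Each rule is deliberately narrow (exact system names outside System32, a digit-folded edit distance for lookalikes, drive-root files, Run values outside the system directories) so that the benign controls in the sample set produce no findings; in production the netsh and Add-MpPreference checks would additionally be gated on the parent process, since administrators run both legitimately.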
Behaviour
Behavior Graph:
Behavior Graph ID 1267668 (process tree recovered from the graph; sample run as fNCdxSRC32.exe, start date 06/07/2023, architecture WINDOWS, score 100)
Sample-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 21 other signatures

fNCdxSRC32.exe
    drops: C:\Users\user\AppData\Local\...\svchost.exe (PE32); C:\Users\user\AppData\Local\...\XClient.exe (PE32); C:\Users\user\AppData\...\New Client.exe (PE32)
    signatures: Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Hides threads from debuggers; Drops PE files with benign system names
    +-- svchost.exe (the dropped copy)
    |     drops: C:\Windows\svh0stt.exe (PE32)
    |     signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them
    |     +-- svh0stt.exe
    |           network: structure-tour.at.ply.gg 209.25.141.212:27475 (COGECO-PEER1CA, Canada); 192.168.2.1 (unknown)
    |           drops: C:\svchost.exe (PE32); C:\...\90e01f40b77fe25a11d52d46dae82c17.exe (PE32); C:\autorun.inf
    |           signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag; 8 other signatures
    |           +-- netsh.exe
    |                 +-- conhost.exe
    +-- XClient.exe
    |     network: ip-api.com 208.95.112.1:80 (TUT-ASUS, United States)
    |     signatures: May check the online IP address of the machine; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
    +-- New Client.exe
          drops: C:\Users\user\AppData\Roaming\Defender.exe (PE32); C:\Defender.exe (PE32)
          +-- Defender.exe
          +-- cmd.exe
                +-- conhost.exe
                +-- choice.exe
Threat name: Win32.Backdoor.Bladabhindi
Status: Malicious
First seen: 2023-07-01 17:48:51 UTC
File Type: PE (Exe)
Extracted files: 10
AV detection: 28 of 38 (73.68%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:njrat family:xworm botnet:lox evasion persistence rat trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Drops file in Windows directory
Drops autorun.inf file
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Looks up external IP address via web service
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Xworm
njRAT/Bladabindi
Malware Config
C2 Extraction:
127.0.0.1:27486
structure-tour.at.ply.gg:27475
programs-scsi.at.ply.gg:27411
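Added example (not from the page): turning the C2 extraction above into a network hunt. Two caveats the page itself shows: 127.0.0.1:27486 is a non-routable placeholder that should be filtered, not searched for; and the *.at.ply.gg names are tunnel hostnames issued by the playit.gg service, so the IP they resolve to belongs to the tunnel provider and can be reassigned (the page shows 209.25.141.212 with port 27486 in the reporter's comment and port 27475 in the sandbox connection). The durable indicators are the hostname:port pairs, which is why the script matches on names first and then enriches them with the answers in the organisation's own DNS logs. The DNS and connection log lines are constructed for the demo; 198.51.100.23 is a documentation address standing in for whatever programs-scsi.at.ply.gg actually resolved to.

```python
"""Turn the C2 extraction above into a network hunt.  Added example, not part
of the page.  The C2 list is copied from the Malware Config section; the DNS
and connection log lines are constructed for the demo and are not real
telemetry."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

C2_EXTRACTION = """\
127.0.0.1:27486
structure-tour.at.ply.gg:27475
programs-scsi.at.ply.gg:27411
"""

# Constructed logs: "<ts> <client> <qname> <rtype> <answer>" and
# "<ts> <src ip:port> <dst ip:port> <proto>".
DNS_LOG = """\
2023-07-06T00:12:01Z 10.0.0.5 structure-tour.at.ply.gg A 209.25.141.212
2023-07-06T00:13:40Z 10.0.0.9 programs-scsi.at.ply.gg A 198.51.100.23
2023-07-06T00:14:02Z 10.0.0.7 ip-api.com A 208.95.112.1
"""
CONN_LOG = """\
2023-07-06T00:12:02Z 10.0.0.5:51234 209.25.141.212:27475 tcp
2023-07-06T00:12:05Z 10.0.0.5:51240 209.25.141.212:443 tcp
2023-07-06T00:13:41Z 10.0.0.9:51300 198.51.100.23:27411 tcp
2023-07-06T00:14:03Z 10.0.0.7:44000 208.95.112.1:80 tcp
"""


@dataclass(frozen=True)
class Ioc:
    host: str
    port: int


@dataclass(frozen=True)
class Hit:
    kind: str       # "dns_query", "c2_connection" or "c2_ip_other_port"
    client: str
    indicator: str


def parse_c2(text: str) -> List[Ioc]:
    """Parse host:port lines as extracted from the sample's configuration."""
    iocs = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        iocs.append(Ioc(host.strip("[]").lower(), int(port)))
    return iocs


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_actionable(ioc: Ioc) -> bool:
    """Drop loopback, private and other non-routable addresses: RAT builders
    leave placeholders such as 127.0.0.1 in the config, and those can never
    appear as a destination in perimeter logs."""
    if not is_ip(ioc.host):
        return True
    ip = ipaddress.ip_address(ioc.host)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified or ip.is_reserved)


def hunt(c2_text: str, dns_log: str, conn_log: str) -> List[Hit]:
    iocs = [i for i in parse_c2(c2_text) if is_actionable(i)]
    by_host: Dict[str, Ioc] = {i.host: i for i in iocs}
    hits: List[Hit] = []
    # IPs to watch in connection logs: literal IP IOCs plus whatever our own
    # resolvers answered for the IOC hostnames (tunnel IPs change, names persist).
    watch: Dict[str, Tuple[str, int]] = {i.host: (i.host, i.port) for i in iocs if is_ip(i.host)}
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _rtype, answer = line.split()
        qname = qname.lower().rstrip(".")
        if qname in by_host:
            hits.append(Hit("dns_query", client, qname))
            if is_ip(answer):
                watch[answer] = (qname, by_host[qname].port)
    for line in conn_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _proto = line.split()
        client = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        if dst_ip in watch:
            name, port = watch[dst_ip]
            # Same IP on another port is weaker evidence: tunnel hosts are shared.
            kind = "c2_connection" if int(dst_port) == port else "c2_ip_other_port"
            hits.append(Hit(kind, client, f"{name} ({dst_ip}:{dst_port})"))
    return hits


if __name__ == "__main__":
    for h in hunt(C2_EXTRACTION, DNS_LOG, CONN_LOG):
        print(f"{h.kind:18} {h.client:10} {h.indicator}")
```

The ip-api.com lookup seen in the sandbox run is deliberately left out of the watch list: it is a generic external-IP service that plenty of legitimate software queries, so it is context for triage rather than an indicator to alert on.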
Unpacked files
SHA256 hash: e08a417139236da437b7cced4acee4f30b4e06e1067c436aa54c99bd637d45e8
MD5 hash: 24ebec5d3a911754938ac9bea7921625
SHA1 hash: a79b84b232baf16f79780bdcf3171171f637684b
Detections:
SHA256 hash: fffab737446fb972d49ddc851cfcd103323f499b54ee99ceeba2dbfa0cc46877
MD5 hash: 7512d672a1aa2990358a8edb98b8756e
SHA1 hash: 0240bd7397bfd80fe13df3039122c0802a71c5cf
Detections: NjRat, win_njrat_w1
SHA256 hash: e69ad684b9ce869c919a006405130fb0eb918d38ec2372d0fc69372438d62551
MD5 hash: 5932e512fca596de1fa5774a45744d81
SHA1 hash: c4d113bdc52299a7747a6583fce8b4e0b84d9b44
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

Rule name: SUSP_XORed_URL_in_EXE
Author: Florian Roth (Nextron Systems)
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834

Rule name: SUSP_XORed_URL_in_EXE_RID2E46
Author: Florian Roth
Description: Detects an XORed URL in an executable
Reference: https://twitter.com/stvemillertime/status/1237035794973560834
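The two SUSP_XORed_URL_in_EXE rules above work by applying YARA's `xor` string modifier to "http://" and "https://", which tries every single-byte key, and flagging MZ files in which obfuscated prefixes outnumber plaintext ones. The block below is an added example that reimplements that idea in Python so the matches can also be decoded; it is not the rule itself, the suspicious/benign threshold is my approximation of the rule's condition, and the input buffer (with documentation-range IPs) is constructed here.

```python
"""Single-byte-XOR URL finder: the technique behind SUSP_XORed_URL_in_EXE.
Added example, not the rule itself.  YARA's `xor` string modifier tries every
one-byte key for "http://" and "https://"; the rule then compares the number
of obfuscated hits with the number of plaintext ones in an MZ file.  The
threshold logic below is my approximation of that, and the sample buffer is
constructed (203.0.113.5 and 198.51.100.7 are documentation addresses)."""
from typing import List, Tuple

PREFIXES = (b"http://", b"https://")


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xored_urls(buf: bytes, max_len: int = 128) -> List[Tuple[int, int, bytes]]:
    """Return (offset, key, decoded_url) for every http:// or https:// that
    appears XORed with a single non-zero byte.  Key 0 is the plaintext case,
    which the rule counts separately and treats as benign."""
    hits: List[Tuple[int, int, bytes]] = []
    for key in range(1, 256):
        for prefix in PREFIXES:
            needle = xor_bytes(prefix, key)
            start = 0
            while (off := buf.find(needle, start)) >= 0:
                decoded = bytearray()
                for b in buf[off:off + max_len]:
                    c = b ^ key
                    if c < 0x21 or c > 0x7E:   # URL ends at NUL, space or control byte
                        break
                    decoded.append(c)
                hits.append((off, key, bytes(decoded)))
                start = off + 1
    return sorted(hits)


def looks_suspicious(buf: bytes) -> bool:
    """Rule-style verdict: an MZ file with more XOR-hidden URL prefixes than
    plaintext ones is worth a look.  The real rules add false-positive exclusions."""
    if buf[:2] != b"MZ":
        return False
    plain = sum(buf.count(p) for p in PREFIXES)
    return len(find_xored_urls(buf)) > plain


def demo_buffer() -> bytes:
    """Constructed stand-in for a packed PE: one plaintext URL plus two
    NUL-terminated URLs XORed with different keys, padded with zero bytes."""
    hidden = [
        (0x5A, b"http://203.0.113.5:27475/gate"),
        (0x3C, b"https://198.51.100.7/update.bin"),
    ]
    buf = b"MZ" + b"\x00" * 30 + b"https://www.example.com/\x00" + b"\x00" * 8
    for key, url in hidden:
        buf += xor_bytes(url + b"\x00", key) + b"\x00" * 8
    return buf


if __name__ == "__main__":
    for off, key, url in find_xored_urls(demo_buffer()):
        print(f"offset {off:#06x} key {key:#04x}: {url.decode()}")
    print("suspicious:", looks_suspicious(demo_buffer()))
```

Decoding stops at the first byte that XORs to a non-printable value, which is why the hidden strings in the demo are NUL-terminated before encoding; a multi-byte or rolling key defeats this scan entirely, which is the limit of the YARA `xor` modifier as well.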

File information



Comments