MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876
SHA3-384 hash: 1f2c2a63f2a99cbc4524727a4f8a482f4c5fe4127dfbcf2e69041945d11d07b67cc563bbd28c066544ddec693bcc7d23
SHA1 hash: ec3ce37a9a1cb7be6203a2f8f0ca0905c6fe15ff
MD5 hash: 3861a0771a80ee4a0fee71d27e55ea3b
humanhash: magazine-happy-mississippi-hamper
File name:file
Download: download sample
Signature njrat
Create hunting rule
File size:7'650'528 bytes
First seen:2024-09-10 16:17:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 98304:QsUGXWXGlsIGku5BHvj/oBpNlqYoor0jSNPbFSOUKjUUbIERKwW:Qs1GGCjr/oLNlLDNPZSkjFbKwW
TLSH T1DC76CF513694C626C0395233C8EF809413FDBE55B742DB2F78A5B71D79227A70B0A2EE
TrID 51.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
7.4% (.EXE) Win64 Executable (generic) (10523/12/4)
4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika pebin
File icon (PE):PE icon
dhash icon 614141595d414143 (1 x njrat)
Reporter jstrosch
Tags:.NET exe MSIL NjRAT


Avatar
jstrosch
Found at hxxp://103.130.147[.]211/Files/Channel5.exe by #subcrawl

Intelligence

File Origin
# of uploads :
1
# of downloads :
416
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Windows.exe
Verdict:
Malicious activity
Analysis date:
2024-09-07 09:09:44 UTC
Tags:
berbew privateloader evasion
Link:
https://app.any.run/tasks/e0f4e09d-7f1f-4848-8d6d-2d67fdd15953

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Packed.Malwarex-10033462-0
Create hunting rule

Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66e0713d76bc4542b0495bf5
Tags:
Encryption Generic Static Msil
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/66e0713b4a2597249d533780/reports/71b2295d-375f-4c14-94b3-da0301c2a958/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b5c8c381-7dc7-4f5b-8e1a-8067db4813d3
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1508815
Signature
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-09-06 21:45:33 UTC
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5kazdt53xqivyuducp763hal5pn7b3xepctkdu4ru7fjo2zgbb3a._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/240910-trx78atfqb/
Behaviour
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dcc69364-3827-4d71-8ffb-fe2368dd29bf
Unpacked files
SH256 hash:
381d65417c5972da260fc4b94b74750b5036696a5045c9aaccbe7b9e2d2321d7
MD5 hash:
9392bd8d638e15dcacfd14d305db92bb
SHA1 hash:
e090fff5421b6ca81f352de8c674c00f680de41d
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7fdf0918-6c39-463b-a77a-636ba51c23c3/
Parent samples :
c4af46f2a357b68ce8e5830d9639e0c9212c61ae5d0fd1bb283812217a14ab72
a67e68ae707f413ef9e64fa53d661c3f60c7bf466af1b547da818d9ac01e10a0
0b937b6b47796295a7ad405daee481beb8ac1268e5b2121996f1c514378968da
f7bbd59299cad16b2cb4916738ad1475f61e129763cae617f1f9184f20db1d99
8db41f098bd838123616c5fe1b05c54b047f7452dd372a6ace3ba2afa63b0a51
dab2dc490b25687fd6052d53dafa3a74d7685a5429a371a8232f1340d1d498ca
b3e2fe43f3024cc479415e745cd9826752debe4e8b208e5e5b7cc510723b787d
21381b405bbb2d1ac38f1d908e0dc8a399fb2401d2ed1c1a300a2144626f9add
09e1282f189d10eeb293867d986a722128839971746dc8592fabd2755839a8a3
9ae0469bb6518417e8cf3e431550f4ee21130757fbea543a639fff11c836e357
a29c9ebecbe58f11b98fa8f685619e46bbe0a73ca7f770a71a14051aa0bd9848
22de8b75a29407cf6a0e3d283ec31c907948d772e765c1c437d8bc1fe8efb34b
9e9c2fb86b9215aabb51108105b5c5a553f9c2d4904f8f03c4a8b7ff3602c989
a51f55434ef4466043357f63161a7e4a91194b7a8bcb53d7d6074135446f29ce
d68c0cbd111da5fb8346d2612734f34e34cc975b73c2a5729c2793dde3d3d791
fc1e9a1378fdb34e8c938554eaa897134232b07e9401e60f0667dc119c3c2ed3
dbf55dd5c00f37ec49e1b661228adcc0a286b3eabb35d2f85fc34d82076107f6
2f9767983de2257e20ce2039c83deb6bc93db04417a706be56ff077c0784aa54
de35d4193e3e6b9410a748c59bb2e0fc84ea2a3f16cc8d9d1d598fb32f0f0d4c
136a221cf955b23885b2c5a030d1363a667a8742785b02d9737b0f66e6dba6a3
ae5960c2eb7035bfe0c9a2233e4b8f965c39815a49558a19c025b7be5cf6e5fe
abea6ee012f90afa881358ede9697e15536addec7ce52f4d8bdc9429f56952a2
26de39355a5ffb112e494503f44bd63c8e2bc7dba35d58fedaaea1c84f868748
6c6e7eda17d7296d5c0c0cda8db200d0248c14f8682cbd7d3ffff110916e3cf2
1cf403233a05fd6140f33df350f8edccf51eea02746c6ba4ab3e31b32b8bab44
e9bfe09ecd33a97b7e599888c626daf2c97848aa4c2ffc6631404496fb7b312a
11f7ecd0569fba241fff758417113ab60c8f8cbed796222c3883037aa3ece16b
fce5cbeec1eb5274fc3afa55e57fb2f724688cb9d4661a8a86716011493564c7
d83c67e9aac5d88da1c30ab4d05bb0ad08358532d298e8cf60b9d8798c262ce4
45bd836cdf29ad666cc785f6df5e9ff0e43e9cb63ff06aca339fdb1f3ddbfa34
bc3a6941205c1bb9be465e5cb20842bc6ae2e7aaea8f374e1c411bd02b89b697
1814f8b1c1223b93e9b6ae699f7f8f25fb543ad511e349f39219a4ec222f4f05
65e67f728f8f7694f68156ad4ed80825739968701ea1535291d489ef3dbebe06
f7e542218783c81229c438685de0c7c29a619790796833069eddb97b2eb34d29
ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876
038ae1968e1cc1424184b684200cced6e2ddd84d4d8557fc2a10330cb754f44e
319d1dc217b7e83a85dd62cb2c066156ba5579087f11c991a99089606979ca28
aa66c3988f3631925873757ae73ac5630508a43e2eebe6c0502a4d3194de8e41
9df8349c91ff8bdee71cf3e257a0d2f6bab02dffcb92d16de350b9bc2cdef4f7
c98d20df81567c0b314ba81bb8deb937eb385eccc352fa61258c58800d53a3d6
acae26cfe00f442507c384c69eb5a85326754c214795becd65ad4e798e881a83
ca21d368d1f29efc9be3158e0bacbe66640dba8ed3cdf9ba9f6a485a2664cf05
aa2cae824c23fc15f2ef9fd64e369a78d49f1a068737a01c7697bae442971410
45a7b861baac5f8234433fefd9dbdd0a5f288a18b72346b6b6917cf56882bf85
c2f99e83841e2f7e1fb0db047e5439fbe10a8d4b991a20e17a25686ea330f012
4b5ebae450e293ef4c62d3f57738bbbf33db5e28f987ed02bef8320271adaba2
1a540e531c521fd2d18ea3b8d4d4557428fa58c08a7cd7298d35f68549cee60f
279af267d365013227156575dcf61b6977ce4051dd4632515bd224314cea7c59
e301b79d4279d52c49c886fcd0ab8acc3941c5cf28c7dd0eb57e8af81fe476fb
350b72b192ad0cef2708a199ae5e89572b3a2a868488d9cc97785ed5f4d9c5d2
d4156fd0ebb875daabc39995fd95f15356eaff32f185950889e6773551827a5c
f093c3d6caae966180b506123ceba03a980cee862c6d27ccf1cbc31a4803ad8c
86772d44d0e2a57a8c2c0c410dc8b5380b2be24d078f0c79c05c9daaa56cd682
88efb8b6990e916e7590c2bd3f734f390f7c3d7b517a5fdc1baba0a2f6fbd54c
699f99c4fe9e5df1b13445278ba21139ee16200fc94051a735609c5d5a1076f6
89e1469f5157b653a2333d3f71926c45716c0ac996272818e8944ae4771bae10
6129a8293f509d2526bddf354847bbb8616f87fbb02b1742f7aa1587427b39fe
c35431b8db327238a32ce86f4f65b57571a57ce552d79e05cd49b53d4dc66f97
ee4b3ad0ab7aa01d1c44e47bf7515628770a6d2458e4ed8f98820c5ff1883fa6
351e95c5428552bb9c7734783a64c089ff966eeb96d3f2daee601041f9c091cb
1e9928ca23eb356b43f03adc13f2c2aa9f7d18a5b832973ebbee5b0a77574022
4b5a876b1c230b28c0862d5f8158b3657016709855bf3329d8fea6cada3adbfe
9e0ad460f7b2d121b0b6aae272ecafb0a0ca1bc5dae4f97f98683be27807ad43
13bd8193c4d494467aeaaa92c318a714ee1bcf788b2f46ccb110e7a25abad428
fc4021427512de18c4f01d85a3fe16f424234a62bdbfcac7a7b818797365113d
771d0ba5b4f3b2d1c6d7a5ebe9b395e70e3d125540c28f1a0c1f80098c6775ce
d8efa36e63e09c7999fa217695f94d05e6ba642588f5a9c8f5807c8c816b93c1
446b0fdcf0c64b121801a4854ffe721e1936e88fa31c9903a8f31ecfcb5bf58f
06f579ca0e4fbc7c1217722be90aa2ed0b9c4209c9abb474e3695e5a9b834734
3bd05aa096c69b414698dcaa85732a24062f69297fb6417094cc6b879f8b3e75
SH256 hash:
d0f9c71d5f1aade6a8591a0e96fec791c9d47adcb0ce8e7f11e4f1749a718808
MD5 hash:
d12c4b66d2fc81fcce621d1759ad594c
SHA1 hash:
6b77417fefd231e1c87f325667374312bc2c4b5e
Link:
https://www.unpac.me/results/7fdf0918-6c39-463b-a77a-636ba51c23c3/
SH256 hash:
cf0233a5371442bc42f020b815f01d028db3cb45f9b6cf21683aa49510f76180
MD5 hash:
1a883f5ea59d5ec78aa33303d11d0a41
SHA1 hash:
5b2dba20f5ae77ae24ffe103f2e3de7f1abb06bc
Link:
https://www.unpac.me/results/7fdf0918-6c39-463b-a77a-636ba51c23c3/
SH256 hash:
ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876
MD5 hash:
3861a0771a80ee4a0fee71d27e55ea3b
SHA1 hash:
ec3ce37a9a1cb7be6203a2f8f0ca0905c6fe15ff
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/7fdf0918-6c39-463b-a77a-636ba51c23c3/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea8191cfbbbc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe ea8191cfbbbc115c507413ffed9c0bebdbf0eee478a6a1d391a7ca976b260876

(this sample)

  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments