MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec7a3cad963d387d0eb81abd5fe7db17c6aa634ac30ff8485447eec2b5cd3dcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 19

Intelligence 19 IOCs YARA 9 File information Comments

SHA256 hash:	ec7a3cad963d387d0eb81abd5fe7db17c6aa634ac30ff8485447eec2b5cd3dcb
SHA3-384 hash:	fed914ad2289f52bdd2440b8d3069a291c15dfbd3731fc5ea11ef473ccdd3814f14c65c89c32630634da0789125f5711
SHA1 hash:	8343262ce152b88508474457db596b5035586155
MD5 hash:	145ec63fa85b1dd8c0a4c528a3b15cc6
humanhash:	utah-ink-echo-pluto
File name:	1727246228bf52474d96d0c91d76eecd39cfb06284f20ad0f3e787fb96b50f595788ca18c5809.dat-decoded
Download:	download sample
Signature	njrat Create hunting rule
File size:	32'768 bytes
First seen:	2024-09-25 06:37:10 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'854 x AgentTesla, 19'783 x Formbook, 12'304 x SnakeKeylogger)
ssdeep	384:u0bUe5XB4e0XOOSSGgFS6Z/73xWTStTUFQqz9UtObbi:/T9BuNSgS6BNJCbi
Threatray	948 similar samples on MalwareBazaar
TLSH	T111E209467BA58215C6BD5AFC8CB313114772E3438532EBAF5CDC58CA4BA76D04241EE9
TrID	51.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.4% (.EXE) Win64 Executable (generic) (10523/12/4) 4.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	abuse_ch
Tags:	base64-decoded exe NjRAT

abuse_ch

Malware dropped as base64 encoded payload

Intelligence

File Origin

# of uploads :

# of downloads :

475

Origin country :

Vendor Threat Intelligence

Malware family:

njrat

ID:

File name:

1727246228bf52474d96d0c91d76eecd39cfb06284f20ad0f3e787fb96b50f595788ca18c5809.dat-decoded

Verdict:

Malicious activity

Analysis date:

2024-09-25 07:05:56 UTC

Tags:

njrat

Link:

https://app.any.run/tasks/810bd8d4-89c9-4334-9750-ec0b01ab76a0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.njRAT-7445143-0

Win.Dropper.Detected-9941784-0

Win.Dropper.Nanocore-10030076-0

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=66f3afcd8aca58c2b2c733fc

Tags:

Network Stealth Bladabindi Micro Tori Msil

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

DNS request

Connection attempt

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

backdoor cmd keylogger lolbin njrat rat vbnet

Link:

https://www.filescan.io/uploads/66f3afce0411a5a380cc746a/reports/f4facf26-ca45-4468-bc13-16ca092ebdaa/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/ec7a3cad963d387d0eb81abd5fe7db17c6aa634ac30ff8485447eec2b5cd3dcb

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

njRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d8690244-c459-4ab4-b9b1-55f47cc470d4

Result

Threat name:

Njrat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1517930

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Uses dynamic DNS services

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ec7a3cad963d387d0eb81abd5fe7db17c6aa634ac30ff8485447eec2b5cd3dcb

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/ec7a3cad963d387d0eb81abd5fe7db17c6aa634ac30ff8485447eec2b5cd3dcb/

Threat name:

ByteCode-MSIL.Backdoor.njRAT

Status:

Malicious

First seen:

2024-09-25 06:38:04 UTC

File Type:

PE (.Net Exe)

AV detection:

24 of 24 (100.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5r5dzlmwhu4h2dvydk6v7z63c7dkuy2kymh7qscui7xmfnonhxfq._file

Verdict:

malicious

Label(s):

njrat

3f24a0243264894973daaddd665b311850024f99a47f935ca6ecba0d95f5f283

njrat

4e5ded274678eb23a00ebdd9c03de6d04467a6452275ce76f0224a067f241917

njrat

8e9629451b8a090834f96bd6688184ad7a18aacd33784193f273c7796e3c01b3

njrat

91b1b82d19155a4028599299e72779af33147ef437bbe72055550fe8315ce8db

njrat

928fa2abb515bdef1c998054997b1d16b4030dfeee4640b3bd2508e43bea06a5

njrat

cabefcbafeb635832ee95c34da10993a8e47231de1bae661d3448e5ddd7aa2f3

njrat

+ 938 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat botnet:nyan cat discovery

Link:

https://tria.ge/reports/240925-hd2spstcra/

Behaviour

Suspicious use of AdjustPrivilegeToken

System Location Discovery: System Language Discovery

Malware Config

C2 Extraction:

notificadoresrma.duckdns.org:2054

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/e8497dd1-3220-42cc-963e-875b3d13d94f

Unpacked files

SH256 hash:

ec7a3cad963d387d0eb81abd5fe7db17c6aa634ac30ff8485447eec2b5cd3dcb

MD5 hash:

145ec63fa85b1dd8c0a4c528a3b15cc6

SHA1 hash:

8343262ce152b88508474457db596b5035586155

Detections:

win_njrat

Link:

https://www.unpac.me/results/bf17bb43-f3b3-456c-9cd3-352c46d5c0a5/

Malware family:

njRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ec7a3cad963d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.97

Link:

https://yomi.yoroi.company/submissions/ec7a3cad963d387d0eb81abd5fe7db17c6aa634ac30ff8485447eec2b5cd3dcb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ByteCode_MSIL_Backdoor_NjRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects NjRAT backdoor.

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	njrat_v1 Create hunting rule
Author:	RandomMalware

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_njrat_bytecodes_V2_oct_2023 Create hunting rule
Author:	Matthew @ Embee_Research

Rule name:	yarahub_win_njrat_bytecodes_V2_oct_2023 Create hunting rule
Author:	Matthew @ Embee_Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

bf52474d96d0c91d76eecd39cfb06284f20ad0f3e787fb96b50f595788ca18c5

njrat

exe ec7a3cad963d387d0eb81abd5fe7db17c6aa634ac30ff8485447eec2b5cd3dcb

(this sample)

Dropped by

SHA256 bf52474d96d0c91d76eecd39cfb06284f20ad0f3e787fb96b50f595788ca18c5

Dropped by

MD5 3663c5bcddef15580d853428081990dc

URLhaus

https://urlhaus.abuse.ch/url/3190183/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample