MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efa8cf6765c00f318727086bed949c107f0fdd0a12e05189018f540192155ddb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efa8cf6765c00f318727086bed949c107f0fdd0a12e05189018f540192155ddb
SHA3-384 hash: 4f8cbc0afc18a89ae9b1fe26de3f429cddc23f5d233df2fb61f7ab0b6034b620d1321c7cb2a9eca9d232599e58c36f0f
SHA1 hash: d70988e4ef8ee35e97c6e29266733ab1b9c8d7dd
MD5 hash: 5dd9276b9ab06cafca7422d880ec9edd
humanhash: lactose-early-mississippi-ten
File name:5dd9276b9ab06cafca7422d880ec9edd.exe
Download: download sample
Signature njrat
Create hunting rule
File size:168'960 bytes
First seen:2022-09-25 23:10:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:ZSDZj/VT68wEDP/i7/0pNgRUYQyOscE8W4+bT7lEVLL9:ZSpyspIUVyffL/b/UP
Threatray 5'908 similar samples on MalwareBazaar
TLSH T134F34A5A778A4B10D5BC1C7190EF553003F1DAC31632F78A2FC86AAD9E122D69E4D7CA
TrID 48.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
20.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
8.6% (.SCR) Windows screen saver (13101/52/3)
6.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
212.174.242.50:6522

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
212.174.242.50:6522 https://threatfox.abuse.ch/ioc/851638/

Intelligence

File Origin
# of uploads :
1
# of downloads :
307
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/313334/
Detection(s):
Win.Packed.Razy-9960873-0
Create hunting rule

Win.Packed.Barys-6880522-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling a "Do not show hidden files" option
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm cmd.exe eventvwr.exe keylogger njrat obfuscated packed rat
Link:
https://www.filescan.io/uploads/6330e008d192c333bf3cd761/reports/fc7e0348-9089-4e68-a0b2-486686e3b4e7/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c980a470-1a74-40fb-b529-79ff096086d7
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1077046
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efa8cf6765c00f318727086bed949c107f0fdd0a12e05189018f540192155ddb/
Threat name:
Win32.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-09-24 13:55:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
24 of 26 (92.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=56um6z3fyahtdbzhbbv63fe4cb7q7xikclqfdcibr5kadeqvlxnq._file
Verdict:
malicious
Similar samples:
1185375a3412384ef2b76085dd8105b6d1ae9883154cf6129653325a40484013
njrat
2edc5f308e2dc9af2514cee46e1b73e40cabd03b5756e8993aad2e08a817d80b
njrat
32ff5787da7645739eb059af2c09432f0b25401acfbc58a0f576ca6123bbee44
njrat
618f4050d767d0c8f835ec3fa9e46b85b9291062a2e381122852238fa84c95f7
njrat
9ef8bc32ed08c4a8e02fb67262275a242db4a80a177c175c66c054ac618145d7
njrat
b1eb6dca624a1a78cd91360e6af46b0d7bc0afaca59ddf35cfff0ed2b9df4119
njrat
e414709eff086bf9652b2990488603a5346b60b8936c51c364e1130e5a5def0f
njrat
+ 5'898 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat persistence
Link:
https://tria.ge/reports/220925-259geahffn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/69f5b41b-41a4-4e30-b1ea-50ea3210649e
Unpacked files
SH256 hash:
efa8cf6765c00f318727086bed949c107f0fdd0a12e05189018f540192155ddb
MD5 hash:
5dd9276b9ab06cafca7422d880ec9edd
SHA1 hash:
d70988e4ef8ee35e97c6e29266733ab1b9c8d7dd
Link:
https://www.unpac.me/results/bc432801-10ca-4eb3-8504-8137016e57a5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efa8cf6765c00f318727086bed949c107f0fdd0a12e05189018f540192155ddb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla
Create hunting rule
Author:Harish Kumar P
Description:Yara Rule to Detect AgentTesla
Rule name:BAZT_B5_NOCEXInvalidStream
Create hunting rule
Rule name:NETDIC208_NOCEX_NOREACTOR
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:RansomwareTest6
Create hunting rule
Author:Daoyuan Wu
Description:Test Ransomware YARA rules
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/313334/

Comments