MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1b01db7444eacf1c44d10f564d4841c8fbfd885810bfa4da24dbcaa79188b59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1b01db7444eacf1c44d10f564d4841c8fbfd885810bfa4da24dbcaa79188b59
SHA3-384 hash: 84769c1f746f956a1a1682fcfbb4d2cc4e9d8fd341931e4834391b4c6df37862c5a8691b274241566c8f108fba255a0c
SHA1 hash: 2503e96811ec98e13f0806c472a4669cd9476dd6
MD5 hash: eee89f373c1edf70e7e8ef69a1c439a7
humanhash: romeo-fillet-friend-florida
File name:f1b01db7444eacf1c44d10f564d4841c8fbfd885810bfa4da24dbcaa79188b59
Download: download sample
Signature njrat
Create hunting rule
File size:160'768 bytes
First seen:2021-02-28 07:17:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 3072:aTCIyziDm+4YGOoNTWdgeFEN4dXhmLX1yDAPKpEqJ:72sOoNTOgeFEmBh6yD4snJ
Threatray 375 similar samples on MalwareBazaar
TLSH 11F3D72B7A44CB15DE5828B5C0EBA53013E1ADC71732F24F3F48266D1D523E7AD85ACA
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f1b01db7444eacf1c44d10f564d4841c8fbfd885810bfa4da24dbcaa79188b59
Verdict:
Malicious activity
Analysis date:
2021-02-28 07:37:35 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/72f88820-a252-40f1-a292-323a8f9449a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/119867/
Detection(s):
Win.Malware.Bladabindi-6862380-0
Create hunting rule

Win.Trojan.Bladabindi-9815414-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file
Creating a process with a hidden window
Creating a window
Connection attempt
Creating a file in the mass storage device
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621005
Signature
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1b01db7444eacf1c44d10f564d4841c8fbfd885810bfa4da24dbcaa79188b59/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-02-27 15:27:00 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6gyb3n2ej2wpdrcncd2wjveedsh37wefqef7utncjw6ku6iyrnmq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
2454d64559ffdaf95915ebea1ad0a5310fa2ef724e42d8e510e4cac97078e80f
njrat
2568dc1c5fbbec2e5a84dd95559dd89a8318d4eb1f501c33ed1d1bf861b4dca8
njrat
34931da71c14d251f6a43f21ef98c4b67bf17535d7164f154bc6206625363140
njrat
37a1dca413bedca841a9a633c04c77df208a7dcef64a26c799d01078805f8774
njrat
90f6d27c8269a6dbbfbcd3c6735ae51bcc1942defd21c547004b33265e85b7e2
njrat
93c6cc14e478c54711c794dc49dcedd43bce1a7f15de08fe279af4da5b4f84e5
njrat
a0de65c408284dfddf6318980b138aa05015686c4371853070500ff84d18cd50
njrat
b8fbf85d1eab97ed168f99eb07d13294594675a051c2056b5374630d81fd974d
njrat
c994005280c186f67dc644ffbe88a9fcf43f45b16605c3f51a138dfc262b4c50
njrat
d8151875b740aaaa169d95c2c4593579a1d57e371b2a97602a02a5496de7fd8f
njrat
+ 365 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion persistence trojan
Link:
https://tria.ge/reports/210228-y5r8e3kl6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Drops startup file
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
SH256 hash:
f1b01db7444eacf1c44d10f564d4841c8fbfd885810bfa4da24dbcaa79188b59
MD5 hash:
eee89f373c1edf70e7e8ef69a1c439a7
SHA1 hash:
2503e96811ec98e13f0806c472a4669cd9476dd6
Link:
https://www.unpac.me/results/a659dc89-065e-4b12-a47a-71b7bc147fc0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1b01db7444eacf1c44d10f564d4841c8fbfd885810bfa4da24dbcaa79188b59

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119867/

Comments