MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1df003e684180821286734985d36cb53e877a027cb6cf3972dda22b1a52c679. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1df003e684180821286734985d36cb53e877a027cb6cf3972dda22b1a52c679
SHA3-384 hash: cbc44daaa521b80f99cc68d6325cbe30fa8bca81aa621e1dea7a3a664a492c70114dc3a08129651b67806566f732ff88
SHA1 hash: 669bc33564c755a7b32d0ca40ff94e31074fa23f
MD5 hash: 8b577aadd1c6d31201479cf4bef69554
humanhash: eight-carolina-yellow-speaker
File name:Paint.exe
Download: download sample
Signature njrat
Create hunting rule
File size:322'593 bytes
First seen:2023-04-19 01:20:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 12e12319f1029ec4f8fcbed7e82df162 (390 x DCRat, 52 x RedLineStealer, 51 x Formbook)
ssdeep 6144:KTouKrWBEu3/Z2lpGDHU3ykJobPmu/KOru1:KToPWBv/cpGrU3y1bPmKDK1
Threatray 719 similar samples on MalwareBazaar
TLSH T1C664C003FDC194B3C46219321B656B12AA7DBA201F658EDFB3D44E6DEE311D0E7316A2
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8291f8b6b5d9f838 (1 x njrat)
Reporter Chainskilabs
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
929
Origin country :
US US
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
Рaint.exe
Verdict:
Malicious activity
Analysis date:
2023-04-18 20:38:36 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/34492943-0ffc-402d-a750-dd24d8d4de11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383142/
Detection(s):
Win.Malware.Fugrafa-9938779-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.38920448.13962.7593.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Running batch commands
Launching a process
Creating a process from a recently created file
Creating a file in the Windows subdirectories
Launching a service
Creating a file in the %AppData% directory
Creating a file
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/80273/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/f1df003e684180821286734985d36cb53e877a027cb6cf3972dda22b1a52c679
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/8d544914-7213-4885-9b83-afef2e324df8
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1216453
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 849380 Sample: Paint.exe Startdate: 19/04/2023 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Antivirus detection for dropped file 2->51 53 4 other signatures 2->53 7 Paint.exe 10 2->7         started        10 svchost.exe 2->10         started        13 svchost.exe 3 2->13         started        15 12 other processes 2->15 process3 dnsIp4 39 C:\Users\user\AppData\Local\Temp\...\file.exe, MS-DOS 7->39 dropped 18 file.exe 1 3 7->18         started        22 cmd.exe 1 7->22         started        61 Changes security center settings (notifications, updates, antivirus, firewall) 10->61 24 MpCmdRun.exe 10->24         started        63 Query firmware table information (likely to detect VMs) 13->63 45 192.168.2.1 unknown unknown 15->45 file5 signatures6 process7 file8 37 C:\Users\user\AppData\Roaming\svchost.exe, MS-DOS 18->37 dropped 55 Antivirus detection for dropped file 18->55 57 Machine Learning detection for dropped file 18->57 59 Drops PE files with benign system names 18->59 26 svchost.exe 3 3 18->26         started        31 mspaint.exe 2 22->31         started        33 conhost.exe 22->33         started        35 conhost.exe 24->35         started        signatures9 process10 dnsIp11 43 151.237.185.211, 47736, 49697, 49698 AS57858EU Sweden 26->43 41 C:\Users\user\AppData\...\Java update.exe, MS-DOS 26->41 dropped 65 Antivirus detection for dropped file 26->65 67 System process connects to network (likely due to code injection or exploit) 26->67 69 Machine Learning detection for dropped file 26->69 71 Drops PE files to the startup folder 26->71 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f1df003e684180821286734985d36cb53e877a027cb6cf3972dda22b1a52c679/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2023-04-19 01:21:08 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
24 of 37 (64.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6hpqaptiigaieeugoneylu3mwu7io6qcps3m6ols3wrcwgssyz4q._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
59e02dea77ea89b913bb8552b5c34009f7b84a04a4c61524c42ee3edccf06e3c
njrat
7c321e4c1f7dee37aab2fd65d50987b9502a3700348ef2ab08d79a952ff27ab7
njrat
93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f
njrat
968c669247fa766c85b612db143f89228e4ee94329cf6fe62a6b78bac1b4b5c8
njrat
bd25d061e47807928047ff754e3f35793863949c20b9b13a92a3a08cbc78dee0
njrat
+ 709 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:trupashot persistence trojan
Link:
https://tria.ge/reports/230419-bqnnaafd83/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
njRAT/Bladabindi
Malware Config
C2 Extraction:
151.237.185.211:47736
Unpacked files
SH256 hash:
504dbc422a3f20c1e655c466c34c571c487e852cadf5e24ef4e12428da7d2292
MD5 hash:
91dbd5a03688174b9cb4d7203983625a
SHA1 hash:
a9a794c40d2cafd6baf28fa4ef63d7b682032784
Link:
https://www.unpac.me/results/2859c65d-5712-4b24-b88e-0de840d5d708/
SH256 hash:
0074d2bf9272cea7b66f0809fa1ae6c1a79ef1a6f2eef254ae9a2d6e2745da91
MD5 hash:
88e2da6c93116f88e5343f3d833c572f
SHA1 hash:
6e39b9accddf7a821fc8bae01cf7a50e189f87d1
Link:
https://www.unpac.me/results/2859c65d-5712-4b24-b88e-0de840d5d708/
SH256 hash:
f1df003e684180821286734985d36cb53e877a027cb6cf3972dda22b1a52c679
MD5 hash:
8b577aadd1c6d31201479cf4bef69554
SHA1 hash:
669bc33564c755a7b32d0ca40ff94e31074fa23f
Link:
https://www.unpac.me/results/2859c65d-5712-4b24-b88e-0de840d5d708/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f1df003e6841/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1df003e684180821286734985d36cb53e877a027cb6cf3972dda22b1a52c679

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

anyrun
any.run
https://app.any.run/tasks/34492943-0ffc-402d-a750-dd24d8d4de11/#
Cape
Cape
https://www.capesandbox.com/analysis/383142/

Comments