MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4
SHA3-384 hash:	f63ba2db9ae82a74b966639ac3e0ef42d3a1d31d282c0f90ddde4b2d12c56c72d31102bfe4dbf250f5079cbca064996d
SHA1 hash:	3741755f8a11638209821a3cd7c01104acac184d
MD5 hash:	1f85c12fcd3232c577e5e8cc07fbf1e1
humanhash:	oscar-triple-moon-uncle
File name:	1f85c12fcd3232c577e5e8cc07fbf1e1.exe
Download:	download sample
Signature	njrat Alert Create hunting rule
File size:	772'608 bytes
First seen:	2022-08-05 07:35:19 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (31'209 x AgentTesla, 10'508 x Formbook, 5'466 x SnakeKeylogger)
ssdeep	12288:WqShIfQIKMR4LClwugCEzE3qA2nv1gfckf:4hIYIKMCigCEzE312nKck
Threatray	315 similar samples on MalwareBazaar
TLSH	T14DF4920B5D78868AE1FA3530C6F670B3A273970BDD098A35697DE0C37E29DE904E7116
TrID	69.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 9.9% (.EXE) Win64 Executable (generic) (10523/12/4) 6.2% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.2% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	f0c4f2e9e8b0dcf0 (1 x AsyncRAT, 1 x njrat)
Reporter	@abuse_ch
Tags:	exe NjRAT RAT

@abuse_ch

njrat C2:
91.109.186.4:5050

Intelligence

---

File Origin

# of uploads :

1

# of downloads :

291

Origin country :

NL

Mail intelligence

No data

Vendor Threat Intelligence

ANY.RUN njrat

Malware family:

njrat

Alert

Create hunting rule

ID:

1

File name:

1f85c12fcd3232c577e5e8cc07fbf1e1.exe

Verdict:

Malicious activity

Analysis date:

2022-08-05 07:35:31 UTC

Tags:

trojan rat njrat bladabindi

Link:

https://app.any.run/tasks/5b157139-1db4-478c-9c13-a36d8ccc4863

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/296591/

ClamAV Detected

Detection(s):

SecuriteInfo.com.BackDoor.Bladabindi.16104.14744.30084.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Сreating synchronization primitives

DNS request

Using the Windows Management Instrumentation requests

Sending a custom TCP request

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/62ecc8dc5c07b66577fddc67/reports/26dc1b7c-4101-48cf-bafa-cde827e0f72d/overview

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2206596c-404d-4b00-a666-b3c34ba8630b

Joe Sandbox Njrat

Result

Threat name:

Njrat

Alert

Create hunting rule

Detection:

malicious

Classification:

troj

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1046622

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Alert

Create hunting rule

Link:

https://mwdb.cert.pl/sample/f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4/

ReversingLabs TitaniumCloud ByteCode-MSIL.Backdoor.Bladabhindi

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Alert

Create hunting rule

Status:

Malicious

First seen:

2022-08-03 02:51:02 UTC

File Type:

PE (.Net Exe)

Extracted files:

18

AV detection:

18 of 26 (69.23%)

Threat level:

  5/5

Spamhaus Hash Blocklist

Detection(s):

Malicious file

Link:

https://www.spamhaus.org/query/hash/6iu62b5hhp3pgu5iiknjqqvow3bogwsh6ozvhphjhtffkdx3x3sa._file

Threatray njrat

Verdict:

malicious

Label(s):

njrat

Alert

Create hunting rule

Similar samples:

00037a0cc29f3c99e88aeb57af189e291c6fe38b8b252718ec793096c4b7f463

njrat

117ef7ac70da5cdbe0e2d7662a56550a8613417e0e2054c0766725445eacaf16

njrat

1a761d816cb65252e852598e70255c99d3dc54842d71faa7b9bc83f80ce3f952

njrat

350343f15c1e0358007718d4fe9f588d6b4c391d9feb2c4cd561d34b0921c7c6

njrat

73489b558cbcf01f2bda533f372c0dfed9c225f789b17a109b76a52b99413fb0

njrat

ebe23c279471c00cb0c3ed550ae69450a59c8cdf3b1e04bf7efea65198843eaa

njrat

+ 305 additional samples on MalwareBazaar

Hatching Triage njrat

Result

Malware family:

njrat

Alert

Create hunting rule

Score:

  10/10

Tags:

family:njrat botnet:nyan cat trojan

Link:

https://tria.ge/reports/220805-je84vagff2/

Behaviour

Suspicious use of AdjustPrivilegeToken

njRAT/Bladabindi

Malware Config

C2 Extraction:

milla11.publicvm.com:5050

UnpacMe 2

Unpacked files

SH256 hash:

9010de87160bd93e2d7dc3f452cddddd9ad6f9fa4af631e9f85a3302c65a55a2

MD5 hash:

746e62001ce94ff9277a0af42fb3b5c4

SHA1 hash:

8c8b6e8549b8669c85995bc1681742d494f0d7eb

Link:

https://www.unpac.me/results/0893784e-3ab3-422f-ba58-e6e318857df0/

SH256 hash:

f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4

MD5 hash:

1f85c12fcd3232c577e5e8cc07fbf1e1

SHA1 hash:

3741755f8a11638209821a3cd7c01104acac184d

Link:

https://www.unpac.me/results/0893784e-3ab3-422f-ba58-e6e318857df0/

VMRay njRAT

Malware family:

njRAT

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f229ed07a73b/report/overview.html

VirusTotal 73.24%

AV coverage:

73.24%

AV detections:

52 / 71

Link:

https://www.virustotal.com/gui/file/f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4/detection/f-f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4-1659670137

YOROI YOMI Suspicious File

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/f229ed07a73bf6f353a8429a9842aeb6c2e35a47f3b353bce93cca550efbbee4

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/296591/