MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2e928cf697e22da9dff49ec85e64be6cb60e00d02503649cf2a2230a487c310. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2e928cf697e22da9dff49ec85e64be6cb60e00d02503649cf2a2230a487c310
SHA3-384 hash: 9e33bed877c46d0420c830fc36f2aac339e1ed0492ba7f346a3aaee6f05f5d19be9d22bf5584201a8dea1baf3231c9d2
SHA1 hash: 62ce107540d713b14fe93379ee0aebdb464d9eeb
MD5 hash: 713a027eb7de6e9667b266ba8cbe8bda
humanhash: beer-arkansas-johnny-april
File name:f2e928cf697e22da9dff49ec85e64be6cb60e00d02503649cf2a2230a487c310
Download: download sample
Signature njrat
Create hunting rule
File size:3'343'872 bytes
First seen:2020-11-14 18:13:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:Yviz/27qWGq/TzuqCDl2Ptao7jEzMzbNl:Yviq75/TzufRz2Nl
Threatray 160 similar samples on MalwareBazaar
TLSH 2CF5334676DC002BD570037128FD13C71BB4BCB25375978AB0CE648D19AA4B1BBB6FA6
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-6895514-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Delayed reading of the file
Enabling the 'hidden' option for files in the %temp% directory
Creating a process with a hidden window
Connection attempt
Searching for the window
Deleting a recently created file
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Launching the process to change the firewall settings
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/535669
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Detected njRat
Drops PE files to the startup folder
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 316934 Sample: 6TmVoCjRV3 Startdate: 15/11/2020 Architecture: WINDOWS Score: 100 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus detection for dropped file 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 10 other signatures 2->48 9 6TmVoCjRV3.exe 1 13 2->9         started        12 crypted.exe 2 2->12         started        14 crypted.exe 3 2->14         started        16 2 other processes 2->16 process3 file4 34 C:\Users\user\AppData\Local\Temp\...\CDS.exe, PE32 9->34 dropped 36 C:\Users\user\AppData\Local\...\lua51.dll, PE32 9->36 dropped 38 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 9->38 dropped 18 CDS.exe 3 9->18         started        process5 file6 30 C:\Users\user\AppData\Local\...\crypted.exe, PE32 18->30 dropped 21 crypted.exe 3 5 18->21         started        process7 dnsIp8 40 194.34.132.153, 49714, 49716, 49720 CREANOVA-ASOyCreanovaHostingSolutionsLtdFI Finland 21->40 32 C:\...\0e854fbd4ebf23cba2d15e6c5f675a31.exe, PE32 21->32 dropped 50 Antivirus detection for dropped file 21->50 52 Multi AV Scanner detection for dropped file 21->52 54 Protects its processes via BreakOnTermination flag 21->54 56 3 other signatures 21->56 26 netsh.exe 1 3 21->26         started        file9 signatures10 process11 process12 28 conhost.exe 26->28         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2e928cf697e22da9dff49ec85e64be6cb60e00d02503649cf2a2230a487c310/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2020-11-14 18:14:39 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6lusrt3jpyrnvhp7jhwilzsl43fwbyanajidmsopfirdbjehymia._file
Verdict:
malicious
Similar samples:
153e5b1b4b51f9f27c38a24577764a9873ea08467348b5a2db04f2a13c49e291
njrat
51707360e28aa57ec8a8d7f42bc7c9ffe8969b5d19bf39a700cde35c0e4d3846
njrat
55788187a18d12723bbba31b170c83008999a405625ea9f5525d6f655ad2d565
njrat
754d17d48af7cfce94b80e05709943f2e4c119a7dde35f34ca0261672236212a
njrat
910a35ca5d26faf9ede6eabdff5d843cc84ee2086e92602c02b4c6fc45613306
njrat
a54b4d3ba528301409e3f5ba27a1d3b3d8bf9ad5d6f0d43354535f98132d980b
njrat
e17b626855a99cb900478be588cc73a331bc5a00204b4b97932f0ac6d705d308
njrat
ed34d4eba0bc7d434f32bb9bca0147632592656ddf0c2aa892fbee54b0850ff1
njrat
f7520d43549934d17d63e087a02883c12ef5a48c50d0b503e3c64d51ba32201a
njrat
ffe8dbc4f815fe713c790a19b5122c79d1de9c817f10edf7d86ca297175ce439
njrat
+ 150 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/201114-yl243lp28e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Adds Run key to start application
JavaScript code in executable
Drops startup file
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
f2e928cf697e22da9dff49ec85e64be6cb60e00d02503649cf2a2230a487c310
MD5 hash:
713a027eb7de6e9667b266ba8cbe8bda
SHA1 hash:
62ce107540d713b14fe93379ee0aebdb464d9eeb
Link:
https://www.unpac.me/results/390aef21-6532-4239-9fe1-77adf2283dab/
SH256 hash:
a84dd9c800bb02aba270c2c7124ca7547256bb6447cfe15168d2d09e908cdc2a
MD5 hash:
8938752475a171a77ae5a23c4e0450de
SHA1 hash:
0a33c9308f9e29af3927f08458412537dec2bbed
Link:
https://www.unpac.me/results/390aef21-6532-4239-9fe1-77adf2283dab/
SH256 hash:
1da9ae6815c68ad3369121ce6dc480c8772690f848432cab3e9cafbdcb081972
MD5 hash:
c46acaa856b8a0dbc1749ef1e5b65a45
SHA1 hash:
ccaf60fa0017d8844b02cbcc29fdf6da33776da2
Link:
https://www.unpac.me/results/390aef21-6532-4239-9fe1-77adf2283dab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Strictor
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/f2e928cf697e22da9dff49ec85e64be6cb60e00d02503649cf2a2230a487c310

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments