MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f33af993fd18bb47b931e031b68dc5e030dbea7118ed4746183238066336f597. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f33af993fd18bb47b931e031b68dc5e030dbea7118ed4746183238066336f597
SHA3-384 hash: ff710d09bf0fe610ccf26dec2bc408893946bb14129a21e66991b12bb23a8d171090707a6292082ea72cdd907f59249e
SHA1 hash: 1bc2fdc280628cebb4a3f0104a642df02e98b27c
MD5 hash: 1232537c161e32f904ce36d4f29c71d0
humanhash: robert-five-mars-cat
File name:F33AF993FD18BB47B931E031B68DC5E030DBEA7118ED4.exe
Download: download sample
Signature njrat
Create hunting rule
File size:3'424'768 bytes
First seen:2023-03-22 19:21:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:uviz/27qWGq/TzuqCDl2Ptao7jk8zatt1N3:uviq75/TzufvpN3
Threatray 540 similar samples on MalwareBazaar
TLSH T104F5334139CC403BC5B2037164FD93871BB4BCB251F9934AA0C951991EA64A1BAFBFF5
TrID 70.4% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
11.1% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
5.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
3.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
141.255.156.210:5552

Intelligence

File Origin
# of uploads :
1
# of downloads :
286
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
F33AF993FD18BB47B931E031B68DC5E030DBEA7118ED4.exe
Verdict:
Malicious activity
Analysis date:
2023-03-22 19:24:33 UTC
Tags:
rat njrat bladabindi
Link:
https://app.any.run/tasks/1107ba71-7c8c-4d50-9b6b-b57ad53e9878

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/376649/
Detection(s):
Win.Malware.Generic-6895514-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Searching for synchronization primitives
Сreating synchronization primitives
Creating a window
Delayed reading of the file
Sending a custom TCP request
Enabling the 'hidden' option for files in the %temp% directory
Creating a file
Creating a process with a hidden window
Enabling the 'hidden' option for recently created files
Searching for the window
DNS request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Creating a file in the mass storage device
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack.dll bladabindi CAB datper greyware installer keylogger mshtml.dll packed rundll32.exe setupapi.dll shell32.dll strictor
Link:
https://www.filescan.io/uploads/641b555bb236355850d77041/reports/2c3cadb6-e78b-441a-b6b9-e3329cccd27c/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f33af993fd18bb47b931e031b68dc5e030dbea7118ed4746183238066336f597
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4e8a6975-4e1b-4f1b-b0fe-c69b0890cb9d
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1199782
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Drops fake system file at system root drive
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 832690 Sample: F33AF993FD18BB47B931E031B68... Startdate: 22/03/2023 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic 2->56 58 Multi AV Scanner detection for domain / URL 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 10 other signatures 2->62 10 F33AF993FD18BB47B931E031B68DC5E030DBEA7118ED4.exe 1 13 2->10         started        13 WindowsDefender.exe 2 2->13         started        15 WindowsDefender.exe 3 2->15         started        17 2 other processes 2->17 process3 file4 40 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 10->40 dropped 42 C:\Users\user\AppData\Local\Temp\...\CDS.exe, PE32 10->42 dropped 44 C:\Users\user\AppData\Local\...\lua51.dll, PE32 10->44 dropped 19 CDS.exe 3 10->19         started        process5 dnsIp6 52 192.168.2.1 unknown unknown 19->52 36 C:\Users\user\AppData\Local\...\crypted.exe, PE32 19->36 dropped 23 crypted.exe 1 5 19->23         started        file7 process8 file9 38 C:\ProgramData\WindowsDefender.exe, PE32 23->38 dropped 64 Antivirus detection for dropped file 23->64 66 Multi AV Scanner detection for dropped file 23->66 68 Machine Learning detection for dropped file 23->68 27 WindowsDefender.exe 2 9 23->27         started        signatures10 process11 dnsIp12 54 disgold.ddns.net 141.255.156.210, 49698, 49699, 49700 IELOIELOMainNetworkFR France 27->54 46 C:\svchost.exe, PE32 27->46 dropped 48 C:\...\47f25923fcbb693d740507642e98e188.exe, PE32 27->48 dropped 50 C:\autorun.inf, Microsoft 27->50 dropped 70 Antivirus detection for dropped file 27->70 72 Multi AV Scanner detection for dropped file 27->72 74 Protects its processes via BreakOnTermination flag 27->74 76 7 other signatures 27->76 32 netsh.exe 3 27->32         started        file13 signatures14 process15 process16 34 conhost.exe 32->34         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f33af993fd18bb47b931e031b68dc5e030dbea7118ed4746183238066336f597/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2023-02-07 02:05:53 UTC
File Type:
PE (Exe)
Extracted files:
765
AV detection:
16 of 37 (43.24%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6m5pte75dc5upojr4ay3ndof4aynx2trddwuorqygi4amyzw6wlq._file
Verdict:
malicious
Similar samples:
044863910e84822872c6a9d134f18db1e04b17f2641f0baa7c3aca4f5f587fbb
njrat
0d22efcba5ba1b7d3f159b2d75da6c08a81c734c9d16ea8b8e0db48602dab58b
njrat
2432f01cd92be89d208d067815c2bd8c04c11736a3ab8fb8dbc464d1a0930a58
njrat
2750ae5e54def2b34aaf8330a4730073db54302e47a785cd5684ae7b224e3211
njrat
326faaed1dd1881b1ae5af3ccea65ab894f4d7aaff2770c52c3175a29ab43abf
njrat
4671dbc33d55c1b28df97a2af222a558362ed68f24bc5a3bf433069f6d7673cb
njrat
88d7d88b3c0ededd4c99459a4231c3c4a0af8184e5e2492fce16992908f2547d
njrat
b0fedb5fc4232c07ff1161ddcc830cf11596ba2653cc7cea1d5666b4bab1f276
njrat
db5b68be18809752d92bc7720216b24922f597363d21e4ac36a0a697342da460
njrat
+ 530 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/230322-x28cqacg71/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Unpacked files
SH256 hash:
b7c5d1859604bb32f32cd42f3689942e6ce5a0e372540d8974f18e828dc73dc2
MD5 hash:
b870be9d6f1afe7effb70c01388fd45d
SHA1 hash:
58496b46542ef55b1d155d4cc266c3d976cca1a3
Link:
https://www.unpac.me/results/d5b404f0-6f69-4d33-b47b-bcd6893e1852/
SH256 hash:
58ad98985d9a47a9da4129aacd39565ce118a0787059ef304b7f75ef5fc82cd3
MD5 hash:
de09b1efdee5d1910a0f44ededbbebbd
SHA1 hash:
5d538c5b1a5d6cf0a46f1370bc777592c4483b29
Link:
https://www.unpac.me/results/d5b404f0-6f69-4d33-b47b-bcd6893e1852/
SH256 hash:
6547bc87f94d5fffe2e9d5c0f9a43b231cd199782e182e82206aeedf5662e922
MD5 hash:
f6d0617b25398d56cf80f2a52e21f28f
SHA1 hash:
03849d349af97618ee02c1a3986eddb895190540
Link:
https://www.unpac.me/results/d5b404f0-6f69-4d33-b47b-bcd6893e1852/
SH256 hash:
f33af993fd18bb47b931e031b68dc5e030dbea7118ed4746183238066336f597
MD5 hash:
1232537c161e32f904ce36d4f29c71d0
SHA1 hash:
1bc2fdc280628cebb4a3f0104a642df02e98b27c
Link:
https://www.unpac.me/results/d5b404f0-6f69-4d33-b47b-bcd6893e1852/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/376649/

Comments