MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f406bc1708572d21e98b0a0c3899a284e3fe04e8b1f261cffca6c255c0b134e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f406bc1708572d21e98b0a0c3899a284e3fe04e8b1f261cffca6c255c0b134e7
SHA3-384 hash: e9b559f785184da6877632ea4f1e91e6446ca91653b9fba43feab89c6da082462437a40a10a9c5b7428580165652bf3a
SHA1 hash: da54aaaec08f6eec070bf3e9791dfb5282c9dd13
MD5 hash: 702482fbfc8195be33e67939ebd158bd
humanhash: artist-twenty-burger-kansas
File name:SQL Fucker 1.7.exe
Download: download sample
Signature njrat
Create hunting rule
File size:2'120'704 bytes
First seen:2022-10-08 10:57:48 UTC
Last seen:2022-10-08 12:23:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 49152:NVHFXSFEmqiDqCbS1gickVsPTE5hb0+EzLwW1T+Q:NVHFXSCmqsSgfkVs45hb0+Ev1T
Threatray 1 similar samples on MalwareBazaar
TLSH T15FA5BF42F3E680F1D845A3B581EB722A5B309705172EC7D3A6B83D9D5C613D22E3939B
TrID 61.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.0% (.SCR) Windows screen saver (13101/52/3)
8.8% (.EXE) Win64 Executable (generic) (10523/12/4)
5.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 00f6caa692a5b500 (1 x njrat)
Reporter Anonymous
Tags:exe NjRAT RAT

Intelligence

File Origin
# of uploads :
2
# of downloads :
358
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/317878/
Detection(s):
SecuriteInfo.com.Trojan.Siggen18.44274.20173.4615.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Enabling the 'hidden' option for files in the %temp% directory
Creating a file
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Creating a window
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Launching a process
Creating a process with a hidden window
Running batch commands
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm bladabindi greyware packed razy shell32.dll
Link:
https://www.filescan.io/uploads/634157bb78d4acb349f508c6/reports/089447ce-172f-44d4-937e-2e3b40210eea/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/834dabe9-fa28-4c1f-bd11-d13b482a5711
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1086260
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Creates multiple autostart registry keys
Detected njRat
Drops PE files with benign system names
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 718817 Sample: SQL Fucker 1.7.exe Startdate: 08/10/2022 Architecture: WINDOWS Score: 100 62 blog.hackcrack.io 2->62 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus detection for URL or domain 2->76 78 Antivirus detection for dropped file 2->78 80 11 other signatures 2->80 8 SQL Fucker 1.7.exe 7 2->8         started        11 svchost.exe 2->11         started        15 svchost.exe 2->15         started        17 12 other processes 2->17 signatures3 process4 dnsIp5 50 C:\Users\user\Desktop\SQL Fucker 1.7 .exe, PE32 8->50 dropped 52 C:\Users\user\AppData\Local\Temp\Setup.exe, PE32 8->52 dropped 54 C:\Users\user\...\SQL Fucker 1.7.exe.log, ASCII 8->54 dropped 19 Setup.exe 1 7 8->19         started        23 explorer.exe 8->23         started        25 Setup.exe 3 8->25         started        27 SQL Fucker 1.7 .exe 8->27         started        64 amazonhost.thedreamsop.com 11->64 66 blogspot.l.googleusercontent.com 11->66 68 24-06-2022-8080.blogspot.com 11->68 106 System process connects to network (likely due to code injection or exploit) 11->106 108 Changes security center settings (notifications, updates, antivirus, firewall) 15->108 29 MpCmdRun.exe 15->29         started        70 amazonhost.thedreamsop.com 17->70 72 192.168.2.1 unknown unknown 17->72 110 Query firmware table information (likely to detect VMs) 17->110 31 WerFault.exe 17->31         started        file6 signatures7 process8 file9 46 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 19->46 dropped 90 Antivirus detection for dropped file 19->90 92 Multi AV Scanner detection for dropped file 19->92 94 Machine Learning detection for dropped file 19->94 96 Drops PE files with benign system names 19->96 33 svchost.exe 8 19->33         started        48 C:\Users\user\AppData\...\explorer.exe, PE32 23->48 dropped 98 Creates multiple autostart registry keys 23->98 100 Writes to foreign memory regions 23->100 102 Allocates memory in foreign processes 23->102 104 Injects a PE file into a foreign processes 23->104 38 fodhelper.exe 23->38         started        40 RegAsm.exe 23->40         started        42 conhost.exe 29->42         started        signatures10 process11 dnsIp12 56 amazonhost.thedreamsop.com 144.126.144.223, 49702, 49703, 49705 LOYOLAUS United States 33->56 58 blogspot.l.googleusercontent.com 142.250.184.193, 443, 49704, 49708 GOOGLEUS United States 33->58 60 24-06-2022-8080.blogspot.com 33->60 44 C:\Users\user\AppData\...\explorer.exe, PE32 33->44 dropped 82 Antivirus detection for dropped file 33->82 84 System process connects to network (likely due to code injection or exploit) 33->84 86 Multi AV Scanner detection for dropped file 33->86 88 2 other signatures 33->88 file13 signatures14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f406bc1708572d21e98b0a0c3899a284e3fe04e8b1f261cffca6c255c0b134e7/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-09-11 06:13:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
39
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6qdlyfyik4wsd2mlbigdrgncqtr74bhiwhzgdt74u3bflqfrgttq._file
Verdict:
malicious
Similar samples:
db49640072320f33cbbcc3543ae71898214ff0decd8f2c004e308bf0e79d856c
njrat
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked evasion persistence trojan
Link:
https://tria.ge/reports/221008-m2tjfsefb6/
Behaviour
Checks processor information in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Checks computer location settings
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction:
blog.hackcrack.io:8082
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/94b21d35-c68c-4d01-b544-24bdae8256d2
Unpacked files
SH256 hash:
2ea1fa52a6896ce0100084e3696712d76b4d1e995ca0012954bae3107562a9eb
MD5 hash:
301e8d9a2445dd999ce816c17d8dbbb3
SHA1 hash:
b91163babeb738bd4d0f577ac764cee17fffe564
Link:
https://www.unpac.me/results/71f15f77-b227-44f4-b1a0-48e1a86fb904/
SH256 hash:
9286a6c9e1effa964079095f5178d047c088b3d330816ebe9765eaa0b854adbf
MD5 hash:
97efaf1ced78050d4af749b2ec8c719d
SHA1 hash:
aaea00628ec89f93a610bb5113ac91b3f3e5ec23
Link:
https://www.unpac.me/results/71f15f77-b227-44f4-b1a0-48e1a86fb904/
SH256 hash:
2daee8e9e146c148e282a33e7a4311a1dc21531abc11729304acf1471616e5ce
MD5 hash:
0baa75f9513a6fd8729ec7c100115781
SHA1 hash:
b583d03f3cb7dc58af410cd35c8b5ccc269a656e
Link:
https://www.unpac.me/results/71f15f77-b227-44f4-b1a0-48e1a86fb904/
SH256 hash:
7285dbba1c250e3ef07a208f418a3e96210a23d06787c0cf38138163b56aab64
MD5 hash:
4a4427e4591a1a142964a3927d3535fc
SHA1 hash:
8e146a4dbde1772e074a80a7b42d8ec5cd02716e
Link:
https://www.unpac.me/results/71f15f77-b227-44f4-b1a0-48e1a86fb904/
SH256 hash:
f406bc1708572d21e98b0a0c3899a284e3fe04e8b1f261cffca6c255c0b134e7
MD5 hash:
702482fbfc8195be33e67939ebd158bd
SHA1 hash:
da54aaaec08f6eec070bf3e9791dfb5282c9dd13
Link:
https://www.unpac.me/results/71f15f77-b227-44f4-b1a0-48e1a86fb904/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f406bc1708572d21e98b0a0c3899a284e3fe04e8b1f261cffca6c255c0b134e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe f406bc1708572d21e98b0a0c3899a284e3fe04e8b1f261cffca6c255c0b134e7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/317878/

Comments