MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f66ba3c9a85a0a54242aa2a905df2120305cec66efbc9a1a02db3c66ff50b722. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f66ba3c9a85a0a54242aa2a905df2120305cec66efbc9a1a02db3c66ff50b722
SHA3-384 hash: 43d7cce406499c701ae4db200de093256554278abe72fd8bb56f5a1f502eb6ac516c59e43893d9ce6eb724d624d23ec9
SHA1 hash: 38c02175c1cd6abd2374bd0c12157d7395de4f36
MD5 hash: 5611852a2a2746a6c52b68189619a528
humanhash: hawaii-thirteen-double-river
File name:f66ba3c9a85a0a54242aa2a905df2120305cec66efbc9a1a02db3c66ff50b722
Download: download sample
Signature njrat
Create hunting rule
File size:350'126 bytes
First seen:2021-02-28 07:06:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:w5PWNgiqLeg0sSETm6VeV3B5m/F4SO3ZOOEY2ODCQOz32yd:YOe9/1mxV3XPS8EIM2yd
Threatray 57 similar samples on MalwareBazaar
TLSH 57747B027688D711C46421B689DBC27817E4AE8B5A73C61B3FCC7F9F3A31392AD0565B
Reporter JAMESWT_WT
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/119770/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/621202
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 359593 Sample: sduvJ7GlPP Startdate: 28/02/2021 Architecture: WINDOWS Score: 100 23 Malicious sample detected (through community Yara rule) 2->23 25 Antivirus / Scanner detection for submitted sample 2->25 27 Multi AV Scanner detection for submitted file 2->27 29 9 other signatures 2->29 8 sduvJ7GlPP.exe 1 2->8         started        process3 file4 19 C:\Users\user\AppData\...\sduvJ7GlPP.exe.log, ASCII 8->19 dropped 31 Injects a PE file into a foreign processes 8->31 12 sduvJ7GlPP.exe 3 2 8->12         started        signatures5 process6 dnsIp7 21 127.0.0.1 unknown unknown 12->21 15 netsh.exe 1 3 12->15         started        process8 process9 17 conhost.exe 15->17         started       
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f66ba3c9a85a0a54242aa2a905df2120305cec66efbc9a1a02db3c66ff50b722/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-02-26 08:02:00 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
2caacde56329c3cb26c041d2535a5121d02fc195193f4046aabec42d61655d68
njrat
59b230d608d121a6969fa2eab41b020c57f99328319ebd92ef00cb4081562589
njrat
72146e890efa1de6ee90e445ceb11ad9dc3b053fa5e82757756a393ee4617a77
njrat
7f5f68e3163fd4aae367b129dc4d519000905b78d66e6933e7b091053eadd98f
njrat
ae9f21e994994c7d538df1032eb81cba7c3cbff6a76e8c15d91c8fe6f78dfa28
njrat
b2f041348835c102db3769245ee4c28dd00cb19c3c6710fc9c11228f3bbce61b
njrat
ea9c85df4bf9c40e375d88e19cc1d83220580f0b14a6392b2a48dc1d1e24737c
njrat
f1d81ae5a4ea7a71d5d7147565fecca141a8e03148ef3c9e7583b9159923d17a
njrat
f95573e18dd16600bedc2ab6917774a91603d5e90ae5deccfa969a8311802972
njrat
f9b03c723f0707c47dc00e0d77ac55559d2cd07cd6b38a67126e535068ca05dc
njrat
+ 47 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat evasion trojan
Link:
https://tria.ge/reports/210228-j4d1by13se/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies Windows Firewall
njRAT/Bladabindi
Unpacked files
SH256 hash:
572ac1807d7bf08e3a25837a27bc08af7abffb4e8c1016801e24ab81c9c79925
MD5 hash:
ebff06526552f2a2ff20b2c5b6acd976
SHA1 hash:
de4740f162722aa8c6a05a1fe111b1357d8b591a
Link:
https://www.unpac.me/results/7875761a-e297-42bc-b7a1-1e089364ec42/
SH256 hash:
5c2e588094d8080f49b3eefd7a4e86452ebec8f2e21a691cdf4ac2e5239d72c1
MD5 hash:
523f06bbca131b5e5fc60407044e596f
SHA1 hash:
c748d474bbb5188c01be74e99802061d2881aab0
Detections:
win_njrat_w1
Create hunting rule
win_njrat_g1
Create hunting rule
Link:
https://www.unpac.me/results/7875761a-e297-42bc-b7a1-1e089364ec42/
SH256 hash:
f66ba3c9a85a0a54242aa2a905df2120305cec66efbc9a1a02db3c66ff50b722
MD5 hash:
5611852a2a2746a6c52b68189619a528
SHA1 hash:
38c02175c1cd6abd2374bd0c12157d7395de4f36
Link:
https://www.unpac.me/results/7875761a-e297-42bc-b7a1-1e089364ec42/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f66ba3c9a85a0a54242aa2a905df2120305cec66efbc9a1a02db3c66ff50b722

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/119770/

Comments