MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8c245665c74cc678f4a9182b3a593ff0de9682ff0f96596eb59c158f2643373. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8c245665c74cc678f4a9182b3a593ff0de9682ff0f96596eb59c158f2643373
SHA3-384 hash: ab064945e67a1cb636265d0be5fdfd32ad2c6d7409c419fb211de0cb194240ac4cf325b274975b1b49b2407a401e27ca
SHA1 hash: f752c278fb4f2121f8cb4ffb910ad1e82656fcb4
MD5 hash: 15f364d2f942a4ddd1d9c3ecf7c26c32
humanhash: nevada-paris-happy-yellow
File name:VXUHEUR-Trojan.Script.Generic-f8c245665c74cc6.exe
Download: download sample
Signature njrat
Create hunting rule
File size:1'448'088 bytes
First seen:2022-08-22 06:55:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:3AHnh+eWsN3skA4RV1Hom2KXMmHacA/aaxmJD1rSEn1+Ox7AH0dgN3dcyIz5j:qh+ZkldoPK8YacAQJD1uEn7UHp3dcy0j
Threatray 1'548 similar samples on MalwareBazaar
TLSH T1CB65CFD27381C071FE9792778B36F243567A792D4937841F22983E6A7D71362023EA63
TrID 85.7% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
4.5% (.EXE) Win64 Executable (generic) (10523/12/4)
2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 6cecccccb4c2f2b2 (38 x AgentTesla, 30 x Formbook, 24 x PythonStealer)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
192.169.69.25:1041

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
192.169.69.25:1041 https://threatfox.abuse.ch/ioc/31482/

Intelligence

File Origin
# of uploads :
1
# of downloads :
346
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
VXUHEUR-Trojan.Script.Generic-f8c245665c74cc6.exe
Verdict:
Malicious activity
Analysis date:
2022-08-22 07:03:28 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/3fcae486-9cb6-4f8a-bd7a-a6fbebd9fd89

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/300144/
Detection(s):
Win.Trojan.Autoit-9857105-0
Create hunting rule

Win.Dropper.njRAT-9857539-1
Create hunting rule

Win.Trojan.njRAT-9864159-1
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Query of malicious DNS domain
Sending a TCP request to an infection source
Unauthorized injection to a system process
Enabling autorun by creating a file
Enabling a "Do not show hidden files" option
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/29631/overview
Behaviour
MalwareBazaar
MeasuringTime
CheckNumberOfProcessor
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
autoit bladabindi fareit greyware hacktool keylogger overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/630328c9b6f2a6ec1d5dd57c/reports/7872390e-dd9b-4092-a383-3e0264975167/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a5b38489-5b1e-475e-a471-c64040fe1a82
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1055333
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to inject code into remote processes
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the startup folder
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 687850 Sample: VXUHEUR-Trojan.Script.Gener... Startdate: 22/08/2022 Architecture: WINDOWS Score: 100 45 smokin10.duckdns.org 2->45 49 Snort IDS alert for network traffic 2->49 51 Multi AV Scanner detection for domain / URL 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 14 other signatures 2->55 8 VXUHEUR-Trojan.Script.Generic-f8c245665c74cc6.exe 5 2->8         started        12 aadcloudap.exe 1 2->12         started        14 RegAsm.exe 3 2->14         started        16 3 other processes 2->16 signatures3 process4 file5 43 C:\Users\user\AppData\...\aadcloudap.exe, PE32 8->43 dropped 63 Binary is likely a compiled AutoIt script file 8->63 65 Contains functionality to inject code into remote processes 8->65 67 Uses schtasks.exe or at.exe to add and modify task schedules 8->67 69 Injects a PE file into a foreign processes 8->69 18 RegAsm.exe 5 5 8->18         started        23 schtasks.exe 1 8->23         started        71 Antivirus detection for dropped file 12->71 73 Writes to foreign memory regions 12->73 75 Allocates memory in foreign processes 12->75 25 schtasks.exe 1 12->25         started        27 RegAsm.exe 3 12->27         started        29 conhost.exe 14->29         started        31 conhost.exe 16->31         started        33 conhost.exe 16->33         started        35 conhost.exe 16->35         started        signatures6 process7 dnsIp8 47 smokin10.duckdns.org 192.169.69.25, 1041, 49707, 49708 WOWUS United States 18->47 41 C:\Users\user\AppData\Roaming\...\Client.exe, PE32 18->41 dropped 57 Changes the view of files in windows explorer (hidden files and folders) 18->57 59 Drops PE files to the startup folder 18->59 61 Creates an autostart registry key pointing to binary in C:\Windows 18->61 37 conhost.exe 23->37         started        39 conhost.exe 25->39         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8c245665c74cc678f4a9182b3a593ff0de9682ff0f96596eb59c158f2643373/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2021-05-07 00:36:00 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
31 of 41 (75.61%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7dbekzs4otggpd2ksgblhjmt74g6s2bp6d4wlfxllhavr4tegnzq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
063b9544262ae25393961c4f57a4e4c5a73032644d2a22ff423b8a53bc6c6a7d
njrat
10fb9346fd965b69c8aa00c9350988d18364857f65ff7e123263a67667413228
njrat
247b57d55cdaa287404a2db0faf75a023bc0ed937b9fd9319e14c415cdfe57c6
njrat
40d88f1138536eab0e3d8dfdb227e96d34ba265d34138ccb436191ecca4b8367
njrat
b1004609dd4604c78068f0f2ab7f2448b36259fedcb92043fd03cfaf46d3be5f
njrat
dd53f452a1265736a066c7073a0d83f42b861d1954a0ae02c654896692e4629a
njrat
dfd682d846b7bafdf130893d385c8d5a4fcc64d1c1b81e114e46e8deb08ae664
njrat
efcd93564fc1fcdfac673a30ac1150508e8cb4a3e4f981da05ef61392f684a1c
njrat
f19f9a9e40712335d74308b2e69f078dd6203dd1d6c519483c814c1cbe3d70ce
njrat
f44b014fde675419cf4c666a600aa312fccb57be890e12a03b2019d74fe4b1ca
njrat
+ 1'538 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:ramses persistence trojan
Link:
https://tria.ge/reports/220822-hqcdkscdbk/
Behaviour
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
AutoIT Executable
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
njRAT/Bladabindi
Malware Config
C2 Extraction:
smokin10.duckdns.org:1041
Unpacked files
SH256 hash:
40b75b1debb56ee21fef3b2e58d58d90c77b2991f51d1ca294540f592da1a884
MD5 hash:
8b4fb38b510d092fabdcc5aa24711625
SHA1 hash:
022b7c7603c2bf04599f783799eea487a6f35c2d
Link:
https://www.unpac.me/results/099256b3-a655-4903-a509-d4bdcaae70b6/
SH256 hash:
f8c245665c74cc678f4a9182b3a593ff0de9682ff0f96596eb59c158f2643373
MD5 hash:
15f364d2f942a4ddd1d9c3ecf7c26c32
SHA1 hash:
f752c278fb4f2121f8cb4ffb910ad1e82656fcb4
Link:
https://www.unpac.me/results/099256b3-a655-4903-a509-d4bdcaae70b6/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f8c245665c74/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8c245665c74cc678f4a9182b3a593ff0de9682ff0f96596eb59c158f2643373

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Compiled
Create hunting rule
Author:@bartblaze
Description:Identifies compiled AutoIT script (as EXE).
Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:CN_disclosed_20180208_c_RID2E71
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer
Create hunting rule
Author:ditekSHen
Description:detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Rule name:malware_Njrat_strings
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:MAL_njrat
Create hunting rule
Author:SECUINFRA Falcon Team
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/300144/

Comments