MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f91391d692321a6d4597dd649668b54cf8aa9af06e5ab9668862fb4d072df917. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f91391d692321a6d4597dd649668b54cf8aa9af06e5ab9668862fb4d072df917
SHA3-384 hash: 38c1fe7678ed8d41354209eea73211dcfb9f4063495cb988a16fc3581f635d4ed89b1f86b3ff3c0a2cec0f67f835b60e
SHA1 hash: dd7529e5462ac5360e62f3651388d744ac67c1d6
MD5 hash: dbe84e78d5544dcbd32a70e7c642aa51
humanhash: lion-juliet-stairway-neptune
File name:f91391d692321a6d4597dd649668b54cf8aa9af06e5ab9668862fb4d072df917
Download: download sample
Signature njrat
Create hunting rule
File size:3'350'016 bytes
First seen:2020-11-11 11:34:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 646167cce332c1c252cdcb1839e0cf48 (8'473 x RedLineStealer, 4'851 x Amadey, 290 x Smoke Loader)
ssdeep 98304:jviz/27qWGq/TzuqCDl2Ptao7jC7wjNV:jviq75/Tzuft6NV
Threatray 421 similar samples on MalwareBazaar
TLSH 79F5334266DC002BC4B5037028FD13C71FB5BCB16379978AB0CF649D19A64B1B6B6FA6
Reporter seifreed
Tags:NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.Generic-6895514-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a window
Delayed reading of the file
Creating a process with a hidden window
Connection attempt
Searching for the window
Deleting a recently created file
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/532212
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to log keystrokes (.Net Source)
Contains functionality to spread to USB devices (.Net source)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 315208 Sample: WM1DCYpK4n Startdate: 12/11/2020 Architecture: WINDOWS Score: 100 38 Malicious sample detected (through community Yara rule) 2->38 40 Multi AV Scanner detection for submitted file 2->40 42 Yara detected Njrat 2->42 44 7 other signatures 2->44 9 WM1DCYpK4n.exe 1 13 2->9         started        12 rundll32.exe 2->12         started        process3 file4 26 C:\Users\user\AppData\Local\Temp\...\CDS.exe, PE32 9->26 dropped 28 C:\Users\user\AppData\Local\...\lua51.dll, PE32 9->28 dropped 30 C:\Users\user\AppData\Local\...\lua5.1.dll, PE32 9->30 dropped 14 CDS.exe 3 9->14         started        process5 dnsIp6 36 192.168.2.1 unknown unknown 14->36 32 C:\Users\user\AppData\Local\...\crypted.exe, PE32 14->32 dropped 18 crypted.exe 5 4 14->18         started        file7 process8 dnsIp9 34 127.0.0.1 unknown unknown 18->34 46 Antivirus detection for dropped file 18->46 48 Multi AV Scanner detection for dropped file 18->48 50 Machine Learning detection for dropped file 18->50 22 netsh.exe 1 3 18->22         started        signatures10 process11 process12 24 conhost.exe 22->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f91391d692321a6d4597dd649668b54cf8aa9af06e5ab9668862fb4d072df917/
Threat name:
Win32.Trojan.Strictor
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 11:37:58 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ejzdvusging2rmx3vsjm2fvjt4kvgxqnznlszuiml5u2bzn7elq._file
Verdict:
malicious
Similar samples:
0ff87f26d86e8c42816ece8f60d12f31e76b83740baecd0a58f84a04961658ba
njrat
2b942243439c92b4921032a08567d76c0baff766661083fe8f6a9ab66966926d
njrat
72186f2bd535a54efe912025ee41ff582ea5eeeb08709988e7e89e3822dbf391
njrat
a3feb1f837ab57c218bfb325fb808534d1f25ff26ff7a3a75578dc165c8a3ff4
njrat
af21243da675a515c8e2ca9d00b5628c1201125b1a29d46a9df0cb0b63769942
njrat
b2a9afcf53b4804d0d6b525b0480c1e01f72a151c536d2436e1ae2017d7bcccb
njrat
c49196fbcc615b4145c095b26fd716cb4540b0b7a58693eaa987ebc485e20865
njrat
d955c191cd93fda7011c207646af6060c86ac97aefaf555a7c914124f3eaaccd
njrat
eccc7b043b9cdcd8a3766cde17f331e63a6be6f7fb7a99e5cc7f6863406c299e
njrat
f2292fec01b4672cf1bd05d2022e7ab814c53378e900cf7679b3917fe317965b
njrat
+ 411 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
evasion persistence
Link:
https://tria.ge/reports/201111-2bz63ge6ln/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Adds Run key to start application
JavaScript code in executable
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
Unpacked files
SH256 hash:
f91391d692321a6d4597dd649668b54cf8aa9af06e5ab9668862fb4d072df917
MD5 hash:
dbe84e78d5544dcbd32a70e7c642aa51
SHA1 hash:
dd7529e5462ac5360e62f3651388d744ac67c1d6
Link:
https://www.unpac.me/results/6664870b-2f92-4005-8de8-6e8c009e0972/
SH256 hash:
f02eaea66e7ecb8912c0574760675f62c926ec302ee6c2880d6b888966fce51e
MD5 hash:
1e286ffad20123b349c27dc0506feb58
SHA1 hash:
2321ed5b0133a580024ea1ebf9cff18e500a2de1
Link:
https://www.unpac.me/results/6664870b-2f92-4005-8de8-6e8c009e0972/
SH256 hash:
a4e80520f870047b8a9e64914920fe14db19eee57d16993a7db1b34d88c4187a
MD5 hash:
a0236fd48dc4fe56a82521f75bc81bf8
SHA1 hash:
e3922b264b4a23605c0e7f82f4f75ce7e50c2d16
Link:
https://www.unpac.me/results/6664870b-2f92-4005-8de8-6e8c009e0972/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments