MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9ae91e6b312fadf8864035e4e737daf845cd41cd4b9e28e83fe9820277ea925. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 11


Intelligence 11 IOCs 1 YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9ae91e6b312fadf8864035e4e737daf845cd41cd4b9e28e83fe9820277ea925
SHA3-384 hash: 9380f3502c2df37e6708a18d00d1e408f3f1e4ed23cd6103cd5f43b99db4e6bf16b95c0dc6fc69c07f4cec964f96eda2
SHA1 hash: a12f21b71c116d3b9669c94e454a532283a85c19
MD5 hash: f8ed697e63a97f53801c85a47b5350e3
humanhash: one-hot-bakerloo-bacon
File name:f8ed697e63a97f53801c85a47b5350e3.exe
Download: download sample
Signature njrat
Create hunting rule
File size:662'016 bytes
First seen:2021-09-06 22:12:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:JdsHhgIHd3/PyrSyMhGp/pxC1VWSqlCe2Je/V7NRNhvRccBpGP9SF9jh:HsHh15/PyOJhGBzq5qlCeRdbp8
Threatray 128 similar samples on MalwareBazaar
TLSH T12EE4F1253785FB4FC63E8E7988915C00BBE0EA368303F747ACE325DD658D6964F22592
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
181.140.210.25:1980

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
181.140.210.25:1980 https://threatfox.abuse.ch/ioc/216786/

Intelligence

File Origin
# of uploads :
1
# of downloads :
549
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f8ed697e63a97f53801c85a47b5350e3.exe
Verdict:
Malicious activity
Analysis date:
2021-09-06 22:24:56 UTC
Tags:
trojan rat njrat bladabindi
Link:
https://app.any.run/tasks/3b6a6079-ec78-47db-bca1-9af270c7dba7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185767/
Detection(s):
Win.Packed.Formbook-9883931-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/81cdb0ad-9b1b-4558-b90c-0f92f36c59f1
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/846171
Signature
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
njrat
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f9ae91e6b312fadf8864035e4e737daf845cd41cd4b9e28e83fe9820277ea925/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-24 10:53:00 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7gxjdzvtcl5n7cdeanpe4435v6cfzva42s46fdud72mcaj36vesq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
381bc1886d534d20d33107d09b09fd7e4fffba102c0314b6d8359be5ebb6231f
njrat
3dc8c608af3e6e6aec80dbed90a2565121bf097ae71071ce1d1fc4ecc3d8f39a
njrat
57cb093510514d18e117230d0b01837dfa0492bf89f76638bd8bc7cdcf7422d0
njrat
75c24172fad5dcee8c4a92b183d17b5da430fce1354536124a6183f27d043754
njrat
846d82f6f9d6b965ef683cd91724d72917263cf21e9f0f7e4ed2cb4f1ceacce8
njrat
b0eeb379c674f6caf454b18af219a5916889a33fddf5b7826c4d981a232d043d
njrat
c3bef104d99fc5433009d8fd1cc31d510d847e4c94bb536ac487a689d081decc
njrat
ce3f49f552210c00b360845000a735879ec0e2e2a3abe6999d7ff0b6774530e0
njrat
e31d4e1ec7e040af6d1964976234a3f8da61d12664fe4c85c768348fafcdb614
njrat
e63cc99dd10607d568a428f192577a19a915e284592ce1bd135d18576596977c
njrat
+ 118 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat evasion trojan
Link:
https://tria.ge/reports/210906-14l42sbee5/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
njRAT/Bladabindi
Malware Config
C2 Extraction:
pedrobedoya2021.duckdns.org:1980
Unpacked files
SH256 hash:
5f5257e30cfc2caab058013ffc60f90fb8a5d780a14834e1371054290b7658e4
MD5 hash:
b0e14c3526d6623ae9b7b5f5e0efde76
SHA1 hash:
f7d127bff2dfb1100ebd55fdd12dfb7a2b382fdc
Link:
https://www.unpac.me/results/25dbd5bc-09e5-4f48-ad7b-53190d6c8c98/
SH256 hash:
f9ae91e6b312fadf8864035e4e737daf845cd41cd4b9e28e83fe9820277ea925
MD5 hash:
f8ed697e63a97f53801c85a47b5350e3
SHA1 hash:
a12f21b71c116d3b9669c94e454a532283a85c19
Link:
https://www.unpac.me/results/25dbd5bc-09e5-4f48-ad7b-53190d6c8c98/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f9ae91e6b312/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9ae91e6b312fadf8864035e4e737daf845cd41cd4b9e28e83fe9820277ea925

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/185767/

Comments