MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fafaa07d26fc1017ada9e6fa48663712b448d569b8c8c499f19e16c6031fcfc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fafaa07d26fc1017ada9e6fa48663712b448d569b8c8c499f19e16c6031fcfc7
SHA3-384 hash: 029705745bcadd5669cb498dd6da02c923a5ea2790c6f15a0c3a61b7a2e3df2681c2ce4634e2d73cf906f67b8c13dc30
SHA1 hash: b42b0562c330963289601159ae035f657361516a
MD5 hash: ca9285e325d67d57d6391623a2ef4485
humanhash: ack-beer-july-papa
File name:GMSetup.bin
Download: download sample
Signature njrat
Create hunting rule
File size:1'888'911 bytes
First seen:2022-07-11 12:19:16 UTC
Last seen:2022-07-11 12:55:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a594319a0d69dbc452e748bcf05892e (21 x ParallaxRAT, 20 x Gh0stRAT, 15 x NetSupport)
ssdeep 24576:t4nXubIQGyxbPV0db26WQGIrC198eaM6116ym4sv1Et9uGpckT52zedlq89Ws5uJ:tqe3f6VrE8fl11TiSffPMWrQ0ZkF
TLSH T13795C03FF268A53EC46A1B3245B39250997BBA60B41A8C1F07FC384DCF765601E3B656
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter KdssSupport
Tags:exe NjRAT


Avatar
KdssSupport
Uploaded with API

Intelligence

File Origin
# of uploads :
2
# of downloads :
279
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
GMSetup.exe
Verdict:
Malicious activity
Analysis date:
2022-07-11 12:00:55 UTC
Tags:
installer rat njrat bladabindi trojan
Link:
https://app.any.run/tasks/381856bc-9ff3-4de9-93d2-1f7479166483

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/286220/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Сreating synchronization primitives
Searching for synchronization primitives
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/25089/overview
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
overlay packed setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/62cc15968cb06ef4b09f13e2/reports/6d915f5c-d2ff-40ec-9c4b-17eefa32d4dc/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8ef7a675-1eb8-42d5-af91-1aaf2c1257a1
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1028905
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates autorun.inf (USB autostart)
Creates autostart registry keys with suspicious names
Detected njRat
Drops PE files to the startup folder
Drops PE files with benign system names
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Sigma detected: Drops fake system file at system root drive
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Yara detected Generic Downloader
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 661395 Sample: GMSetup.bin Startdate: 11/07/2022 Architecture: WINDOWS Score: 84 74 0.tcp.eu.ngrok.io 2->74 76 Snort IDS alert for network traffic 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for URL or domain 2->80 82 12 other signatures 2->82 12 GMSetup.exe 2 2->12         started        16 system.exe 3 2->16         started        18 system.exe 2 2->18         started        20 system.exe 2->20         started        signatures3 process4 file5 64 C:\Users\user\AppData\Local\...behaviorgraphMSetup.tmp, PE32 12->64 dropped 92 Obfuscated command line found 12->92 22 GMSetup.tmp 34 18 12->22         started        signatures6 process7 file8 54 C:\Program Files (x86)\...\is-SS6EG.tmp, PE32 22->54 dropped 56 C:\Program Files (x86)\...\Desktop.exe (copy), PE32 22->56 dropped 58 C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ 22->58 dropped 60 2 other files (none is malicious) 22->60 dropped 25 Desktop.exe 6 22->25         started        process9 file10 62 C:\Program Files (x86)behaviorgrapheometryDash\qq.exe, PE32 25->62 dropped 28 qq.exe 1 7 25->28         started        31 cmd.exe 1 25->31         started        process11 file12 66 C:\Users\user\AppData\Roaming\system.exe, PE32 28->66 dropped 33 system.exe 2 9 28->33         started        38 conhost.exe 31->38         started        process13 dnsIp14 68 18.158.249.75, 16986, 49783, 49784 AMAZON-02US United States 33->68 70 18.192.31.165, 16986, 49803, 49809 AMAZON-02US United States 33->70 72 4 other IPs or domains 33->72 48 C:\svchost.exe, PE32 33->48 dropped 50 C:\...\b989150b0fb7ab15ed94baec0cf33f54.exe, PE32 33->50 dropped 52 C:\autorun.inf, Microsoft 33->52 dropped 84 Antivirus detection for dropped file 33->84 86 Multi AV Scanner detection for dropped file 33->86 88 Protects its processes via BreakOnTermination flag 33->88 90 7 other signatures 33->90 40 taskkill.exe 1 33->40         started        42 netsh.exe 1 3 33->42         started        file15 signatures16 process17 process18 44 conhost.exe 40->44         started        46 conhost.exe 42->46         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fafaa07d26fc1017ada9e6fa48663712b448d569b8c8c499f19e16c6031fcfc7/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2022-07-11 12:20:10 UTC
File Type:
PE (Exe)
AV detection:
21 of 26 (80.77%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7l5ka7jg7qibplnj435eqzrxck2ervljxdemjgprtylmmay7z7dq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220711-phstxshaaj/
Behaviour
Suspicious use of WriteProcessMemory
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
2da4fcfa3c04239552c6ae9ffba1f39f9a3cd4e56b90665af8c15ada4486305d
MD5 hash:
106fb11b1b25dca687b5874189cd14ff
SHA1 hash:
ca227aca5d99d8b67ebfe3e867e9ffe187f5419b
Link:
https://www.unpac.me/results/eeb129ea-59ca-4566-957a-81e9f6549177/
SH256 hash:
7be30eeb2f7648333091c1cce44a0f6242cbacd91fda6dc25ff3edbc3aa24d76
MD5 hash:
a6ae429772d3816ffe8ca7d972321b82
SHA1 hash:
b81f8eab8d16cee3813fcbf76ff397ffa415eb14
Link:
https://www.unpac.me/results/eeb129ea-59ca-4566-957a-81e9f6549177/
SH256 hash:
fafaa07d26fc1017ada9e6fa48663712b448d569b8c8c499f19e16c6031fcfc7
MD5 hash:
ca9285e325d67d57d6391623a2ef4485
SHA1 hash:
b42b0562c330963289601159ae035f657361516a
Link:
https://www.unpac.me/results/eeb129ea-59ca-4566-957a-81e9f6549177/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fafaa07d26fc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fafaa07d26fc1017ada9e6fa48663712b448d569b8c8c499f19e16c6031fcfc7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe fafaa07d26fc1017ada9e6fa48663712b448d569b8c8c499f19e16c6031fcfc7

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/286220/

Comments