MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd0026d4c45a28a6a810b3c8fe9b9f0e5929a52144088398c7994dc7ae40807a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd0026d4c45a28a6a810b3c8fe9b9f0e5929a52144088398c7994dc7ae40807a
SHA3-384 hash: e125c2dae470e00042dedf5779f56b430ab353816c5123da8483946ce3f5fabc5c1bd9cd93a99ac68a3f1e6b737b8c7d
SHA1 hash: b4d86cb80270c5644365b501e214828cd84a26d0
MD5 hash: 075e49ee69a826d394bc2a5844d27a12
humanhash: carbon-earth-oklahoma-saturn
File name:075e49ee69a826d394bc2a5844d27a12.exe
Download: download sample
Signature njrat
Create hunting rule
File size:4'820'992 bytes
First seen:2023-11-25 05:40:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 98304:RH0aix0hofBIJA91WExIRxar9cNqqCNtpa:RHvW0DAfWSIY+rCNt
Threatray 1'278 similar samples on MalwareBazaar
TLSH T12E26331736B88562D176D7B106F140E32836FA612F79C1EF53DEA8291D133A46A32F87
TrID 83.0% (.CPL) Windows Control Panel Item (generic) (197083/11/60)
6.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
4.4% (.EXE) Win64 Executable (generic) (10523/12/4)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.8% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon f8f0f4c8c8c8d8f0 (8'803 x RedLineStealer, 5'078 x Amadey, 288 x Smoke Loader)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
34.77.105.34:6152

Intelligence

File Origin
# of uploads :
1
# of downloads :
457
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/460120/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Сreating synchronization primitives
Sending a custom TCP request
Searching for the window
Creating a file in the %AppData% directory
Creating a process with a hidden window
Searching for synchronization primitives
DNS request
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Blocking the User Account Control
Unauthorized injection to a recently created process
Launching the process to change the firewall settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
advpack autoit CAB control explorer greyware installer keylogger lolbin lolbin mshtml packed rundll32 setupapi sfx shell32
Link:
https://www.filescan.io/uploads/656188ee2efa450749a458c9/reports/53598100-0930-4784-ac67-67140c16b13e/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/fd0026d4c45a28a6a810b3c8fe9b9f0e5929a52144088398c7994dc7ae40807a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9e481804-8d6b-4db7-a39b-bfeff0d668ca
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1347678
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Contains functionality to modify clipboard data
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Disables UAC (registry)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Snort IDS alert for network traffic
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1347678 Sample: tAe8OhE9gQ.exe Startdate: 25/11/2023 Architecture: WINDOWS Score: 100 49 itc.sytes.net 2->49 61 Snort IDS alert for network traffic 2->61 63 Multi AV Scanner detection for domain / URL 2->63 65 Found malware configuration 2->65 67 10 other signatures 2->67 11 tAe8OhE9gQ.exe 1 4 2->11         started        15 sv5.exe 3 2->15         started        17 rundll32.exe 2->17         started        19 2 other processes 2->19 signatures3 process4 file5 43 C:\Users\...\kfa21.3.10.391ru_uk_25765.exe, PE32 11->43 dropped 45 C:\Users\user\AppData\...\CryptedFile.exe, PE32 11->45 dropped 77 Creates multiple autostart registry keys 11->77 21 CryptedFile.exe 1 9 11->21         started        25 kfa21.3.10.391ru_uk_25765.exe 4 66 11->25         started        signatures6 process7 file8 39 C:\Users\user\AppData\Local\Temp\...\3822.exe, PE32 21->39 dropped 69 Antivirus detection for dropped file 21->69 71 Multi AV Scanner detection for dropped file 21->71 73 Machine Learning detection for dropped file 21->73 75 2 other signatures 21->75 27 3822.exe 1 5 21->27         started        41 C:\Users\user\AppData\Local\...\setup.dll, PE32 25->41 dropped signatures9 process10 file11 47 C:\Users\user\AppData\Roaming\sv5.exe, PE32 27->47 dropped 79 Antivirus detection for dropped file 27->79 81 Multi AV Scanner detection for dropped file 27->81 83 Machine Learning detection for dropped file 27->83 31 sv5.exe 4 4 27->31         started        signatures12 process13 dnsIp14 51 itc.sytes.net 34.77.105.34, 49738, 6152 GOOGLEUS United States 31->51 53 Antivirus detection for dropped file 31->53 55 Multi AV Scanner detection for dropped file 31->55 57 Protects its processes via BreakOnTermination flag 31->57 59 5 other signatures 31->59 35 netsh.exe 2 31->35         started        signatures15 process16 process17 37 conhost.exe 35->37         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/fd0026d4c45a28a6a810b3c8fe9b9f0e5929a52144088398c7994dc7ae40807a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd0026d4c45a28a6a810b3c8fe9b9f0e5929a52144088398c7994dc7ae40807a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-11-21 03:30:00 UTC
File Type:
PE+ (Exe)
Extracted files:
281
AV detection:
18 of 23 (78.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7uacnvgeliuknkaqwpep5g47bzmstjjbiqeihgghtfg4plsaqb5a._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
22c729d8f90b69b76d5a3f5f2dce8c149ff62d25f2b6d8d60a9557d4b0ebdc07
njrat
2551a571a99fb4d75cdcb33388ee46757767d949fb098658e38144f77733db97
njrat
2c916a10a631eaf7666091451c1b618a4bc6e2c159306d9723b6f0ab54e579fe
njrat
3888e180beb35b0ebef5b78b77e27f47879ea46b32adee17e65278d3d3a7fe47
njrat
78973c8f956a77c6c88aa4b508ce289d2c59966e1e7f2af4fc9cfd9e2368df66
njrat
78cb0c7ea82e64dec145b41cd56d77693e75e312f27a83ae102680233089f549
njrat
fce1030962997ccaf65a9ac2fcb94e4f834ff6f9b007f757773202a0ebdc5ebb
njrat
fd0026d4c45a28a6a810b3c8fe9b9f0e5929a52144088398c7994dc7ae40807a
njrat
+ 1'268 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:personage_loc2 evasion persistence trojan
Link:
https://tria.ge/reports/231125-gde39she9y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
AutoIT Executable
Adds Run key to start application
Checks for any installed AV software in registry
Checks whether UAC is enabled
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
UAC bypass
njRAT/Bladabindi
Malware Config
C2 Extraction:
itc.sytes.net:6152
Unpacked files
SH256 hash:
fd0026d4c45a28a6a810b3c8fe9b9f0e5929a52144088398c7994dc7ae40807a
MD5 hash:
075e49ee69a826d394bc2a5844d27a12
SHA1 hash:
b4d86cb80270c5644365b501e214828cd84a26d0
Link:
https://www.unpac.me/results/c3e655cb-c64c-400d-ac07-c87a79109231/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fd0026d4c45a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd0026d4c45a28a6a810b3c8fe9b9f0e5929a52144088398c7994dc7ae40807a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/460120/

Comments