MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff538c5a421374310cbf49a8cd574ec5492861cc86f7ca1719f03b3473ee3630. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff538c5a421374310cbf49a8cd574ec5492861cc86f7ca1719f03b3473ee3630
SHA3-384 hash: b886e40bf0002399e4e498d611e78284cfcd0ab71655b90f31acdd4b94ed2496239c250e65afb9782ceeb6f4512a3a60
SHA1 hash: edd2ddc7484f13e7917e49bad0ad47576ebda279
MD5 hash: 33a4d0c52af54627fbd2068dcdcaba2b
humanhash: jupiter-fifteen-hydrogen-louisiana
File name:ff538c5a421374310cbf49a8cd574ec5492861cc86f7ca1719f03b3473ee3630
Download: download sample
Signature njrat
Create hunting rule
File size:3'675'740 bytes
First seen:2021-09-23 06:37:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 98304:JlULCIhnnwBjxyhmwXSj74UV8/BzBBR2Sda:yCIhnnwBhL+BzI7
Threatray 1'016 similar samples on MalwareBazaar
TLSH T13A063301F8C061B3D66168759A76BA527A3D7E204F21C6DB93E4AE5DED340C06332BB7
File icon (PE):PE icon
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter JAMESWT_WT
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ff538c5a421374310cbf49a8cd574ec5492861cc86f7ca1719f03b3473ee3630
Verdict:
Malicious activity
Analysis date:
2021-09-23 06:56:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dab9e836-d6ed-429e-9445-3688184ccd75

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/190532/
Detection(s):
Win.Packed.Bladabindi-9840992-0
Create hunting rule

SecuriteInfo.com.Gen.Variant.Razy.582340.18684.14597.UNOFFICIAL
Create hunting rule

Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d29c3cb6-5b13-4275-9be4-6b5cfe617e42
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
spre.troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/856211
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Creates autorun.inf (USB autostart)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to evade analysis by execution special instruction which cause usermode exception
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 488639 Sample: oKCicGQ5eG Startdate: 23/09/2021 Architecture: WINDOWS Score: 100 71 Malicious sample detected (through community Yara rule) 2->71 73 Antivirus detection for dropped file 2->73 75 Multi AV Scanner detection for dropped file 2->75 77 7 other signatures 2->77 12 oKCicGQ5eG.exe 9 2->12         started        process3 file4 53 C:\Users\user\AppData\...\????????.sfx.exe, PE32 12->53 dropped 55 C:\Users\...\ks4.021.3.10.391ru_25000.exe, PE32 12->55 dropped 15 ????????.sfx.exe 8 12->15         started        process5 file6 57 C:\Users\user\AppData\Local\...\????????.exe, PE32 15->57 dropped 67 Multi AV Scanner detection for dropped file 15->67 19 ????????.exe 7 15->19         started        signatures7 process8 signatures9 79 Antivirus detection for dropped file 19->79 81 Multi AV Scanner detection for dropped file 19->81 83 Detected unpacking (changes PE section rights) 19->83 85 4 other signatures 19->85 22 server.exe 2 17 19->22         started        process10 file11 47 C:\system.exe, PE32 22->47 dropped 49 C:\Umbrella.flv.exe, PE32 22->49 dropped 51 C:\autorun.inf, Microsoft 22->51 dropped 89 Antivirus detection for dropped file 22->89 91 Multi AV Scanner detection for dropped file 22->91 93 Creates autorun.inf (USB autostart) 22->93 95 8 other signatures 22->95 26 svchost.exe 5 22->26         started        29 netsh.exe 1 3 22->29         started        signatures12 process13 signatures14 97 Antivirus detection for dropped file 26->97 99 Multi AV Scanner detection for dropped file 26->99 101 Detected unpacking (changes PE section rights) 26->101 103 4 other signatures 26->103 31 server.exe 12 26->31         started        35 conhost.exe 29->35         started        process15 file16 59 C:\Windows\SysWOW64xplower.exe, PE32 31->59 dropped 61 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32 31->61 dropped 63 C:\Users\user\...\Microsoft Corporation.exe, PE32 31->63 dropped 65 2 other malicious files 31->65 dropped 69 Hides threads from debuggers 31->69 37 svchost.exe 31->37         started        41 netsh.exe 31->41         started        signatures17 process18 file19 45 C:\Users\user\AppData\Roaming\server.exe, PE32 37->45 dropped 87 Hides threads from debuggers 37->87 43 conhost.exe 41->43         started        signatures20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff538c5a421374310cbf49a8cd574ec5492861cc86f7ca1719f03b3473ee3630/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2021-09-20 07:41:39 UTC
AV detection:
22 of 45 (48.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=75jyywsccn2dcdf7jgum2v2oyvesqyomq334ufyz6a5ti47ogyya._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
02e942f8c34ceff45b57b50cd0790d3139c4903c6aec68d434e97e9c334dc76c
njrat
4f21ab65d432de2cf873d496e6a54514e12c62f4cc12623cab84f001b7380cb2
njrat
6aae470221ba1879a26af8172df018f07eafa1f26857a8b33092b7da5582317c
njrat
7e4bc5c98691dd99d7c856dc26110113c15d72fb5b8a73db75a9c9b2bee021e2
njrat
7fb40d2c4011f9aa66d25183702ac6872fff070ff9c7433fab6d3785ebc95f4c
njrat
8080524135f4518bd83acbe95dc37cb615fdcf4be70308a6e9555060ecd2f10c
njrat
a80220c129dabdfc9a8159b120994e4e8a21b8c7a4709b8c6df717401d7b3924
njrat
b0b851f99f1cc076735446c7604066a790017d08654f864851622781847ea92e
njrat
d2330df06094349f53773a89ff96e2f009e744b249fb1960e536bbbfaf7b5321
njrat
+ 1'006 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:xmrig evasion miner
Link:
https://tria.ge/reports/210923-hd3p1afcd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops autorun.inf file
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops startup file
Loads dropped DLL
Disables Task Manager via registry modification
Executes dropped EXE
Modifies Windows Firewall
xmrig
Unpacked files
SH256 hash:
863c15a9452859a3128f106a0b1ce06cc80585b83cd9e0699031992017b88591
MD5 hash:
5c97fff9a5bce935ab26aa4ff389c6e0
SHA1 hash:
943b2a0e0518c6e0c80c16ada209c904ee26f325
Link:
https://www.unpac.me/results/799b4d20-06ab-48e3-9cd0-2f2ec2940d5e/
SH256 hash:
ff538c5a421374310cbf49a8cd574ec5492861cc86f7ca1719f03b3473ee3630
MD5 hash:
33a4d0c52af54627fbd2068dcdcaba2b
SHA1 hash:
edd2ddc7484f13e7917e49bad0ad47576ebda279
Link:
https://www.unpac.me/results/799b4d20-06ab-48e3-9cd0-2f2ec2940d5e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff538c5a421374310cbf49a8cd574ec5492861cc86f7ca1719f03b3473ee3630

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:EnigmaStub
Create hunting rule
Author:@bartblaze
Description:Identifies Enigma packer stub.
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_LightDefender_Njrat_Rule
Create hunting rule
Author:Skystars LightDefender
Description:Detects Njrat
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_smominru_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.smominru.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/190532/

Comments