MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9eb46ce54466b221c7f56d3af4c22be517472189d7e907ead1b4c3fa4cfeb831. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	9eb46ce54466b221c7f56d3af4c22be517472189d7e907ead1b4c3fa4cfeb831
SHA3-384 hash:	b0f357c2291321f506fc6b6a8f626306b2e6b17fbf21b961478ebdd814331fbff5b6baf8a63e4165a72d3c6b280008e1
SHA1 hash:	e91593b1a0e7df15765b33250477f584f12d42c0
MD5 hash:	ea7a70eb4f75f34597cea8f569a39543
humanhash:	batman-nitrogen-comet-island
File name:	RFQ.scr
Download:	download sample
Signature	njrat Create hunting rule
File size:	331'216 bytes
First seen:	2020-07-07 18:26:34 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	3072:JdgsFpAi9lLWZfCzAR9cHf3buyzTLopGMJummrv591cQJspT8I6YG1o:vFpAi7WI9fayvMpGMJuHJipT8I6Lo
Threatray	210 similar samples on MalwareBazaar
TLSH	F364280CBBD5E02FCE6A493EB423CAA4D1259D526103D3DB7C46B1B41B376EF8A641E1
Reporter	abuse_ch
Tags:	NjRAT RAT scr

abuse_ch

Malspam distributing njrat:

HELO: ne.newwebcity.live
Sending IP: 45.95.171.25
From: Jeremy Vanhoegaerden <order@cognizant-be.com>
Subject: P.O_JULY (Begium)
Attachment: NEW-P.O JULY_2020.doc.IMG (contains "RFQ.scr")

NjRAT C2:
donugobillions.duckdns.org:1176 (37.120.140.167)

Intelligence

File Origin

# of uploads :

# of downloads :

310

Origin country :

n/a

Vendor Threat Intelligence

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/22400/

Detection(s):

PUA.Win.Adware.Browsefox-6628766-0

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Running batch commands

Launching a process

Creating a file in the %AppData% subdirectories

Creating a process from a recently created file

DNS request

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a recently created process by context flags manipulation

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9eb46ce54466b221c7f56d3af4c22be517472189d7e907ead1b4c3fa4cfeb831/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-07 18:28:08 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t22gzzkem2zcdr7vnu5pjqrl4uluoimj27uqp2wrwtb7uth6xayq._file

Verdict:

malicious

Label(s):

agenttesla

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200707-vpcshvw2kn/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of SetThreadContext

Adds Run entry to start application

Loads dropped DLL

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

img 8ab2f3fab2f7797a180848274f3464710a963382776080210b7fe1b49594acb8

njrat

exe 9eb46ce54466b221c7f56d3af4c22be517472189d7e907ead1b4c3fa4cfeb831

(this sample)

Dropped by

MD5 766433ee95a1b414a9706b3731401dc3

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/22400/

Dropped by

SHA256 8ab2f3fab2f7797a180848274f3464710a963382776080210b7fe1b49594acb8

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample