MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c6adefb631929c92c652eaad245e909b6fc8e872b24a026d7d5bdd385ef0b73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c6adefb631929c92c652eaad245e909b6fc8e872b24a026d7d5bdd385ef0b73
SHA3-384 hash: 35e7d373016e6e8ca66b8ff22f14b22ab9a090568f870691c1cdd2a5a8c1ddfdd36ebde74d01b5b31b48baca7ff07759
SHA1 hash: 7fcf17c5a51e19d0b2def5719a36b581f391d9fc
MD5 hash: 0f5caf7f3e8ccbee02e21575b337d031
humanhash: sixteen-robert-skylark-low
File name:W002.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:727 bytes
First seen:2021-08-11 15:20:51 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:dXVlTX7Fl9kQOGv9IXOMBNpQf+8irXWMMeRo8N5zliwqhP/jvVlg7:Tl7FeG9gOSNpdXLMeyMgV67
Threatray 426 similar samples on MalwareBazaar
TLSH T1A0014C00B901F1F39106F747DEF11379A6E7B6A49891F991206C869F10BB4AE3E83E50
Reporter abuse_ch
Tags:NjRAT RAT vbs

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
13.77.222.211:7827 https://threatfox.abuse.ch/ioc/171885/

Intelligence

File Origin
# of uploads :
1
# of downloads :
415
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/178309/
Detection(s):
SecuriteInfo.com.VBS.Agent.VRQtr.199.6824.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/831079
Signature
Creates an undocumented autostart registry key
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
VBScript performs obfuscated calls to suspicious functions
Wscript starts Powershell (via cmd or directly)
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c6adefb631929c92c652eaad245e909b6fc8e872b24a026d7d5bdd385ef0b73/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-08-11 15:21:06 UTC
AV detection:
3 of 46 (6.52%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=drvn563ddeu4sldff2vnerpjbg3pzduhfmskajwx2w65hbppbnzq._file
Verdict:
malicious
Similar samples:
62820764aa07d5d7aa0cd0f3f6decc6aa576fcd411e7561646151aa77d765174
njrat
87f4a4c323f26710b7acdc123173fa63f4ccb4f3c8239dfaa489ee69ab89f7cc
njrat
88614f9e923a5d979c64bee190f05f0932bc01f351ded417c59e1b2a92be560b
njrat
a895ff58cb18d3a5fa3900d36f150c9a1bd213240f77ef8218fec015d6355825
njrat
ab59fbf0ee10b8c5428479b1f5dfdb5cfc87dd40407b3742814ab34611f32b1d
njrat
ce30c428376eac3095f203ebe88f94a38737dc82f2ad018b2ae6c8569b389c5a
njrat
dcb73a0ea23548167bd5724418377fe1e8c88f1be3125c0df6cc89722bb26f33
njrat
eeeb29513e624adb88d3c2e9f89379361aa356001dc338cb6ec9034a48bdc2cd
njrat
f44394f10dd10600a8f25093e76fac442c594ea85debf6bfea0933766529f747
njrat
+ 416 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat persistence suricata trojan upx
Link:
https://tria.ge/reports/210811-8fxbtrycwj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
UPX packed file
BitRAT
BitRAT Payload
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Malware Config
Dropper Extraction:
http://transfer.sh/1tECsY6/REd.txt
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/1c6adefb6319/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c6adefb631929c92c652eaad245e909b6fc8e872b24a026d7d5bdd385ef0b73

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

Visual Basic Script (vbs) vbs 1c6adefb631929c92c652eaad245e909b6fc8e872b24a026d7d5bdd385ef0b73

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/178309/

Comments