MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d04a0d8fac45912b00ddc206423b2a0536e2a035642729535852f6d163946ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat
Vendor detections: 9

SHA256 hash: 2d04a0d8fac45912b00ddc206423b2a0536e2a035642729535852f6d163946ee
SHA3-384 hash: 325dab2029fa82911584d9c1552088264b6c74eab06439f236b2af2417a0ee10908c14101466e7fab05e1d07658f4c48
SHA1 hash: 71934dc525d7cff4d493a5737d34188dd1906ec4
MD5 hash: 9dc5849357ad8c24dee16b6103c76e07
humanhash: ceiling-berlin-uniform-lake
File name: tmpuB1xoC.vbs
Signature: njrat
File size: 775'862 bytes
First seen: 2022-08-06 06:30:56 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 192:sG3GGmGLG35GNPhYHzbSHPADT5f03MbRmVH0zBd0grSpGBzGGGGGGGhGGGGGGGCa:tiR35vRTnV1hd
TLSH: T1EEF4004A35F6AD7DCCE205331EAFFC997B7DB9126C3D255A60F203068EC26421E4619E
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
      33.3% (.MP3) MP3 audio (1000/1)
Reporter: 0xToxin
Tags: NjRAT RAT vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 277
Origin country: n/a
Vendor Threat Intelligence

Verdict: No Threat
Threat level: 10/10
Confidence: 100%
Tags: javascript

Result
Verdict: MALICIOUS

Result
Threat name:
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature:
  .NET source code contains potential unpacker
  .NET source code references suspicious native API functions
  Antivirus / Scanner detection for submitted sample
  Antivirus detection for dropped file
  Contains functionality to log keystrokes (.Net Source)
  Drops VBS files to the startup folder
  Injects a PE file into a foreign processes
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Obfuscated command line found
  Sigma detected: Drops script at startup location
  Snort IDS alert for network traffic
  Suspicious powershell command line found
  Uses dynamic DNS services
  VBScript performs obfuscated calls to suspicious functions
  Writes to foreign memory regions
  Wscript starts Powershell (via cmd or directly)
  Yara detected Generic Downloader
  Yara detected Njrat
Behaviour
Behavior Graph:
Behavior Graph ID: 679649
Sample: tmpuB1xoC.vbs
Start date: 06/08/2022
Architecture: WINDOWS
Score: 100
Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 9 other signatures

Process tree (recovered from the behavior graph):
  wscript.exe
    signatures: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly)
    powershell.exe
      signatures: Suspicious powershell command line found; Obfuscated command line found; Drops VBS files to the startup folder
      powershell.exe
        network: cdn.discordapp.com 162.159.133.233, ports 443, 49739, 49740 (CLOUDFLARENETUS, United States)
        dropped: C:\Users\user\...\VU45vy.vbs:Zone.Identifier (ASCII)
        dropped: C:\Users\user\AppData\Roaming\...\VU45vy.vbs (Little-endian)
        signatures: Writes to foreign memory regions; Injects a PE file into a foreign processes
        RegSvcs.exe
          network: puerto2547.duckdns.org 190.70.123.162, ports 2547, 49742 (EPMTelecomunicacionesSAESPCO, Colombia)
          network: 192.168.2.1 (unknown, unknown)
      conhost.exe
      BackgroundTransferHost.exe
  wscript.exe
    powershell.exe
      powershell.exe
        network: 162.159.135.233, ports 443, 49758, 49759 (CLOUDFLARENETUS, United States)
        RegSvcs.exe
      conhost.exe

Threat name: Script.Trojan.Heuristic
Status: Malicious
First seen: 2022-08-06 06:31:08 UTC
File Type: Text (VBS)
AV detection: 8 of 26 (30.77%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:njrat trojan
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Suspicious use of SetThreadContext
  Checks computer location settings
  Drops startup file
  Blocklisted process makes network request
  njRAT/Bladabindi
Malware Config
C2 Extraction: puerto2547.duckdns.org:2547
Dropper Extraction: https://cdn.discordapp.com/attachments/979582020927774773/980218074567421972/dl.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Signature: njrat
  Sample: Visual Basic Script (vbs) 2d04a0d8fac45912b00ddc206423b2a0536e2a035642729535852f6d163946ee (this sample)

Delivery method: Distributed via e-mail attachment
