MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 39ea311cb6b0131d43cdbc20532029aae7f9239ed3b7e6a46c3c822741e8c655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	39ea311cb6b0131d43cdbc20532029aae7f9239ed3b7e6a46c3c822741e8c655
SHA3-384 hash:	a1bdf22a63f2e6b691b98f62d550816dd170b85ab15115dfc756fe22fe9b8c71eb7158e829b64189e4b071e24815ddb5
SHA1 hash:	9eacde4072a6884db43943e83860d9c036e98177
MD5 hash:	7ce9bd5c3fc06bc7727d14aaf2929e1e
humanhash:	winner-twelve-maryland-south
File name:	NHCIYUEGJZVIPHCJBJRIOD.ps1
Download:	download sample
Signature	njrat Create hunting rule
File size:	386'355 bytes
First seen:	2022-05-26 18:53:29 UTC
Last seen:	Never
File type:	ps1
MIME type:	text/plain
ssdeep	6144:0xhRC/36X1L1i1x1N1/Ko/KhuOBBrc9cWcBchcMXYUTp3tmedNn4X3:0kH/GBMv2
Threatray	244 similar samples on MalwareBazaar
TLSH	T10B841D2D1F736F4FA1993A5479114E08A0996A4CB0C918F6C9C23733C8FD9A28D7E76D
Reporter	MichaelGalde
Tags:	NjRAT ps1

Intelligence

File Origin

# of uploads :

# of downloads :

529

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Script.SNH-genTrj.20636.18374.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed packed replace.exe

Link:

https://www.filescan.io/uploads/628fcd09370bb1455cc851b8/reports/60244025-9711-4d85-9530-f4ffca38951e/overview

Result

Verdict:

UNKNOWN

Result

Threat name:

Njrat

Detection:

malicious

Classification:

troj.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/1002318

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Injects a PE file into a foreign processes

Malicious sample detected (through community Yara rule)

Snort IDS alert for network traffic

Writes to foreign memory regions

Yara detected Generic Downloader

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/39ea311cb6b0131d43cdbc20532029aae7f9239ed3b7e6a46c3c822741e8c655/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2022-05-26 18:54:16 UTC

File Type:

Text

AV detection:

1 of 41 (2.44%)

Threat level:

5/5

Verdict:

malicious

Label(s):

njrat

3cead87d0418ee97c2fbddf19c699c58203c40e524e76bb08f26dcce9eb6dfdf

njrat

448d23c53cc9f4a1a97683474c4e2e7a45ac05570effebc9018924a2c3cc44dc

njrat

84f416154320af7571f93624d2005f846720a86c59a003ccf6939d3599b7e52c

njrat

8dfe0003ce22bfa6f3123e30eb90e3d10e9ef16f7a206ffed6955846e0c11c06

njrat

bdbc7e20f13cee3e9ff2e82c41bd6f8740fec1ade4a0686b50c6eafce574341c

njrat

c46f8bdc611e253950773ca2daf8a59ebedd55b1d50c33b011a0709fe63c35e0

njrat

eb2b24470ff5572e47f2e39e4557f35a01233c68ce9b9db6b5eada127108d6ad

njrat

f1aea885141ff01f8db0c1eeea40190915f79a43d033c2e0f58784d87d540bad

njrat

+ 234 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat botnet:sheeda suricata trojan

Link:

https://tria.ge/reports/220526-xj7ngaaaar/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Drops startup file

njRAT/Bladabindi

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

Malware Config

C2 Extraction:

148.163.80.217:6668

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/39ea311cb6b0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/39ea311cb6b0131d43cdbc20532029aae7f9239ed3b7e6a46c3c822741e8c655

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	OBFUS_PowerShell_Replace_Tilde Create hunting rule
Author:	SECUINFRA Falcon Team
Description:	Detects usage of Replace to replace tilde. Often observed in obfuscation
Reference:	https://bazaar.abuse.ch/sample/4c391b57d604c695925938bfc10ceb4673edd64e9655759c2aead9e12b3e17cf/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample