MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b58425d746d06b145008132053d1f57079cf757eaae75b589b7950f2d95f88a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3b58425d746d06b145008132053d1f57079cf757eaae75b589b7950f2d95f88a
SHA3-384 hash: b5217c4a9e4463eedb85465c1c923fcb0855a5a70d492ffcd8b28a12f818a7e3248723f3e99c9be99d6d066c37038224
SHA1 hash: cc77704a0c0f6789463f428636b066b0359763e3
MD5 hash: 4661189a896b8d9b46bdc7f493293e58
humanhash: spring-massachusetts-salami-jupiter
File name:openword1.ps1
Download: download sample
Signature njrat
Create hunting rule
File size:393'474 bytes
First seen:2022-05-26 18:49:04 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 6144:MxhRC/36X1L1i1x1N1/Ko/KhuOBBrc9cWcBchcMXYUTp3tmedNn4Xc:MkH/GBMvL
Threatray 290 similar samples on MalwareBazaar
TLSH T1EC841F2D1F736F4FA2993A5479114E08B099664CB0C918F6C9C23733C8FD9A2897E76D
Reporter MichaelGalde
Tags:NjRAT ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
521
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PowerShell.Runner.AQ.29578.6753.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1002313
Signature
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PowerShell case anomaly found
Writes to foreign memory regions
Yara detected Generic Downloader
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 634809 Sample: openword1.ps1 Startdate: 26/05/2022 Architecture: WINDOWS Score: 100 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 Multi AV Scanner detection for submitted file 2->52 54 5 other signatures 2->54 8 powershell.exe 28 2->8         started        12 powershell.exe 8 2->12         started        14 powershell.exe 2->14         started        16 wscript.exe 2->16         started        process3 file4 42 C:\ProgramData\...\QPXCNKQPGRJWIWPIQLPDOP.ps1, ASCII 8->42 dropped 44 C:\ProgramData\...\QPXCNKQPGRJWIWPIQLPDOP.bat, ASCII 8->44 dropped 56 Bypasses PowerShell execution policy 8->56 18 powershell.exe 33 8->18         started        20 conhost.exe 8->20         started        22 cmd.exe 1 12->22         started        24 conhost.exe 12->24         started        26 cmd.exe 14->26         started        28 conhost.exe 14->28         started        signatures5 process6 process7 30 wscript.exe 18->30         started        33 powershell.exe 22->33         started        35 powershell.exe 26->35         started        signatures8 58 Creates processes via WMI 30->58 60 Writes to foreign memory regions 33->60 62 Injects a PE file into a foreign processes 33->62 37 jsc.exe 33->37         started        40 jsc.exe 35->40         started        process9 dnsIp10 46 148.163.80.217, 49768, 6668 IOFLOODUS United States 37->46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3b58425d746d06b145008132053d1f57079cf757eaae75b589b7950f2d95f88a/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-26 18:50:17 UTC
File Type:
Text (VBS)
AV detection:
3 of 40 (7.50%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
1b5ae550c7aaa211a5964cded7cf7752400467513a66643076e3723d868afbcb
njrat
32c17b45985fbefcf67e054af34e00eb56c0577edfa13d03abb2b8d8e041a513
njrat
39ea311cb6b0131d43cdbc20532029aae7f9239ed3b7e6a46c3c822741e8c655
njrat
3cead87d0418ee97c2fbddf19c699c58203c40e524e76bb08f26dcce9eb6dfdf
njrat
8dfe0003ce22bfa6f3123e30eb90e3d10e9ef16f7a206ffed6955846e0c11c06
njrat
bdbc7e20f13cee3e9ff2e82c41bd6f8740fec1ade4a0686b50c6eafce574341c
njrat
beb3054ea8b10d507ef20e05f6887042244de6c8f70bbcc5065b6ff1aa546f10
njrat
c46f8bdc611e253950773ca2daf8a59ebedd55b1d50c33b011a0709fe63c35e0
njrat
e51d5a34e88b31078df596dfc8a162c2cd2a0d4e3d3e8228301e3cec9f88d22c
njrat
eb2b24470ff5572e47f2e39e4557f35a01233c68ce9b9db6b5eada127108d6ad
njrat
+ 280 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:sheeda suricata trojan
Link:
https://tria.ge/reports/220526-xgxeqaeab7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops startup file
Process spawned unexpected child process
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
148.163.80.217:6668
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3b58425d746d06b145008132053d1f57079cf757eaae75b589b7950f2d95f88a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:OBFUS_PowerShell_Replace_Tilde
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects usage of Replace to replace tilde. Often observed in obfuscation
Reference:https://bazaar.abuse.ch/sample/4c391b57d604c695925938bfc10ceb4673edd64e9655759c2aead9e12b3e17cf/
Rule name:SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments