MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bf5f251905471ab07782554a58cfa444e4693c4b1ecad16471c489924fd1fe3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 7 File information Comments

SHA256 hash:	3bf5f251905471ab07782554a58cfa444e4693c4b1ecad16471c489924fd1fe3
SHA3-384 hash:	3663cce96f26334d8cbecca8b3d44240c18bf9b6b0d3f8b6b363e1f48495c72f22319d711200b087fa309de11d93430e
SHA1 hash:	4ee3d2cb05f798845fc47e2b8735380fbc09f501
MD5 hash:	6672396fbc8d95998e078ddbc3b67085
humanhash:	kitten-network-river-pip
File name:	FEDSD87210078.vbs
Download:	download sample
Signature	njrat Create hunting rule
File size:	1'248 bytes
First seen:	2021-08-12 12:26:31 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24:fPqR2zR8GvsSN/XxGTXO2UEcNbgygWVRaZ:fPaW8GPBXe7UEc+yZLQ
Threatray	3'987 similar samples on MalwareBazaar
TLSH	T1A521F6034C98EC96164CF54122838DE4C263A7B70B8D2636187965132DAC79EBD4DF5B
Reporter	abuse_ch
Tags:	NjRAT RAT vbs

abuse_ch

njrat C2:
103.147.184.73:7103

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
103.147.184.73:7103	https://threatfox.abuse.ch/ioc/174267/

Intelligence

File Origin

# of uploads :

# of downloads :

361

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/178705/

Result

Verdict:

UNKNOWN

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/831748

Signature

Creates an undocumented autostart registry key

Obfuscated command line found

Sigma detected: Suspicious PowerShell Command Line

VBScript performs obfuscated calls to suspicious functions

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3bf5f251905471ab07782554a58cfa444e4693c4b1ecad16471c489924fd1fe3/

Threat name:

Script.Downloader.Heuristic

Status:

Malicious

First seen:

2021-08-12 12:27:04 UTC

AV detection:

2 of 46 (4.35%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hp27eumqkry2wb3yevkkldh2irhene6ewhwk2fshdrejsjh5d7rq._file

Verdict:

malicious

Label(s):

asyncrat

avemaria

nanocorerat

njrat

127a77aec69d301ec0eff62153eb160c7a195df26de7ac8617572b2433be6528

njrat

18b96a50da281d031e2ce58c2143a9c1bf4868c710bbcc61b7d147038b449e2b

njrat

1c6adefb631929c92c652eaad245e909b6fc8e872b24a026d7d5bdd385ef0b73

njrat

ce30c428376eac3095f203ebe88f94a38737dc82f2ad018b2ae6c8569b389c5a

njrat

dcb73a0ea23548167bd5724418377fe1e8c88f1be3125c0df6cc89722bb26f33

njrat

f1041f8beb103e1f63fa8d5234ed3b5a55a37d1c675755040dbb08836c210a90

njrat

+ 3'977 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat rat suricata

Link:

https://tria.ge/reports/210812-kgvt64tdx6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Blocklisted process makes network request

Async RAT payload

AsyncRat

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Malware Config

C2 Extraction:

103.147.184.73:7920

Dropper Extraction:

http://transfer.sh/1suBwJb/book_bypass.txt

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/3bf5f2519054/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3bf5f251905471ab07782554a58cfa444e4693c4b1ecad16471c489924fd1fe3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_disclosed_20180208_c Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse Create hunting rule
Author:	ditekSHen
Description:	Detects file containing reversed ASEP Autorun registry keys

Rule name:	INDICATOR_SUSPICIOUS_EXE_attrib Create hunting rule
Author:	ditekSHen
Description:	Detects executables using attrib with suspicious attributes attributes

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/178705/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample