MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3e7c51d2872014402332aa1e75d853db3d157c7521908852363618a3cdcc5be9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat
Vendor detections: 9

SHA256 hash: 3e7c51d2872014402332aa1e75d853db3d157c7521908852363618a3cdcc5be9
SHA3-384 hash: 061cffd48327a680c0c2eb19fab87a635f5d9408dec47997060c10b8af019c40ca34632f206ab4a89110e33b5ebe41b0
SHA1 hash: 7c6b915684cacddeff53b78394e07789b55d0b2a
MD5 hash: a124bd8fd1451e19150b422695548e0e
humanhash: delta-magnesium-florida-arizona
File name: QA6433_#002.vbs
Signature: njrat
File size: 1'592 bytes
First seen: 2021-11-23 15:19:42 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24:71IcHsVhhVF1htV/OveCCGzhVS8k8k8k8k8kkk8k8k8k8k8kK8k8k8k8k8kDK8kv:p2F1B/OveChj5jZgri4
Threatray: 127 similar samples on MalwareBazaar
TLSH: T1D53182E1BA383BA1C323AAEC63419D31A1745437D590CDBF7F5CC0DA65D80600C8B5CA
Reporter: abuse_ch
Tags: NjRAT vbs

Intelligence

File Origin
# of uploads: 1
# of downloads: 285
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: powershell

Result
Verdict: UNKNOWN

Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Detected njRat
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Sigma detected: Change PowerShell Policies to a Unsecure Level
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses netsh to modify the Windows network and firewall settings
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Njrat
Behaviour

Behavior Graph (ID 527334; sample QA6433_#002.vbs; start date 23/11/2021; architecture WINDOWS; score 100). Process chain and per-process findings recovered from the rendered graph:

wscript.exe
    VBScript performs obfuscated calls to suspicious functions
    Wscript starts Powershell (via cmd or directly)
  powershell.exe
    Network: fs13n4.sendspace.com (69.31.136.57, 443, 49753; GTT-BACKBONEGTTDE, United States)
    Dropped file: C:\Users\Public\Downloads\HBar.ps1 (ASCII)
    Creates an undocumented autostart registry key
    Bypasses PowerShell execution policy
    conhost.exe
    powershell.exe
      Writes to foreign memory regions
      Injects a PE file into a foreign processes
      aspnet_regsql.exe
        Network: 13.92.159.78 (49810, 6434; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
        Uses netsh to modify the Windows network and firewall settings
        Modifies the windows firewall
        netsh.exe
          conhost.exe

Sample-level signatures in the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Detected njRat; 5 other signatures.
Threat name: Script-WScript.Trojan.Heuristic
Status: Malicious
First seen: 2021-11-23 15:20:15 UTC
File Type: Text (VBS)
AV detection: 9 of 44 (20.45%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:njrat botnet:hacked evasion suricata trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Modifies Windows Firewall
Blocklisted process makes network request
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
Dropper Extraction: https://fs13n4.sendspace.com/dlpro/3137f454c7a01624c025f577c50150f1/619cfd5e/tza6mk/HSJWE.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  njrat
  Visual Basic Script (vbs) 3e7c51d2872014402332aa1e75d853db3d157c7521908852363618a3cdcc5be9 (this sample)

Delivery method: Distributed via e-mail attachment
