MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 416f3b7993ceaa6819402c66c9b2de0a4de163cd9765dd8dffe81cdbab538c48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 416f3b7993ceaa6819402c66c9b2de0a4de163cd9765dd8dffe81cdbab538c48
SHA3-384 hash: c709a2260e8d46bdfef3aaf984ba0a175529d977e7cd9d9314d3a3b7bb22576f4d9d8f3a733f05f14f8dec0425a777d3
SHA1 hash: 91f69b2ac54c42fd64d83e91412e1e903d74c6e4
MD5 hash: 3c541111822f3cd1f538dd67ed1e018a
humanhash: whiskey-romeo-nuts-vermont
File name:payment.PDF.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:581 bytes
First seen:2021-05-24 17:44:00 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:oEFjPhku/mV/M29meCXGCE0YSMM+Cq7MMVaiOMI:RJPOsaC4SMMs7MMhzI
Threatray 18 similar samples on MalwareBazaar
TLSH 77F0F6C8100C21652FA218DB4E4F1D5C9218D574FBAFD620B56FE4A3A50F6E4466F742
Reporter abuse_ch
Tags:NjRAT RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.VBS.Heur.Zephyr.1.2E6171F6.Gen.22676.24354.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Sending a UDP request
Creating a file
Running batch commands
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/790661
Signature
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Obfuscated command line found
Powershell creates an autostart link
Sigma detected: MSHTA Spawning Windows Shell
Uses an obfuscated file name to hide its real file extension (double extension)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSILLoadEncryptedAssembly
Yara detected Njrat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 423060 Sample: payment.PDF.vbs Startdate: 24/05/2021 Architecture: WINDOWS Score: 100 49 new.libya2020.com.ly 2->49 61 Multi AV Scanner detection for domain / URL 2->61 63 Found malware configuration 2->63 65 Malicious sample detected (through community Yara rule) 2->65 67 7 other signatures 2->67 11 wscript.exe 1 2->11         started        signatures3 process4 signatures5 73 VBScript performs obfuscated calls to suspicious functions 11->73 75 Wscript starts Powershell (via cmd or directly) 11->75 14 powershell.exe 14 24 11->14         started        process6 dnsIp7 51 onedrive.live.com 14->51 53 d6zptg.bn.files.1drv.com 14->53 55 4 other IPs or domains 14->55 41 PowerShell_transcr....20210524195835.txt, UTF-8 14->41 dropped 43 C:\Users\Public\msi.ps1, ASCII 14->43 dropped 45 C:\ProgramData\Microsoft Arts\...\chrome.lnk, MS 14->45 dropped 57 Creates an undocumented autostart registry key 14->57 59 Powershell creates an autostart link 14->59 19 cmd.exe 1 14->19         started        22 conhost.exe 14->22         started        file8 signatures9 process10 signatures11 69 Obfuscated command line found 19->69 24 mshta.exe 19 19->24         started        27 conhost.exe 1 19->27         started        process12 signatures13 71 Bypasses PowerShell execution policy 24->71 29 powershell.exe 14 24->29         started        process14 signatures15 77 Writes to foreign memory regions 29->77 79 Injects a PE file into a foreign processes 29->79 32 aspnet_compiler.exe 2 5 29->32         started        35 aspnet_compiler.exe 4 29->35         started        37 conhost.exe 29->37         started        39 aspnet_compiler.exe 29->39         started        process16 dnsIp17 47 new.libya2020.com.ly 46.243.237.31, 1515 M247GB Netherlands 32->47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/416f3b7993ceaa6819402c66c9b2de0a4de163cd9765dd8dffe81cdbab538c48/
Threat name:
Script-WScript.Downloader.Zephyr
Create hunting rule
Status:
Malicious
First seen:
2021-05-24 17:44:10 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifxtw6mtz2vgqgkafrtmtmw6bjg6cy6ns5s53dp75aonxk2trrea._file
Verdict:
suspicious
Similar samples:
1b34eb8148662e0e7c52c0e316f01fd396e72a115d143868bc3cdc474b8ae01e
njrat
20fe42296f9029c30fca68a7ff0b2b81c8498c7df69c66f131232029c0277fb5
njrat
22d324acbf31c5772d53e0db23ead97333c08ada1b2be009d2aeb9ef38c68411
njrat
a550fdbbfd0b9b50ebff8877004ffa9914d0587c618389332c1c70a7b5b8bf0e
njrat
c05aa4fa8dde819670fc412f5db60eff7dffa25d9064ca10d29b18eb607416f6
njrat
d56d0c25380a2d547450c1f1f3374535e2689fe40d894b2b542921b16802a56d
njrat
d9d27f03e2f8bc97451296da9a7ddeac39ede3240306fa198bf898434b58c53c
njrat
df047189f75d998dc499072881c762fd001360f5cf184b801cb8c232b5c567f6
njrat
e63d3be538ff76863ee863299e16a554e83908abaab1b59128b398d898cebcf7
njrat
f81e70dd7eb0fa56a4c392c00f3552857a39b53222f0def135bf57c4cc0ef1d2
njrat
+ 8 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210524-qd64sl6sen/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/416f3b7993ceaa6819402c66c9b2de0a4de163cd9765dd8dffe81cdbab538c48

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments