MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 418328a5e258a80cb3b3f29c4f645d926e1ae88a1c5834153fa9c9e89324b34a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 418328a5e258a80cb3b3f29c4f645d926e1ae88a1c5834153fa9c9e89324b34a
SHA3-384 hash: 0f7f031f94f7b850081eccb8cf03afbd0561242215bfc44777b5e1e862b1ee52f1a752a686c0016bc5620081bb86f89e
SHA1 hash: c02916b8f768cd82007578380c88df807b0f7a8d
MD5 hash: 428955314dac479f78dcca50bd51dbfa
humanhash: fruit-mike-kitten-wolfram
File name:Sample Order.doc
Download: download sample
Signature njrat
Create hunting rule
File size:177'152 bytes
First seen:2020-07-22 05:21:24 UTC
Last seen:2020-07-22 05:47:16 UTC
File type:Word file doc
MIME type:application/msword
ssdeep 3072:bILb/a6eCMtSRmaiETN4rL2BmIMwNSnJDmm81QWjP1zE:c+CRDim2rqxMwNAJX8ewP1g
TLSH 5A04D00670A1FE12E46258328DE6C2D57B36BE5B9D42860F764C371C6F726BC8E46387
Reporter abuse_ch
Tags:doc Endurance NjRAT RAT


Avatar
abuse_ch
Malspam distributing njrat:

HELO: 162-144-86-207.unifiedlayer.com
Sending IP: 162.144.86.207
From: Zahid Kahid <info@oldbelize.com>
Reply-To: rpltayag@gmail.com
Subject: ORDER
Attachment: Sample Order.doc

NjRAT payload URL:
http://198.23.213.30/word.exe

NjRAT C2:
xvetcons085.linkpc.net:6694 (54.37.36.116)

Intelligence

File Origin
# of uploads :
2
# of downloads :
246
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
MiscreantPunch.EvilMacro.AODBWSRBMS.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.DL.170224.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CROAndTheTangerineDream.M1.20200630.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.CROAndTheTangerineDream.M2.20200630.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a file
Unauthorized injection to a recently created process by context flags manipulation
Sending an HTTP GET request to an infection source by exploiting the app vulnerability
Creating a process from a recently created file
Result
Threat name:
njRat
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394284
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249512 Sample: Sample Order.doc Startdate: 22/07/2020 Architecture: WINDOWS Score: 100 60 Malicious sample detected (through community Yara rule) 2->60 62 Antivirus detection for dropped file 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 18 other signatures 2->66 11 WINWORD.EXE 136 78 2->11         started        16 svchost.exe 2 2->16         started        18 svchost.exe 2->18         started        20 svchost.exe 2->20         started        process3 dnsIp4 58 198.23.213.30, 49721, 80 AS-COLOCROSSINGUS United States 11->58 52 C:\Users\user\AppData\Roaming\...\UFOXV.exe, PE32 11->52 dropped 88 Document exploit detected (creates forbidden files) 11->88 90 Document exploit detected (process start blacklist hit) 11->90 22 UFOXV.exe 3 11->22         started        92 Injects a PE file into a foreign processes 16->92 25 svchost.exe 16->25         started        27 svchost.exe 18->27         started        29 svchost.exe 20->29         started        file5 signatures6 process7 signatures8 76 Antivirus detection for dropped file 22->76 78 Multi AV Scanner detection for dropped file 22->78 80 Drops PE files to the user root directory 22->80 82 Drops PE files with benign system names 22->82 31 UFOXV.exe 1 4 22->31         started        process9 file10 54 C:\Users\user\svchost.exe, PE32 31->54 dropped 34 svchost.exe 3 31->34         started        process11 signatures12 68 Antivirus detection for dropped file 34->68 70 Multi AV Scanner detection for dropped file 34->70 72 Drops PE files to the startup folder 34->72 74 Injects a PE file into a foreign processes 34->74 37 svchost.exe 4 5 34->37         started        42 svchost.exe 34->42         started        44 svchost.exe 34->44         started        process13 dnsIp14 56 xvetcons085.linkpc.net 185.244.30.201, 49724, 49725, 49726 DAVID_CRAIGGG Netherlands 37->56 50 C:\...\ba96c317f576c7773f0a2d7d150f32d1.exe, PE32 37->50 dropped 84 System process connects to network (likely due to code injection or exploit) 37->84 86 Creates autostart registry keys with suspicious names 37->86 46 netsh.exe 3 37->46         started        file15 signatures16 process17 process18 48 conhost.exe 46->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/418328a5e258a80cb3b3f29c4f645d926e1ae88a1c5834153fa9c9e89324b34a/
Threat name:
Script-Macro.Downloader.Obfuser
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 05:23:06 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=igbsrjpclcuazm5t6koe6zc5sjxbv2ekdrmdifj7vhe6rezewnfa._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro
Link:
https://tria.ge/reports/200722-m71wz64v86/
Behaviour
Suspicious Office macro
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/418328a5e258a80cb3b3f29c4f645d926e1ae88a1c5834153fa9c9e89324b34a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

Word file doc 418328a5e258a80cb3b3f29c4f645d926e1ae88a1c5834153fa9c9e89324b34a

(this sample)

njrat

Executable exe 476d02f7c777bb08d97cf87c305e3cb4f41501c1b15ddd88e55f31bff0767b0a

  
URLhaus
https://urlhaus.abuse.ch/url/417668/
  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 476d02f7c777bb08d97cf87c305e3cb4f41501c1b15ddd88e55f31bff0767b0a
  
Dropping
MD5 c016c1bdb8995100702bd07d1108b886

Comments