MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cd989d1605001f657003ed53ceefc05c88dc119bd30a933199110e0129ccbb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5cd989d1605001f657003ed53ceefc05c88dc119bd30a933199110e0129ccbb1
SHA3-384 hash: 93b1a5fd503f5197b9c9d27004257ea481b40b9a9238b03dd07b11825455d87843c8ee3cbac874f6da51971e91881a90
SHA1 hash: 5cc44b5b1e15cadb5ec4b1c7677bc7bc48545af6
MD5 hash: c027425b162a24d56b7f4c55de36e992
humanhash: bravo-nebraska-mike-mirror
File name:Archivos_documentos_589632456.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:73'534 bytes
First seen:2024-03-13 14:42:25 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:application/octet-stream
ssdeep 384:STTTTTTTTTTDDTqGnjlezREmstIDp6uewzTTTTTTTTTTDDTT:O9mhZewT
TLSH T1A3735E13A3E44804F9FA5B5499B4A6A1DA3F7CA9197DDC5C05AD908C0BFF9408E90FB3
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter e24111111111111
Tags:NjRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
GR GR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/478934/
Detection(s):
SecuriteInfo.com.Script.SNH-gen.20751.2708.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
masquerade
Link:
https://www.filescan.io/uploads/65f1bb79869de776ad02bdc0/reports/6630cd58-521f-4c07-81c7-30484eb3b626/overview
Verdict:
Malicious
Labled as:
PowerShell/TrojanDownloader.Agent
Link:
https://www.hybrid-analysis.com/sample/5cd989d1605001f657003ed53ceefc05c88dc119bd30a933199110e0129ccbb1
Result
Verdict:
MALICIOUS
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1408371
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1408371 Sample: Archivos_documentos_589632456.vbs Startdate: 13/03/2024 Architecture: WINDOWS Score: 100 52 adminplusnj.duckdns.org 2->52 54 paste.ee 2->54 56 2 other IPs or domains 2->56 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Antivirus detection for URL or domain 2->70 76 18 other signatures 2->76 10 wscript.exe 1 2->10         started        13 powershell.exe 11 2->13         started        signatures3 72 Uses dynamic DNS services 52->72 74 Connects to a pastebin service (likely for C&C) 54->74 process4 signatures5 88 VBScript performs obfuscated calls to suspicious functions 10->88 90 Suspicious powershell command line found 10->90 92 Wscript starts Powershell (via cmd or directly) 10->92 96 2 other signatures 10->96 15 powershell.exe 7 10->15         started        94 Wscript called in batch mode (surpress errors) 13->94 18 wscript.exe 1 13->18         started        20 conhost.exe 1 13->20         started        process6 signatures7 98 Suspicious powershell command line found 15->98 100 Found suspicious powershell code related to unpacking or dynamic code loading 15->100 102 Wscript called in batch mode (surpress errors) 15->102 22 powershell.exe 14 17 15->22         started        27 conhost.exe 15->27         started        104 Wscript starts Powershell (via cmd or directly) 18->104 29 powershell.exe 7 18->29         started        process8 dnsIp9 58 textbin.net 148.72.177.212, 443, 49705, 49707 AS-30083-GO-DADDY-COM-LLCUS United States 22->58 60 pasteio.com 172.67.164.22, 443, 49708, 49722 CLOUDFLARENETUS United States 22->60 62 paste.ee 172.67.187.200, 443, 49709, 49723 CLOUDFLARENETUS United States 22->62 50 C:\Users\user\AppData\...\Documento.lnk, MS 22->50 dropped 82 Writes to foreign memory regions 22->82 84 Injects a PE file into a foreign processes 22->84 31 RegSvcs.exe 2 2 22->31         started        34 powershell.exe 13 22->34         started        86 Suspicious powershell command line found 29->86 37 powershell.exe 15 29->37         started        40 conhost.exe 29->40         started        file10 signatures11 process12 dnsIp13 64 adminplusnj.duckdns.org 186.169.69.60, 49710, 49712, 49724 COLOMBIATELECOMUNICACIONESSAESPCO Colombia 31->64 48 C:\...\Archivos_documentos_589632456.vbs, data 34->48 dropped 78 Writes to foreign memory regions 37->78 80 Injects a PE file into a foreign processes 37->80 42 powershell.exe 11 37->42         started        44 RegSvcs.exe 37->44         started        46 RegSvcs.exe 37->46         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5cd989d1605001f657003ed53ceefc05c88dc119bd30a933199110e0129ccbb1/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-03-13 14:43:04 UTC
File Type:
Text (VBS)
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ltmytulakaa7mvyah3ktz3x4axei3qizxuyksmyzseioaeu4zoyq._file
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat trojan
Link:
https://tria.ge/reports/240313-r6z91sff4y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Blocklisted process makes network request
njRAT/Bladabindi
Malware Config
C2 Extraction:
adminplusnj.duckdns.org:5552
Dropper Extraction:
https://textbin.net/raw/ezjmofz3s6
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5cd989d1605001f657003ed53ceefc05c88dc119bd30a933199110e0129ccbb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Visual Basic Script (vbs) vbs 5cd989d1605001f657003ed53ceefc05c88dc119bd30a933199110e0129ccbb1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2782241/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2782240/
Cape
Cape
https://www.capesandbox.com/analysis/478934/

Comments