MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e4450dd8d590694026bf3d81392b022dbdaa06d7a75a0bbfb85ac56df07a00c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e4450dd8d590694026bf3d81392b022dbdaa06d7a75a0bbfb85ac56df07a00c
SHA3-384 hash: f36e9f16300dfc7d55e7a9177cbf74527a5cec25a32777399d43f4ebcaf8eb8792d9b0d4bc5c002ec96b90850ead5f99
SHA1 hash: 386ab951f39a4619bb34bfcf8233ad82baf01a69
MD5 hash: ea0dfab18dee0477721480d4c349139d
humanhash: speaker-fruit-table-virginia
File name:#P0082.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:3'569 bytes
First seen:2021-08-31 16:36:42 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:2iMabBKIQYvcNzzzzzzzzzzzzzzzkt1zzzzzzzzzzzzzzzDQraKBAdOsQiL6dXJn:2HaQnqt2NBAdODgkJjWRZ2rb
Threatray 1'340 similar samples on MalwareBazaar
TLSH T152710428B5A8B462FDF608AC8758AEC35CFC002677DEC22317E3F65DD04C91B588D564
Reporter abuse_ch
Tags:NjRAT RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
692
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184262/
Result
Threat name:
AsyncRAT Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842818
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Sigma detected: CrackMapExec PowerShell Obfuscation
Sigma detected: Suspicious PowerShell Keywords
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AsyncRAT
Yara detected MSILLoadEncryptedAssembly
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e4450dd8d590694026bf3d81392b022dbdaa06d7a75a0bbfb85ac56df07a00c/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzcfbxmnledjiatl6pmbhevqeln5vidnpj22bo73qwwfnxyhuaga._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
Similar samples:
0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712
njrat
0b365ef77b8b8ed330a2e48b081a20d9eb5b275b276306e5b51615cf10821fe0
njrat
3bf5f251905471ab07782554a58cfa444e4693c4b1ecad16471c489924fd1fe3
njrat
766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e
njrat
9bd7726cd18307f64b1646ff93474899b48c8873b511f96dd5e0f9634236115b
njrat
b51c07d9a4e50ac499514d378320260821bd7486acd1077a6bddf8ab70c6a2b3
njrat
fb995db9b8431b4a1a4fc350913c363e86c79c44d4c3bd92b96f1a43de3d2189
njrat
+ 1'330 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:njrat botnet:hacked rat suricata trojan
Link:
https://tria.ge/reports/210831-ygxdcm8b9e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
Async RAT payload
AsyncRat
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
Malware Config
C2 Extraction:
jilldoggyy.duckdns.org:7840
jilldoggyy.duckdns.org:7829
jilldoggyy.duckdns.org:7841
103.147.185.192:7840
103.147.185.192:7829
103.147.185.192:7841
20.194.35.6:8023
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5e4450dd8d59/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e4450dd8d590694026bf3d81392b022dbdaa06d7a75a0bbfb85ac56df07a00c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

Visual Basic Script (vbs) vbs 5e4450dd8d590694026bf3d81392b022dbdaa06d7a75a0bbfb85ac56df07a00c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/184262/

Comments