MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61a8385def4eb1be1e85b3f1bdb3b98721af8f522c675c89f18a24707ad5905a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61a8385def4eb1be1e85b3f1bdb3b98721af8f522c675c89f18a24707ad5905a
SHA3-384 hash: f16dfff78c523f0409b6f3a74130587f93e129512c0bb84eae6446baa2bfaa23f16fc7b26a7c012ca63206381928a1b3
SHA1 hash: b3c3d3a794adad9447ae12d7122f7bb2b67f3a50
MD5 hash: 9180372d6bceb05b046f15cf65ec734e
humanhash: alanine-utah-sodium-florida
File name:Invoice#4110.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:728 bytes
First seen:2021-08-23 17:48:52 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 12:0ChGFWNZ8XNoxAbOJk82cG2bwELPdg3Nfd+aaiTC:HgFWNZ8XQXG2UE7kNEuC
Threatray 100 similar samples on MalwareBazaar
TLSH T1BC012B0B4D29CDDB0149F18242C38DEDC6604A674F806E7A2478754B6DAD22F6DCCD47
Reporter abuse_ch
Tags:NjRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
567
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/181573/
Detection(s):
SecuriteInfo.com.ISB.Downloadergen76.15898.14124.UNOFFICIAL
Create hunting rule

Result
Verdict:
SUSPICIOUS
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/837728
Signature
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: Suspicious PowerShell Command Line
Sigma detected: Suspicious PowerShell Keywords
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected MSILLoadEncryptedAssembly
Yara detected Njrat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61a8385def4eb1be1e85b3f1bdb3b98721af8f522c675c89f18a24707ad5905a/
Threat name:
Script.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-08-23 17:49:08 UTC
AV detection:
4 of 46 (8.70%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mgudqxppj2y34hufwpy33m5zq4q27d2sfrtvzcprrisha6wvsbna._file
Verdict:
suspicious
Similar samples:
0b365ef77b8b8ed330a2e48b081a20d9eb5b275b276306e5b51615cf10821fe0
njrat
416f3b7993ceaa6819402c66c9b2de0a4de163cd9765dd8dffe81cdbab538c48
njrat
66af5edcb0b90924a25f4cf764ae81eb754b58da9bde404761f48eafd1ead410
njrat
7f1cd16cd2d2e5644752a3e0fd411c3902bad47051779d5bd539e9650f53787c
njrat
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
njrat
8c9d614da4ea17f4261a105adbe73992c0df1f5639310f78db244fdf3fe338fe
njrat
ce30c428376eac3095f203ebe88f94a38737dc82f2ad018b2ae6c8569b389c5a
njrat
d9d27f03e2f8bc97451296da9a7ddeac39ede3240306fa198bf898434b58c53c
njrat
df047189f75d998dc499072881c762fd001360f5cf184b801cb8c232b5c567f6
njrat
f44394f10dd10600a8f25093e76fac442c594ea85debf6bfea0933766529f747
njrat
+ 90 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:boss suricata trojan
Link:
https://tria.ge/reports/210823-x1vpxgdzjj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
103.147.184.73:7103
Dropper Extraction:
https://transfer.sh/JE1c/bypass.txt
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/61a8385def4e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61a8385def4eb1be1e85b3f1bdb3b98721af8f522c675c89f18a24707ad5905a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PowerShell_Case_Anomaly
Create hunting rule
Author:Florian Roth
Description:Detects obfuscated PowerShell hacktools
Reference:https://twitter.com/danielhbohannon/status/905096106924761088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

Visual Basic Script (vbs) vbs 61a8385def4eb1be1e85b3f1bdb3b98721af8f522c675c89f18a24707ad5905a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/181573/

Comments