MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 620428519e13cbb1c4b3d71c1bce411bf3054e0501358f6b27cc92268d2f420b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	620428519e13cbb1c4b3d71c1bce411bf3054e0501358f6b27cc92268d2f420b
SHA3-384 hash:	bea398d72f9ec8fd80880567efcecd2bf4ca23ab44835f9669e991f08a4c3bda9dd135ef5cba7594b82920c290d12cb3
SHA1 hash:	aababfac374f119ff5d7a1e27ca571bd34d48b50
MD5 hash:	b10bd7b489f04d375eb1ecd36dc843c5
humanhash:	uranus-diet-july-purple
File name:	W8398673_Payment_Invoice.vbs
Download:	download sample
Signature	njrat Create hunting rule
File size:	1'596 bytes
First seen:	2021-08-15 07:38:53 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24:rEEPdqnWahNHJPpUI0I2rWGItUIZOIIIPITI3uFIJwIEIfILdgcjacdgcquU2b7v:3+/x2Ahn1wE+FIzhg3Nz
Threatray	3'761 similar samples on MalwareBazaar
TLSH	T1A4317E04703319D3EA06D42231A731DDBD312708AABB8B71145EEA42AA409BF5C5CAB7
Reporter	abuse_ch
Tags:	NjRAT RAT vbs

Intelligence

File Origin

# of uploads :

1

# of downloads :

300

Origin country :

n/a

Vendor Threat Intelligence

Detection:

NanoCore

Link:

https://www.capesandbox.com/analysis/179319/

Detection(s):

SecuriteInfo.com.VB.Trojan.Valyria.5174.30601.18260.UNOFFICIAL

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/833134

Signature

Creates an undocumented autostart registry key

Multi AV Scanner detection for submitted file

Sigma detected: CrackMapExec PowerShell Obfuscation

VBScript performs obfuscated calls to suspicious functions

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/620428519e13cbb1c4b3d71c1bce411bf3054e0501358f6b27cc92268d2f420b/

Threat name:

Script-WScript.Trojan.Valyria

Status:

Malicious

First seen:

2021-08-15 07:39:05 UTC

AV detection:

6 of 46 (13.04%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=miccqum6cpf3drft24obxtsbdpzqktqfae2y62zhzsjcndjpiifq._file

Verdict:

malicious

Label(s):

avemaria

nanocorerat

Similar samples:

116aa7bc57d59020e469c51acb832bfb44fa109a65155e9749506168860f6e06

7f1cd16cd2d2e5644752a3e0fd411c3902bad47051779d5bd539e9650f53787c

8065cd13f47664398c8c02165ca41f9c7f8f823e018f2773e947d63c8ba4bc2b

89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f

a0710f6483cebd22f615c3435ee70a971d490f15c9529c3f2450e3cb73d35a16

d1b19d456e97bede86d5bbe8c09b027b00c330e568c0474abb3e60ad154bc62d

ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32

+ 3'751 additional samples on MalwareBazaar

Result

Malware family:

warzonerat

Score:

10/10

Tags:

family:nanocore family:warzonerat infostealer keylogger persistence rat spyware stealer suricata trojan

Link:

https://tria.ge/reports/210815-93j5tfnl56/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Blocklisted process makes network request

Warzone RAT Payload

NanoCore

WarzoneRat, AveMaria

suricata: ET MALWARE DTLoader Binary Request M2

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

suricata: ET MALWARE Possible NanoCore C2 60B

Malware Config

C2 Extraction:

waromo6700.duckdns.org:6700
augcavite.duckdns.org:3500

Dropper Extraction:

https://transfer.sh/TBK/bypass.txt

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/620428519e13/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/620428519e13cbb1c4b3d71c1bce411bf3054e0501358f6b27cc92268d2f420b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

vbs 620428519e13cbb1c4b3d71c1bce411bf3054e0501358f6b27cc92268d2f420b

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/179319/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample