MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e
SHA3-384 hash:	952ce7c7a75ecf6324699d6936f0f518c184b5cb9c2893ec238dca8798b2acdb650d30ef85cbc23be2001049e5ce730b
SHA1 hash:	e7b0029f57d414c59fac378cd8d96277195b0bc3
MD5 hash:	8414a4e55d98be8c6db2a6402dc5dcf7
humanhash:	item-equal-blossom-eleven
File name:	Pending_invoice#YT.vbs
Download:	download sample
Signature	njrat Create hunting rule
File size:	1'604 bytes
First seen:	2021-08-17 14:11:20 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	24:rEEPdqnWahNogJPpUI0I2rWGItUIZOIIIPITI3uFIJwIEIfILdgcjacdgcquU2bD:3+Fx2Ahn1wE+FIzhg3Nz
Threatray	1'284 similar samples on MalwareBazaar
TLSH	T181317E04703319D3EA06D52231A731DDBD312708AABB8B71145EDA52AA409BF5C5CAB7
Reporter	abuse_ch
Tags:	NjRAT RAT vbs

Intelligence

File Origin

# of uploads :

1

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/180093/

Detection(s):

SecuriteInfo.com.VB.Trojan.Valyria.5174.31896.29900.UNOFFICIAL

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

68 / 100

Link:

https://www.joesandbox.com/analysis/834432

Signature

Creates an undocumented autostart registry key

Multi AV Scanner detection for submitted file

Sigma detected: CrackMapExec PowerShell Obfuscation

VBScript performs obfuscated calls to suspicious functions

Wscript starts Powershell (via cmd or directly)

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e/

Threat name:

Script.Trojan.Valyria

Status:

Malicious

First seen:

2021-08-17 14:12:09 UTC

File Type:

Text (VBS)

AV detection:

6 of 46 (13.04%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ozwy5hjnbxqkboreicuepz7lpwr6nhkrgmpbljq6yhjf2pms7q7a._file

Verdict:

malicious

Label(s):

asyncrat

Similar samples:

0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712

0b365ef77b8b8ed330a2e48b081a20d9eb5b275b276306e5b51615cf10821fe0

3bf5f251905471ab07782554a58cfa444e4693c4b1ecad16471c489924fd1fe3

89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f

9bd7726cd18307f64b1646ff93474899b48c8873b511f96dd5e0f9634236115b

baccae266c8f6949ef7959d266763ec5e61c6a13a748ddedf77acae4f4174b31

d1b19d456e97bede86d5bbe8c09b027b00c330e568c0474abb3e60ad154bc62d

ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32

+ 1'274 additional samples on MalwareBazaar

Result

Malware family:

asyncrat

Score:

10/10

Tags:

family:asyncrat rat suricata

Link:

https://tria.ge/reports/210817-mn7vd6kwzs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Blocklisted process makes network request

Async RAT payload

AsyncRat

suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)

suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Malware Config

C2 Extraction:

103.147.184.73:7920

Dropper Extraction:

https://transfer.sh/1fxtG6x/bypassbook.txt

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/766d8e9d2d0d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

vbs 766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/180093/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample