MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 816d9c966736b02b56d23629f8968fdb4f910fd575c4c07b524bd51948c5d4ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 816d9c966736b02b56d23629f8968fdb4f910fd575c4c07b524bd51948c5d4ed
SHA3-384 hash: e7b8cf8e6855e82fa77134c76f58abe775918988d7b32c03e633a14fbd2f6872ed9102415bd39764e1d6819e967a9583
SHA1 hash: 5a37a0a1d44f7fd4323234d1a6c8264da4a64ee4
MD5 hash: 13f187df5383e456f90b6c337d9fc0e7
humanhash: connecticut-october-autumn-idaho
File name:U2M19O_Payment_Copy.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:2'284 bytes
First seen:2021-11-18 19:17:12 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:JVkNGJYuIoviVLF5FFOY9NFMffNscNVPvyJCCKaV7A9F0ZTFkFo9bFQZpFOyoQeM:bXgHpUfucNVPaEqnIoTS
Threatray 3'296 similar samples on MalwareBazaar
TLSH T165417B38FD1BBB824831F57661A78DD5CEEC1017DB443C3C21124C7849918BD6AAC0BB
Reporter abuse_ch
Tags:NjRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.ISB.Downloadergen81.26391.19526.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/6196a6ee43e8f62b66992c5b/reports/d60287a1-42c3-437a-8ac2-ae228abc757f/overview
Result
Verdict:
SUSPICIOUS
Result
Threat name:
Nanocore Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892222
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: NanoCore
Sigma detected: Suspicious PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Nanocore RAT
Yara detected Njrat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 524708 Sample: U2M19O_Payment_Copy.vbs Startdate: 18/11/2021 Architecture: WINDOWS Score: 100 63 jamcav.duckdns.org 2->63 71 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->71 73 Found malware configuration 2->73 75 Malicious sample detected (through community Yara rule) 2->75 77 12 other signatures 2->77 11 wscript.exe 2 2->11         started        15 jsc.exe 2->15         started        17 jsc.exe 2->17         started        19 jsc.exe 2->19         started        signatures3 process4 file5 61 C:\Users\Public\Downloads\HBar.ps1, ASCII 11->61 dropped 91 VBScript performs obfuscated calls to suspicious functions 11->91 93 Wscript starts Powershell (via cmd or directly) 11->93 95 Obfuscated command line found 11->95 21 powershell.exe 16 11->21         started        24 conhost.exe 15->24         started        26 conhost.exe 17->26         started        28 conhost.exe 19->28         started        signatures6 process7 signatures8 79 Bypasses PowerShell execution policy 21->79 30 powershell.exe 14 18 21->30         started        34 conhost.exe 21->34         started        process9 dnsIp10 69 transfer.sh 144.76.136.153, 443, 49753, 49759 HETZNER-ASDE Germany 30->69 97 Creates an undocumented autostart registry key 30->97 99 Writes to foreign memory regions 30->99 101 Injects a PE file into a foreign processes 30->101 36 jsc.exe 30->36         started        41 jsc.exe 30->41         started        43 jsc.exe 30->43         started        45 jsc.exe 30->45         started        signatures11 process12 dnsIp13 65 legend4000.duckdns.org 52.170.223.88, 4000, 49853 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->65 55 C:\ProgramData\XXX\Microsoft.Exe, PE32 36->55 dropped 81 Protects its processes via BreakOnTermination flag 36->81 83 Creates an autostart registry key pointing to binary in C:\Windows 36->83 47 netsh.exe 36->47         started        67 jamcav.duckdns.org 185.140.53.3, 49816, 49821, 49822 DAVID_CRAIGGG Sweden 41->67 57 C:\Users\user\AppData\Roaming\...\run.dat, International 41->57 dropped 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 41->85 87 Uses netsh to modify the Windows network and firewall settings 43->87 89 Modifies the windows firewall 43->89 59 C:\Users\user\...behaviorgraphoogleCrashHandler.exe, PE32 45->59 dropped 49 GoogleCrashHandler.exe 45->49         started        file14 signatures15 process16 process17 51 conhost.exe 47->51         started        53 conhost.exe 49->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/816d9c966736b02b56d23629f8968fdb4f910fd575c4c07b524bd51948c5d4ed/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 19:18:07 UTC
AV detection:
3 of 44 (6.82%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qfwzzfthg2ycwvwsgyu7rfup3nhzcd6voxcma62sjpkrssgf2twq._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
njrat
Create hunting rule
Similar samples:
07f511ce3b6a8fb409c1a05ea3e01a6d92422674224109c8d0889a017122098c
njrat
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
njrat
3d8811d64e17d5ea06d0edae6163b90b2400d06d9afa60ae689d6fe9232bca86
njrat
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
njrat
5a8b4dc95322eed89a2c77350395f8c1f79394369bebec84703ae285092a37f5
njrat
6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985
njrat
7ceb354c4f419b3daed055ae62d5b1aaf58a7b715f8e9de08e5379e7e70ebeb6
njrat
8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72
njrat
9f96527c9f839559485e89c5c5ff8f95708035fd55c9fac0c2edf3764224d860
njrat
c793569980c9bf4b3d296903da942e9a11f4c6e2fb0023517a037fc3d56c1b36
njrat
+ 3'286 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:nanocore family:njrat botnet:hacked evasion keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/211118-xzyqhafccq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
Executes dropped EXE
Modifies Windows Firewall
NanoCore
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Possible NanoCore C2 60B
Malware Config
C2 Extraction:
jamcav.duckdns.org:6746
Malware family:
Winnti Group
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/816d9c966736/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/816d9c966736b02b56d23629f8968fdb4f910fd575c4c07b524bd51948c5d4ed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207366/

Comments