MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b83cbd6a35bbf62bc865b1037db4f3a3b6a35d5be7f99f1db620cc8b7ca1437. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b83cbd6a35bbf62bc865b1037db4f3a3b6a35d5be7f99f1db620cc8b7ca1437
SHA3-384 hash: 73109b4653106a94005182bc207225e5d82ceb2cdaa1b678e95e27dd99baf0c62750c8b67de81b136c8907220ad83e41
SHA1 hash: a7180061ccbf2add84fe873f15d09f9511740338
MD5 hash: 984ff6ee5d1b7a975d9f95937101dfbc
humanhash: december-uranus-blue-cat
File name:RFQ-474552121.PDF.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:1'614'396 bytes
First seen:2021-10-16 14:20:51 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:k191X1Y1O1r1R181MP1D1F1610kLT1WPfYFuTyWfuZd:WZujZd
Threatray 156 similar samples on MalwareBazaar
TLSH T1C2758F10EB1DF7CE899295B0256A483EAA534F0B7698CF4934ACC914EF1D72C4DF9523
Reporter abuse_ch
Tags:NjRAT RAT vbs

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
172.111.219.40:2020 https://threatfox.abuse.ch/ioc/234881/

Intelligence

File Origin
# of uploads :
1
# of downloads :
637
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197883/
Detection(s):
SecuriteInfo.com.PSH.Agent.CK.7326.25150.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/616adfd2db358dd15ebd328f/reports/9a7b04a1-06e8-45b5-b986-0ef442a64ea5/overview
Result
Verdict:
UNKNOWN
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/871615
Signature
.NET source code contains potential unpacker
Bypasses PowerShell execution policy
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: WScript or CScript Dropper
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Njrat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 504040 Sample: RFQ-474552121.PDF.vbs Startdate: 16/10/2021 Architecture: WINDOWS Score: 100 105 Malicious sample detected (through community Yara rule) 2->105 107 Yara detected Powershell download and execute 2->107 109 Yara detected Njrat 2->109 111 6 other signatures 2->111 12 wscript.exe 1 2->12         started        process3 signatures4 123 VBScript performs obfuscated calls to suspicious functions 12->123 125 Wscript starts Powershell (via cmd or directly) 12->125 15 powershell.exe 17 28 12->15         started        process5 dnsIp6 95 162.159.130.233, 443, 49826 CLOUDFLARENETUS United States 15->95 97 cdn.discordapp.com 162.159.133.233, 443, 49749 CLOUDFLARENETUS United States 15->97 77 C:\Users\Public\test.ps1, ASCII 15->77 dropped 79 C:\Users\Public\run.ps1, ASCII 15->79 dropped 81 C:\Users\Public\alosh.ps1, ASCII 15->81 dropped 83 3 other malicious files 15->83 dropped 101 Creates an undocumented autostart registry key 15->101 103 Uses schtasks.exe or at.exe to add and modify task schedules 15->103 20 wscript.exe 15->20         started        23 wscript.exe 15->23         started        25 wscript.exe 15->25         started        27 3 other processes 15->27 file7 signatures8 process9 signatures10 113 Wscript starts Powershell (via cmd or directly) 20->113 29 cmd.exe 20->29         started        32 powershell.exe 23->32         started        34 cmd.exe 25->34         started        process11 signatures12 127 Obfuscated command line found 29->127 36 mshta.exe 29->36         started        40 conhost.exe 29->40         started        42 wscript.exe 32->42         started        44 conhost.exe 32->44         started        46 conhost.exe 32->46         started        48 InstallUtil.exe 32->48         started        50 mshta.exe 34->50         started        52 conhost.exe 34->52         started        process13 dnsIp14 93 192.168.2.1 unknown unknown 36->93 115 Bypasses PowerShell execution policy 36->115 54 powershell.exe 36->54         started        117 Wscript starts Powershell (via cmd or directly) 42->117 57 powershell.exe 42->57         started        59 powershell.exe 42->59         started        61 powershell.exe 50->61         started        signatures15 process16 signatures17 119 Writes to foreign memory regions 54->119 121 Injects a PE file into a foreign processes 54->121 63 InstallUtil.exe 54->63         started        66 conhost.exe 54->66         started        68 Dism.exe 57->68         started        71 conhost.exe 57->71         started        73 conhost.exe 59->73         started        process18 dnsIp19 99 new.libya2020.com.ly 172.111.219.40, 2020 M247GB United States 63->99 85 C:\Users\user\AppData\...\WimProvider.dll.mui, PE32 68->85 dropped 87 C:\Users\user\AppData\...\VhdProvider.dll.mui, PE32 68->87 dropped 89 C:\Users\user\...\UnattendProvider.dll.mui, PE32 68->89 dropped 91 49 other files (none is malicious) 68->91 dropped 75 DismHost.exe 68->75         started        file20 process21
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b83cbd6a35bbf62bc865b1037db4f3a3b6a35d5be7f99f1db620cc8b7ca1437/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-10-16 14:21:07 UTC
AV detection:
4 of 45 (8.89%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rob4xvvdlo7wfpeglmidpw2phi5wunovxz7zt4o3migmrn6kcq3q._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
0b365ef77b8b8ed330a2e48b081a20d9eb5b275b276306e5b51615cf10821fe0
njrat
3a257336a2fd2160305094d425c7426dc07b5aa311eb7e31d5ac5d71d2cf8d4e
njrat
7202ac55d7b97627bbe84ca2f7517b3af368c788c2a42af24bec1f2464a8aea6
njrat
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
njrat
c1545dbc06eb4bd3681801efd6a9c6a14f1312f1cf528f23d5b2a576fa148191
njrat
c3ecb60634ee3e18fb05e1ebb99ceeb681719627c85eb5a5aa662242adb0b67f
njrat
d424a08c1e1eac484c029a6ef4008bf991aebf26a86aa02fecd18ad60bb24a0f
njrat
d9d27f03e2f8bc97451296da9a7ddeac39ede3240306fa198bf898434b58c53c
njrat
df047189f75d998dc499072881c762fd001360f5cf184b801cb8c232b5c567f6
njrat
ee3e682e4fa43cda0810b952e2df8b07c4fd952fe49c22c8dc4fbee1247f0b6b
njrat
+ 146 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:+++++55555++++ trojan
Link:
https://tria.ge/reports/211016-rnz7ascaf6/
Behaviour
Kills process with taskkill
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Suspicious use of SetThreadContext
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
njRAT/Bladabindi
Malware Config
C2 Extraction:
new.libya2020.com.ly:2020
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8b83cbd6a35b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b83cbd6a35bbf62bc865b1037db4f3a3b6a35d5be7f99f1db620cc8b7ca1437

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/197883/

Comments