MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72
SHA3-384 hash: ebefc46b2cccd802596e6eaaaa07cdbc4e24ebd73318683b5d52e5d18e7e5220b8d280c33fa4d6dedcfe64c45442e606
SHA1 hash: 35f62e6cc17c8bc982db07c556216d98fd600c02
MD5 hash: 76d64bdec97716fc5db19bf4d9fd3255
humanhash: quebec-yankee-delta-speaker
File name:N2K18_Payment_Copy.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:2'283 bytes
First seen:2021-11-18 19:17:08 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:JVkNGJYuIoviVLF5FFOY9NFMffNx0WVPvyJCCKaV7A9F0ZTFkFo9bFQZpFOyoQeM:bXgHpUfXbVPaEqnIoTS
Threatray 3'296 similar samples on MalwareBazaar
TLSH T17E417B38FD1BBB824831F57661A78CD5CEEC1017DB443C3C21124C7849918BD6A9C0BB
Reporter abuse_ch
Tags:NjRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
227
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.ISB.Downloadergen81.29593.26257.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/6196a6ed4912a8c920a2e38a/reports/e7073933-1ad2-4b9e-bea0-c86d5633fd21/overview
Result
Verdict:
SUSPICIOUS
Result
Threat name:
Nanocore Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892242
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: NanoCore
Sigma detected: Suspicious PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Nanocore RAT
Yara detected Njrat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 524716 Sample: N2K18_Payment_Copy.vbs Startdate: 18/11/2021 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Found malware configuration 2->72 74 13 other signatures 2->74 10 wscript.exe 2 2->10         started        14 jsc.exe 2->14         started        16 jsc.exe 2->16         started        18 jsc.exe 2->18         started        process3 file4 58 C:\Users\Public\Downloads\HBar.ps1, ASCII 10->58 dropped 88 VBScript performs obfuscated calls to suspicious functions 10->88 90 Wscript starts Powershell (via cmd or directly) 10->90 92 Obfuscated command line found 10->92 20 powershell.exe 18 10->20         started        23 conhost.exe 14->23         started        25 conhost.exe 16->25         started        27 conhost.exe 18->27         started        signatures5 process6 signatures7 76 Bypasses PowerShell execution policy 20->76 29 powershell.exe 14 16 20->29         started        33 conhost.exe 20->33         started        process8 dnsIp9 66 transfer.sh 144.76.136.153, 443, 49759, 49762 HETZNER-ASDE Germany 29->66 94 Creates an undocumented autostart registry key 29->94 96 Writes to foreign memory regions 29->96 98 Injects a PE file into a foreign processes 29->98 35 jsc.exe 29->35         started        40 jsc.exe 29->40         started        42 jsc.exe 29->42         started        signatures10 process11 dnsIp12 60 jamcav.duckdns.org 185.140.53.3, 49776, 49777, 49788 DAVID_CRAIGGG Sweden 35->60 62 192.168.2.1 unknown unknown 35->62 52 C:\Users\user\AppData\Roaming\...\run.dat, data 35->52 dropped 78 Uses netsh to modify the Windows network and firewall settings 35->78 80 Modifies the windows firewall 35->80 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 35->82 64 legend4000.duckdns.org 52.170.223.88, 4000, 49841 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 40->64 54 C:\ProgramData\XXX\Microsoft.Exe, PE32 40->54 dropped 84 Protects its processes via BreakOnTermination flag 40->84 86 Creates an autostart registry key pointing to binary in C:\Windows 40->86 44 netsh.exe 40->44         started        56 C:\Users\user\...behaviorgraphoogleCrashHandler.exe, PE32 42->56 dropped 46 GoogleCrashHandler.exe 42->46         started        file13 signatures14 process15 process16 48 conhost.exe 44->48         started        50 conhost.exe 46->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 19:18:06 UTC
AV detection:
3 of 44 (6.82%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwgbkruqolw6r2aoxboh6pxujosto6eddqunvnngkyvam4vrxrza._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
njrat
Create hunting rule
Similar samples:
07f511ce3b6a8fb409c1a05ea3e01a6d92422674224109c8d0889a017122098c
njrat
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
njrat
3d8811d64e17d5ea06d0edae6163b90b2400d06d9afa60ae689d6fe9232bca86
njrat
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
njrat
5a8b4dc95322eed89a2c77350395f8c1f79394369bebec84703ae285092a37f5
njrat
6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985
njrat
7ceb354c4f419b3daed055ae62d5b1aaf58a7b715f8e9de08e5379e7e70ebeb6
njrat
816d9c966736b02b56d23629f8968fdb4f910fd575c4c07b524bd51948c5d4ed
njrat
9f96527c9f839559485e89c5c5ff8f95708035fd55c9fac0c2edf3764224d860
njrat
c793569980c9bf4b3d296903da942e9a11f4c6e2fb0023517a037fc3d56c1b36
njrat
+ 3'286 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:nanocore family:njrat botnet:hacked evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211118-xzyqhaacf5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
Executes dropped EXE
Modifies Windows Firewall
NanoCore
njRAT/Bladabindi
Malware Config
C2 Extraction:
jamcav.duckdns.org:6746
Malware family:
Winnti Group
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8d8c15469072/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

Visual Basic Script (vbs) vbs 8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/207365/

Comments