MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0ab3ba06ede4ced5c9ea2a9d87c49063249d1480c72b56ba4371b69b92c6fee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 7

Intelligence 7 IOCs 1 YARA 1 File information Comments

SHA256 hash:	a0ab3ba06ede4ced5c9ea2a9d87c49063249d1480c72b56ba4371b69b92c6fee
SHA3-384 hash:	cf2028c560211ae821e60e34ed255d2bcfff352789167bb8d69cdc862a520f3af25014584ac68bfa617f45486986cf2d
SHA1 hash:	714b32a5115ca560e59436d53404c6761ac599e9
MD5 hash:	72d788c844ca40bec84baf77ebcd531c
humanhash:	maine-carpet-fanta-william
File name:	W00903InvoicePayment.vbs
Download:	download sample
Signature	njrat Create hunting rule
File size:	949 bytes
First seen:	2021-08-20 16:26:45 UTC
Last seen:	Never
File type:	vbs
MIME type:	text/plain
ssdeep	12:uhutV6Q7zMBNAkiuNounuAbZbGJA8kcXO2qvELJ7g3NnLd+KPj2T+TOM:uOVzSNpiIpGScXO2qvEcNngKG+TOM
Threatray	95 similar samples on MalwareBazaar
TLSH	T12C11C0394DA58EAA0345D0B100C78DCCDF20C7573798FE3A2834B4595D9CE395E8DA0B
Reporter	abuse_ch
Tags:	NjRAT RAT vbs

abuse_ch

njrat C2:
20.194.35.6:8023

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
20.194.35.6:8023	https://threatfox.abuse.ch/ioc/192490/

Intelligence

File Origin

# of uploads :

# of downloads :

204

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/181004/

Detection(s):

SecuriteInfo.com.VB.Trojan.Valyria.5194.7693.8941.UNOFFICIAL

Result

Verdict:

MALICIOUS

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/836556

Signature

Creates an undocumented autostart registry key

Obfuscated command line found

Sigma detected: Suspicious PowerShell Command Line

VBScript performs obfuscated calls to suspicious functions

Wscript starts Powershell (via cmd or directly)

Yara detected Powershell download and execute

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a0ab3ba06ede4ced5c9ea2a9d87c49063249d1480c72b56ba4371b69b92c6fee/

Threat name:

Script.Trojan.Valyria

Status:

Malicious

First seen:

2021-08-20 16:27:12 UTC

AV detection:

8 of 46 (17.39%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ucvtxido3zgo2xe6uku5q7cjayzetukibrzlk25eg4nwtojmn7xa._file

Verdict:

suspicious

njrat

766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e

njrat

7f1cd16cd2d2e5644752a3e0fd411c3902bad47051779d5bd539e9650f53787c

njrat

88614f9e923a5d979c64bee190f05f0932bc01f351ded417c59e1b2a92be560b

njrat

89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f

njrat

ce30c428376eac3095f203ebe88f94a38737dc82f2ad018b2ae6c8569b389c5a

njrat

d1b19d456e97bede86d5bbe8c09b027b00c330e568c0474abb3e60ad154bc62d

njrat

f44394f10dd10600a8f25093e76fac442c594ea85debf6bfea0933766529f747

njrat

ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32

njrat

+ 85 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat botnet:hacked trojan

Link:

https://tria.ge/reports/210820-7zrzqegvzs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

Suspicious use of SetThreadContext

Blocklisted process makes network request

njRAT/Bladabindi

Malware Config

C2 Extraction:

christophermiehl775.duckdns.org:8023

Dropper Extraction:

http://transfer.sh/1nV4RCt/bypass.txt

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a0ab3ba06ede4ced5c9ea2a9d87c49063249d1480c72b56ba4371b69b92c6fee

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PowerShell_Case_Anomaly Create hunting rule
Author:	Florian Roth
Description:	Detects obfuscated PowerShell hacktools
Reference:	https://twitter.com/danielhbohannon/status/905096106924761088

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/181004/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample