MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a996ff95783d0e2bc97c3e95539de831788725c7b97514ff88041f041c6172c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a996ff95783d0e2bc97c3e95539de831788725c7b97514ff88041f041c6172c9
SHA3-384 hash: c1f16caeb440ab6119bc4713d00d4f63d7ae761d99be834bb51cef0e4fcb36e46357b1a6d27945062564158a383a096d
SHA1 hash: 1cb46725c52f87119146b6e12092779827e42c29
MD5 hash: 78f682ff5ec94db41c3dcfc558a7027d
humanhash: double-arkansas-edward-fruit
File name:Quotation.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:7'753 bytes
First seen:2021-09-21 19:18:18 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 96:P7NTJhS9INIKMVGQRX8+HLz9spiINIVIWjnCQRX8Lnaa:P7NT2INIRRX8+Hm4INIVI8xRXAx
Threatray 612 similar samples on MalwareBazaar
TLSH T1A5F12F3CE60376DD741D5E2D09CB77295A10C0B5C953E6F9C740FAAC69EEB40AB51238
Reporter abuse_ch
Tags:NjRAT RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
501
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189966/
Detection(s):
SecuriteInfo.com.ISB.Downloadergen48.7338.31181.UNOFFICIAL
Create hunting rule

Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/855152
Signature
Creates an undocumented autostart registry key
Multi AV Scanner detection for domain / URL
Sigma detected: CrackMapExec PowerShell Obfuscation
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a996ff95783d0e2bc97c3e95539de831788725c7b97514ff88041f041c6172c9/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vglp7flyhuhcxsl4h2kvhhpigf4iojohxf2rj74iaqpqihdboleq._file
Verdict:
malicious
Similar samples:
0741c36ad10f51f858eefc2e2f0879c9ef1ae90af61d766bd50ebcc67f4d5579
njrat
0b365ef77b8b8ed330a2e48b081a20d9eb5b275b276306e5b51615cf10821fe0
njrat
51e6527daa5a10028c434c7ceaed1570ddd95e1de0eafa702f77860cec3d0b7c
njrat
766d8e9d2d0de0a0ba2440a847e7eb7da3e69d51331e15a61ec1d25d3d92fc3e
njrat
a0ab3ba06ede4ced5c9ea2a9d87c49063249d1480c72b56ba4371b69b92c6fee
njrat
b4a79b7fac8b571454b8d2373623a9fa825c1bc2ef6d1370b831782237d24984
njrat
b610d1ae855f79028cabdbd3c1160bc330ef68a7f30ab5544d00b09af341cc68
njrat
d1b19d456e97bede86d5bbe8c09b027b00c330e568c0474abb3e60ad154bc62d
njrat
f44394f10dd10600a8f25093e76fac442c594ea85debf6bfea0933766529f747
njrat
ffec1862f56857ad722abbcb98be7af86f2cf0763371bcb40273f0d884157c32
njrat
+ 602 additional samples on MalwareBazaar
Result
Malware family:
bitrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat trojan upx
Link:
https://tria.ge/reports/210921-x1hexaada9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Blocklisted process makes network request
UPX packed file
BitRAT
BitRAT Payload
Malware Config
Dropper Extraction:
http://13.112.210.240/bypass.txt
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a996ff95783d0e2bc97c3e95539de831788725c7b97514ff88041f041c6172c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:CN_disclosed_20180208_c_RID2E71
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_LightDefender_Njrat_Rule
Create hunting rule
Author:Skystars LightDefender
Description:Detects Njrat
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_njrat_w1
Create hunting rule
Author:Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189966/

Comments