MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ace3a764ec8da4bfed78cbbf5d6facb8612178967feb186ef1f6a32f4cf85fce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 4

Intelligence 4 IOCs YARA 4 File information Comments

SHA256 hash:	ace3a764ec8da4bfed78cbbf5d6facb8612178967feb186ef1f6a32f4cf85fce
SHA3-384 hash:	8eaaff9d51a11c7246ec42accc8f050625f30cc63b8d15c028c4d05b8764abd4bf871fd95fd27bd0f248500bce975e40
SHA1 hash:	b43054fdad6f340963086f025c423b4d802a150b
MD5 hash:	1b8ea7e30bf66c89d5260ee521560dfd
humanhash:	winner-sink-four-pennsylvania
File name:	IBCITITMMXXX103CHRE00702H000001.xlsm
Download:	download sample
Signature	njrat Create hunting rule
File size:	142'747 bytes
First seen:	2020-07-05 16:05:33 UTC
Last seen:	2020-07-05 16:44:17 UTC
File type:	xlsm
MIME type:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
ssdeep	3072:Vus75/5BOG4kgGkmlWADTvu4+P697QV/P3v/Oh06aASJ:Vusl/qGNJkmMGu697QV/Pf2m6aASJ
TLSH	5DD3F182B35AF0CFE5D287B1A083A7EB33D596989D05C956A043F27C2D74C232F16E95
Reporter	abuse_ch
Tags:	NjRAT RAT xlsm

abuse_ch

Malspam distributing njrat:

HELO: correo.cajamar.com
Sending IP: 62.201.4.99
From: Noureddine Ballout <nballout@creditl.com>
Subject: FW:Swift_IBCITITMMXXX103CHRE00702H000001
Attachment: IBCITITMMXXX103CHRE00702H000001.xlsm

NjRAT payload URL:
http://hasteemart.com/IBCITITMMXXX103CHRE00702H000001.exe

Intelligence

File Origin

# of uploads :

# of downloads :

135

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

TwinWave.EvilDoc.AutoTriggerEvilMrFantasy.20200705.UNOFFICIAL

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ace3a764ec8da4bfed78cbbf5d6facb8612178967feb186ef1f6a32f4cf85fce/

Threat name:

Win32.Trojan.Powload

Status:

Malicious

First seen:

2020-07-05 13:13:34 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vtr2ozhmrwsl73lyzo7v235mxbqsc6ewp7vrq3xr62rs6thyl7ha._file

Result

Malware family:

njrat

Score:

10/10

Tags:

evasion persistence trojan family:njrat

Link:

https://tria.ge/reports/200705-62p4ng64vs/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

Office loads VBA resources, possible macro or embedded object present

Suspicious use of SetThreadContext

Modifies service

Adds Run entry to start application

Drops startup file

Loads dropped DLL

Blacklisted process makes network request

Executes dropped EXE

Modifies Windows Firewall

Process spawned unexpected child process

njRAT/Bladabindi

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_disclosed_20180208_c Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	SharedStrings Create hunting rule
Author:	Katie Kleemola
Description:	Internal names found in LURK0/CCTV0 samples

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

xlsm ace3a764ec8da4bfed78cbbf5d6facb8612178967feb186ef1f6a32f4cf85fce

(this sample)

njrat

exe 7721280dd1b071f1d61b5db72d4765395673dd55a4a8e4fd59c2ee8b42548aad

URLhaus

https://urlhaus.abuse.ch/url/407969/

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 7721280dd1b071f1d61b5db72d4765395673dd55a4a8e4fd59c2ee8b42548aad

Dropping

MD5 2b4810b156c5265143b96dfebd78ab8d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample