MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1b114c09344edc0be3459e3a93f47ef584df37b58500b7f420f8232e7cac6f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1b114c09344edc0be3459e3a93f47ef584df37b58500b7f420f8232e7cac6f5
SHA3-384 hash: e8ad4053de87dc57170a119e749a0a39e402ab673634600414620e4ffcf40921968a423e851f1340046042c9689e4f46
SHA1 hash: 3e1682855ad4035134f6ebd68d56824535b4ca03
MD5 hash: 4cb86eadbadba68752d539597e6ab5ad
humanhash: cup-autumn-triple-twenty
File name:DOCUMENTO (FGE).vbs
Download: download sample
Signature njrat
Create hunting rule
File size:222'878 bytes
First seen:2023-02-23 06:50:21 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 192:qEo4cwiS9RSBzHqlBZFrtzKZ1eNEQii1WEjiX1vq:oUidzHqtKd1i
Threatray 1'087 similar samples on MalwareBazaar
TLSH T12324A511BEAF204976D31013A7FFF5F58B3EE1927B19D49A289C074847D5F86C8A0A93
TrID 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
33.3% (.MP3) MP3 audio (1000/1)
Reporter abuse_ch
Tags:NjRAT RAT vbs


Avatar
abuse_ch
njrat C2:
46.246.12.12:1994

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Detection:
DLAgent09 Downloader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/369174/
Detection(s):
Sanesecurity.Malware.28845.BadVBS.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/63f70cd92fa3ab63402040b2/reports/ca776371-96af-464c-b6fc-7e3bd800dbb3/overview
Verdict:
Malicious
Labled as:
GT:VB.Downloader.1
Link:
https://www.hybrid-analysis.com/sample/b1b114c09344edc0be3459e3a93f47ef584df37b58500b7f420f8232e7cac6f5
Result
Verdict:
MALICIOUS
Result
Threat name:
Njrat, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1181102
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Njrat
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 813933 Sample: DOCUMENTO (FGE).vbs Startdate: 23/02/2023 Architecture: WINDOWS Score: 100 76 Snort IDS alert for network traffic 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for URL or domain 2->80 82 9 other signatures 2->82 9 wscript.exe 1 2->9         started        12 wscript.exe 1 2->12         started        14 wscript.exe 1 2->14         started        process3 signatures4 86 VBScript performs obfuscated calls to suspicious functions 9->86 88 Suspicious powershell command line found 9->88 90 Wscript starts Powershell (via cmd or directly) 9->90 16 powershell.exe 7 9->16         started        19 powershell.exe 7 12->19         started        22 powershell.exe 14->22         started        process5 dnsIp6 70 Suspicious powershell command line found 16->70 72 Obfuscated command line found 16->72 74 Drops VBS files to the startup folder 16->74 24 powershell.exe 14 17 16->24         started        28 conhost.exe 16->28         started        66 192.168.2.1 unknown unknown 19->66 30 powershell.exe 14 19->30         started        32 conhost.exe 19->32         started        34 powershell.exe 22->34         started        36 conhost.exe 22->36         started        signatures7 process8 file9 62 C:\Users\user\...\Roda.vbs:Zone.Identifier, ASCII 24->62 dropped 64 C:\Users\user\AppData\Roaming\...\Roda.vbs, Unicode 24->64 dropped 92 Writes to foreign memory regions 24->92 94 Injects a PE file into a foreign processes 24->94 38 cmd.exe 1 24->38         started        41 RegAsm.exe 2 2 24->41         started        44 cmd.exe 30->44         started        46 svchost.exe 30->46         started        48 RegAsm.exe 30->48         started        50 RegAsm.exe 30->50         started        52 cmd.exe 34->52         started        54 RegAsm.exe 34->54         started        signatures10 process11 dnsIp12 84 Uses schtasks.exe or at.exe to add and modify task schedules 38->84 56 schtasks.exe 1 38->56         started        68 fortuna777.duckdns.org 46.246.12.12, 1994, 49702 PORTLANEwwwportlanecomSE Sweden 41->68 58 schtasks.exe 1 44->58         started        60 schtasks.exe 52->60         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1b114c09344edc0be3459e3a93f47ef584df37b58500b7f420f8232e7cac6f5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-02-23 02:09:26 UTC
File Type:
Text (VBS)
AV detection:
4 of 38 (10.53%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wgyrjqetitw4bprulhr2sp2h55me3433lbiaw72cb6bdfz6ky32q._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
2729c82ff2347665864955ce4564a251c7d366d022cf88303d247ba9df7cf6d5
njrat
48aab1c694a3bd849241df0849c3a9db84301913d60d9bb8d50b869486967821
njrat
54716a9a3a8fb7cc6be3074ea0472703ec03e1421d553b0dc6b3ebe7b1ec10bb
njrat
57cb093510514d18e117230d0b01837dfa0492bf89f76638bd8bc7cdcf7422d0
njrat
78d7c849e8c0ca246c289242e281cdce5606728978b8cfdaef36153e77e14072
njrat
a72215f71cc5fe73bacc1a7735dd6cd79587373ca54d4648de9bf9173a21b8a5
njrat
b05939920d359a0f2d4e03431a81ab7ee33c831f59f47f569ccdc6750a1827b6
njrat
dbabe5bc4bfa164771c72f900adf02b24165fc6824771b0a00c42f29baa5ba68
njrat
+ 1'077 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat trojan
Link:
https://tria.ge/reports/230223-hmg5nafa47/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Drops startup file
Blocklisted process makes network request
njRAT/Bladabindi
Malware Config
C2 Extraction:
fortuna777.duckdns.org:1994
Dropper Extraction:
https://firebasestorage.googleapis.com/v0/b/lengua-y-literatura-1422e.appspot.com/o/dll.txt?alt=media&token=1c5d4ddd-8eda-411b-9af8-dcb5ccb40c0f
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b1b114c09344/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b1b114c09344edc0be3459e3a93f47ef584df37b58500b7f420f8232e7cac6f5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_VBS_Wscript_Shell
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and commmon

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/369174/

Comments