MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b3a93f5a5efb31c708cf4c1e2ab591c9f478d9578a7742922680ecb3202049dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 9


SHA256 hash: b3a93f5a5efb31c708cf4c1e2ab591c9f478d9578a7742922680ecb3202049dc
SHA3-384 hash: b5e28a5ca696a7376f5166e3d599c76934a9dd26608fe0f1a21d8cf2e5a1134e9aed5eca81df83d81adfd4eb4329df91
SHA1 hash: 3a94601afd0ec7062e2c0f4677734e3c2adb52e7
MD5 hash: 8b1d08ddce4ce01d0c9fbf56ab4cee40
humanhash: connecticut-gee-dakota-juliet
File name: PN# & Qty Needed.vbs
Signature: njrat
File size: 1'571'482 bytes
First seen: 2022-09-29 10:37:36 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 24576:/qztO8vxfCvL1TUBlTyD43pjSB+fX9vHdkBcoYX+3RpPEeg:/qfXl24ZjIoXyQ
Threatray: 1'791 similar samples on MalwareBazaar
TLSH: T1CE756A3235DFAD8AF769C94D830C2B040C641BD752DB9F4B99F0D16E21A9D0C9BEE864
Reporter: 0xToxin
Tags: NjRAT vbs

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 91.193.75.242:1849
ThreatFox reference: https://threatfox.abuse.ch/ioc/858552/

Intelligence


File Origin
# of uploads: 1
# of downloads: 221
Origin country: n/a
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm greyware obfuscated setupapi.dll shdocvw.dll shell32.dll
Result
Verdict: MALICIOUS
Details: Base64 Encoded URL (Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.)
Result
Threat name:
Detection: malicious
Classification: phis.troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Detected njRat
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Uses netsh to modify the Windows network and firewall settings
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Yara detected Njrat
Behaviour
Behavior Graph ID: 712531
Sample: PN# & Qty Needed.vbs
Startdate: 29/09/2022
Architecture: WINDOWS
Score: 100
Process chain recovered from the graph:
wscript.exe -> drops C:\Users\user\AppData\Local\Temp\YPDIE.exe (PE32) and starts it (Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions)
YPDIE.exe -> drops C:\Users\user\AppData\Local\...\lbpwnlr.pif (PE32) and starts it (Machine Learning detection for dropped file; Drops PE files with a suspicious file extension)
lbpwnlr.pif -> starts RegSvcs.exe (Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes)
RegSvcs.exe -> connects to rick63.publicvm.com (91.193.75.242, port 1849, source ports 49731/49732, DAVID_CRAIGGG, Serbia); starts netsh.exe and vbc.exe (Tries to steal Instant Messenger accounts or passwords; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal ftp login credentials; Modifies the windows firewall)
netsh.exe -> starts conhost.exe
Sample-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
Threat name: Script.Trojan.Heuristic
Status: Malicious
First seen: 2022-09-29 10:38:07 UTC
File Type: Text
AV detection: 5 of 39 (12.82%)
Threat level: 2/5
Result
Malware family:
Score: 10/10
Tags: family:njrat botnet:omenx evasion persistence trojan
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Modifies Windows Firewall
njRAT/Bladabindi
Malware Config
C2 Extraction: rick63.publicvm.com:1849
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: CN_disclosed_20180208_c
Author: Florian Roth
Description: Detects malware from disclosed CN malware set
Reference: https://twitter.com/cyberintproject/status/961714165550342146

Rule name: CN_disclosed_20180208_c_RID2E71
Author: Florian Roth
Description: Detects malware from disclosed CN malware set
Reference: https://twitter.com/cyberintproject/status/961714165550342146

Rule name: malware_Njrat_strings
Author: JPCERT/CC Incident Response Group
Description: detect njRAT in memory

Rule name: MALWARE_Win_NjRAT
Author: ditekSHen
Description: Detects NjRAT / Bladabindi

Rule name: MAL_njrat
Author: SECUINFRA Falcon Team

Rule name: MAL_Winnti_Sample_May18_1
Author: Florian Roth
Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Reference: https://401trg.pw/burning-umbrella/

Rule name: MAL_Winnti_Sample_May18_1_RID3003
Author: Florian Roth
Description: Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Reference: https://401trg.pw/burning-umbrella/

Rule name: pe_imphash

Rule name: Skystars_LightDefender_Njrat_Rule
Author: Skystars LightDefender
Description: Detects Njrat

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: SUSP_netsh_firewall_command
Author: SECUINFRA Falcon Team

Rule name: win_njrat_w1
Author: Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description: Identify njRat

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments