MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdbc7e20f13cee3e9ff2e82c41bd6f8740fec1ade4a0686b50c6eafce574341c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdbc7e20f13cee3e9ff2e82c41bd6f8740fec1ade4a0686b50c6eafce574341c
SHA3-384 hash: 40b439a5d77a01f7eea57049fd3180dc5a7a162446b85f342fb66b73049c4d9017dcdf3820a74a2e2bf7a27ae2f5fd0a
SHA1 hash: 45db2a32dd53fb4c08b781e137f62a6ef1d23412
MD5 hash: 4b0434d0d23bc7b3488fce647bf28a68
humanhash: fanta-rugby-muppet-echo
File name:Serverr.ps1
Download: download sample
Signature njrat
Create hunting rule
File size:3'633'254 bytes
First seen:2022-05-06 12:08:37 UTC
Last seen:2022-05-06 12:22:20 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24576:Ie/+33eITsPXOtpncI+YvuBYriu44yzXMPFz5hJRZF20iuLC+JjGsh1PV0jCF4/h:B
Threatray 956 similar samples on MalwareBazaar
TLSH T1D4F5AEE95E4DB1E17F41FE8CD8CA2DCE2AA1423179A020395E77F4868D934EDA44BDC4
Reporter pr0xylife
Tags:May9400 NjRAT ps1

Intelligence

File Origin
# of uploads :
2
# of downloads :
348
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PowerShell.Runner.AQ.9967.5330.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Result
Threat name:
BitRAT Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/989052
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
PowerShell case anomaly found
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Yara detected BitRAT
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 621548 Sample: Serverr.ps1 Startdate: 06/05/2022 Architecture: WINDOWS Score: 100 63 bitrat9300.duckdns.org 2->63 65 Snort IDS alert for network traffic 2->65 67 Multi AV Scanner detection for domain / URL 2->67 69 Found malware configuration 2->69 71 8 other signatures 2->71 9 powershell.exe 28 2->9         started        13 powershell.exe 8 2->13         started        15 powershell.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 file5 57 C:\ProgramData\...\LUNSZTNOXSSVCTNEVRBDGH.ps1, ASCII 9->57 dropped 59 C:\ProgramData\...\LUNSZTNOXSSVCTNEVRBDGH.bat, ASCII 9->59 dropped 79 Bypasses PowerShell execution policy 9->79 19 powershell.exe 32 9->19         started        21 powershell.exe 9->21         started        23 conhost.exe 9->23         started        25 cmd.exe 1 13->25         started        27 conhost.exe 13->27         started        29 cmd.exe 15->29         started        31 conhost.exe 15->31         started        33 cmd.exe 17->33         started        35 conhost.exe 17->35         started        signatures6 process7 process8 37 wscript.exe 19->37         started        40 wscript.exe 21->40         started        42 powershell.exe 25->42         started        44 powershell.exe 29->44         started        46 powershell.exe 33->46         started        signatures9 73 Creates processes via WMI 37->73 75 Writes to foreign memory regions 42->75 77 Injects a PE file into a foreign processes 42->77 48 aspnet_regbrowsers.exe 42->48         started        51 aspnet_regbrowsers.exe 42->51         started        53 aspnet_regbrowsers.exe 44->53         started        55 aspnet_regbrowsers.exe 46->55         started        process10 dnsIp11 61 dan9400.duckdns.org 194.147.140.17, 49794, 49848, 9300 PTPEU unknown 48->61
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdbc7e20f13cee3e9ff2e82c41bd6f8740fec1ade4a0686b50c6eafce574341c/
Threat name:
Script-PowerShell.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-06 12:09:09 UTC
File Type:
Text (PowerShell)
AV detection:
9 of 26 (34.62%)
Threat level:
  1/5
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
03674af9c28f5702955756f95a9173954188deb1d4f14b0bc8f0457e9383d6db
njrat
1c6adefb631929c92c652eaad245e909b6fc8e872b24a026d7d5bdd385ef0b73
njrat
3bf5f251905471ab07782554a58cfa444e4693c4b1ecad16471c489924fd1fe3
njrat
51af4d4e1af93fd32fd240a7ec9df52e2af9f7d7567c7f7dff776ce0b4852323
njrat
704e26dbdebc8b3ad1391f5b9d671f8b9550609455821540151ff70e17bed798
njrat
ce30c428376eac3095f203ebe88f94a38737dc82f2ad018b2ae6c8569b389c5a
njrat
dcb73a0ea23548167bd5724418377fe1e8c88f1be3125c0df6cc89722bb26f33
njrat
+ 946 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:bitrat family:njrat botnet:may9400 suricata trojan upx
Link:
https://tria.ge/reports/220506-pbfwsacedk/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops startup file
UPX packed file
BitRAT
Process spawned unexpected child process
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
suricata: ET MALWARE Observed Malicious SSL Cert (BitRAT CnC)
Malware Config
C2 Extraction:
dan9400.duckdns.org:9400
bitrat9300.duckdns.org:9300
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bdbc7e20f13c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bdbc7e20f13cee3e9ff2e82c41bd6f8740fec1ade4a0686b50c6eafce574341c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments