MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994
SHA3-384 hash: aa32e44ce7354b7c73ccb01e66f47ebbfc2a541c218323dc559c54cb2f64faa6fe416e20acf301a5e4607e2968a35793
SHA1 hash: d64a9461b703119695e76f880832924d487a648a
MD5 hash: 16dd6afc5e63f4edc4f35fd1176e63bd
humanhash: saturn-virginia-finch-kansas
File name:Documentacion.PDF.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:166'391 bytes
First seen:2021-09-15 12:45:52 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:4jmyjpItG7yzlmwAXPM2ixUr5p4xmku7hjlax82ye9OEYzAV+UGtK67xllUX:+F0Hg4497hwxtRnGtDxY
TLSH T16FF33127F72DE452CE170B7190F9C90E5B2E41140530F5A0F6A8EC5CB66B21CDBB92B6
Reporter abuse_ch
Tags:NjRAT RAT vbs


Avatar
abuse_ch
njrat C2:
181.140.202.66:1980

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
181.140.202.66:1980 https://threatfox.abuse.ch/ioc/222128/

Intelligence

File Origin
# of uploads :
1
# of downloads :
469
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/188193/
Detection(s):
SecuriteInfo.com.VBS.Heur.Corona.4.35FF6E16.Gen.1629.1082.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/61751aa29a5a1e91c5d203a7/reports/0f5020ea-80df-4bc8-95ea-b892abf46aea/overview
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/851412
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Powershell drops PE file
Sigma detected: Drops script at startup location
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious PowerShell Invocations - Specific
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Shell Script Host drops VBS files
Wscript starts Powershell (via cmd or directly)
Yara detected AntiVM3
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 483844 Sample: Documentacion.PDF.vbs Startdate: 15/09/2021 Architecture: WINDOWS Score: 100 66 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->66 68 Yara detected AntiVM3 2->68 70 Yara detected Njrat 2->70 72 10 other signatures 2->72 9 wscript.exe 3 2->9         started        13 wscript.exe 1 2->13         started        process3 file4 48 C:\Users\user\...\Documentacion.PDF.vbs, ASCII 9->48 dropped 80 VBScript performs obfuscated calls to suspicious functions 9->80 82 Suspicious powershell command line found 9->82 84 Wscript starts Powershell (via cmd or directly) 9->84 88 3 other signatures 9->88 15 powershell.exe 14 19 9->15         started        86 Encrypted powershell cmdline option found 13->86 20 powershell.exe 19 13->20         started        signatures5 process6 dnsIp7 50 onedrive.live.com 15->50 52 hdpvrw.bl.files.1drv.com 15->52 54 bl-files.fe.1drv.com 15->54 46 C:\Users\user\AppData\Roaming\Hostdyn.exe, PE32 15->46 dropped 64 Powershell drops PE file 15->64 22 Hostdyn.exe 4 15->22         started        25 conhost.exe 15->25         started        56 192.168.2.1 unknown unknown 20->56 58 onedrive.live.com 20->58 60 2 other IPs or domains 20->60 27 Hostdyn.exe 20->27         started        29 conhost.exe 20->29         started        file8 signatures9 process10 signatures11 74 Machine Learning detection for dropped file 22->74 76 Adds a directory exclusion to Windows Defender 22->76 78 Injects a PE file into a foreign processes 22->78 31 Hostdyn.exe 22->31         started        34 powershell.exe 22->34         started        36 powershell.exe 27->36         started        38 Hostdyn.exe 27->38         started        process12 dnsIp13 62 pedrobedoya2021.duckdns.org 181.140.202.66, 1980, 49743 EPMTelecomunicacionesSAESPCO Colombia 31->62 40 conhost.exe 34->40         started        42 conhost.exe 36->42         started        44 conhost.exe 36->44         started        process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994/
Threat name:
Script-WScript.Trojan.Corona
Create hunting rule
Status:
Malicious
First seen:
2021-09-15 12:46:07 UTC
AV detection:
9 of 43 (20.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ynaxhx5fuguefoyu54p53whrlmezqv3xibdjw2mh2e4oczlyngka._file
Verdict:
malicious
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat suricata trojan
Link:
https://tria.ge/reports/210915-pzmdgadgcm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Drops startup file
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
pedrobedoya2021.duckdns.org:1980
Dropper Extraction:
https://onedrive.live.com/download?cid=4DBCDBEA8A120146&resid=4DBCDBEA8A120146%21152&authkey=AP1AB-SxiNqVg04
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c34173dfa5a1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c34173dfa5a1a842bb14ef1fddd8f15b0998577740469b6987d138e165786994

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:WScript_Shell_PowerShell_Combo
Create hunting rule
Author:Florian Roth
Description:Detects malware from Middle Eastern campaign reported by Talos
Reference:http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html
Rule name:WScript_Shell_PowerShell_Combo_RID32E7
Create hunting rule
Author:Florian Roth
Description:Detects malware from Middle Eastern campaign reported by Talos
Reference:http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/188193/

Comments