MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c46f8bdc611e253950773ca2daf8a59ebedd55b1d50c33b011a0709fe63c35e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c46f8bdc611e253950773ca2daf8a59ebedd55b1d50c33b011a0709fe63c35e0
SHA3-384 hash: 78054dad19d40e6ce91f40c2f934d180ea55b4f95cd379866d3a8b28ee1f4c4b93f78e4e5ebaa4539c777936b2837e90
SHA1 hash: b91020420d2247d48f8c4014ecf7693afef06150
MD5 hash: 257e0b90503375cb64018979493a0375
humanhash: november-nuts-texas-fruit
File name:Serbver.ps1
Download: download sample
Signature njrat
Create hunting rule
File size:3'755'000 bytes
First seen:2022-05-16 15:25:48 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24576:UvCIIoislD4moeUoaLLMTqWs28zQIIrIdb3BX/rdRTlT91VpkPt1IeSyuV49g2iH:z
Threatray 285 similar samples on MalwareBazaar
TLSH T1AF06AEAD0B36AB967649374878040F450654566CF1E410789A8B37A3CAFFEF2807D7BE
Reporter pr0xylife
Tags:NjRAT ps1

Intelligence

File Origin
# of uploads :
1
# of downloads :
331
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
UNKNOWN
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/995098
Signature
Bypasses PowerShell execution policy
Creates processes via WMI
Injects a PE file into a foreign processes
PowerShell case anomaly found
Snort IDS alert for network traffic
Uses dynamic DNS services
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 627590 Sample: Serbver.ps1 Startdate: 16/05/2022 Architecture: WINDOWS Score: 72 62 dan9400.duckdns.org 2->62 66 Snort IDS alert for network traffic 2->66 68 Uses dynamic DNS services 2->68 70 PowerShell case anomaly found 2->70 10 powershell.exe 28 2->10         started        14 powershell.exe 8 2->14         started        16 powershell.exe 2->16         started        18 2 other processes 2->18 signatures3 process4 file5 58 C:\ProgramData\...\RLNJJODYBBDHUERXKVQNSE.ps1, ASCII 10->58 dropped 60 C:\ProgramData\...\RLNJJODYBBDHUERXKVQNSE.bat, ASCII 10->60 dropped 78 Bypasses PowerShell execution policy 10->78 20 powershell.exe 34 10->20         started        22 powershell.exe 10->22         started        24 conhost.exe 10->24         started        26 cmd.exe 1 14->26         started        28 conhost.exe 14->28         started        30 cmd.exe 16->30         started        32 conhost.exe 16->32         started        34 cmd.exe 18->34         started        36 conhost.exe 18->36         started        signatures6 process7 process8 38 wscript.exe 20->38         started        41 wscript.exe 22->41         started        43 powershell.exe 14 26->43         started        45 powershell.exe 30->45         started        47 powershell.exe 34->47         started        signatures9 72 Creates processes via WMI 38->72 74 Writes to foreign memory regions 43->74 76 Injects a PE file into a foreign processes 43->76 49 jsc.exe 43->49         started        51 jsc.exe 45->51         started        process10 process11 53 WerFault.exe 49->53         started        56 WerFault.exe 51->56         started        dnsIp12 64 192.168.2.1 unknown unknown 53->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c46f8bdc611e253950773ca2daf8a59ebedd55b1d50c33b011a0709fe63c35e0/
Threat name:
Script-PowerShell.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2022-05-16 15:26:08 UTC
File Type:
Text (PowerShell)
AV detection:
9 of 26 (34.62%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
1b5ae550c7aaa211a5964cded7cf7752400467513a66643076e3723d868afbcb
njrat
23719f11a3288fc85d2256428d42a90622f8e900fbfb877d9d513da8c4d75030
njrat
32c17b45985fbefcf67e054af34e00eb56c0577edfa13d03abb2b8d8e041a513
njrat
35b37b30779ff09b08ee04b1a284ec172dbf9767bd6afac8ade45ac09fe186b7
njrat
3cead87d0418ee97c2fbddf19c699c58203c40e524e76bb08f26dcce9eb6dfdf
njrat
8dfe0003ce22bfa6f3123e30eb90e3d10e9ef16f7a206ffed6955846e0c11c06
njrat
bdbc7e20f13cee3e9ff2e82c41bd6f8740fec1ade4a0686b50c6eafce574341c
njrat
beb3054ea8b10d507ef20e05f6887042244de6c8f70bbcc5065b6ff1aa546f10
njrat
e51d5a34e88b31078df596dfc8a162c2cd2a0d4e3d3e8228301e3cec9f88d22c
njrat
eb2b24470ff5572e47f2e39e4557f35a01233c68ce9b9db6b5eada127108d6ad
njrat
+ 275 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:may9400 suricata trojan upx
Link:
https://tria.ge/reports/220516-st6rpsggb4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops startup file
UPX packed file
Process spawned unexpected child process
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
dan9400.duckdns.org:9400
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c46f8bdc611e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c46f8bdc611e253950773ca2daf8a59ebedd55b1d50c33b011a0709fe63c35e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments