MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c793569980c9bf4b3d296903da942e9a11f4c6e2fb0023517a037fc3d56c1b36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c793569980c9bf4b3d296903da942e9a11f4c6e2fb0023517a037fc3d56c1b36
SHA3-384 hash: cbbd31584c93911567e9a114e385cd69d8bc6b26aa20115cccf9363ce69b63fc96de386671a95ef2b4700d1bffeed5c5
SHA1 hash: 2ee3f12297514b90e5c38045f52b3593c4439317
MD5 hash: a19d14dd9f9fc40dcee050f211075042
humanhash: chicken-mars-fix-fruit
File name:928272_Payment_Receipt.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:2'282 bytes
First seen:2021-11-18 19:16:59 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 24:JVkNGJYuIoviVLF5FFOY9NFMffNxVPvyJCCKaV7A9F0ZTFkFo9bFQZpFOyoQeFiT:bXgHpUfLVPaEqnIoTS
Threatray 3'296 similar samples on MalwareBazaar
TLSH T10A414B39FD1BBB864821F97661E78DD5CEEC1017DB543C3C21124C7949918BD6A9C0BB
Reporter abuse_ch
Tags:NjRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
229
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.ISB.Downloadergen81.7851.28478.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/6196a6b343e8f62b66992c15/reports/cb1bf9fb-2eef-4f3d-8e11-a11e97bbabca/overview
Result
Verdict:
SUSPICIOUS
Result
Threat name:
Nanocore Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/892261
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates an undocumented autostart registry key
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Obfuscated command line found
Protects its processes via BreakOnTermination flag
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: NanoCore
Sigma detected: Suspicious PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Nanocore RAT
Yara detected Njrat
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 524736 Sample: 928272_Payment_Receipt.vbs Startdate: 18/11/2021 Architecture: WINDOWS Score: 100 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for domain / URL 2->70 72 Found malware configuration 2->72 74 14 other signatures 2->74 10 wscript.exe 2 2->10         started        14 jsc.exe 2->14         started        16 jsc.exe 2->16         started        18 jsc.exe 2->18         started        process3 file4 58 C:\Users\Public\Downloads\HBar.ps1, ASCII 10->58 dropped 88 VBScript performs obfuscated calls to suspicious functions 10->88 90 Wscript starts Powershell (via cmd or directly) 10->90 92 Obfuscated command line found 10->92 20 powershell.exe 14 10->20         started        23 conhost.exe 14->23         started        25 conhost.exe 16->25         started        27 conhost.exe 18->27         started        signatures5 process6 signatures7 76 Bypasses PowerShell execution policy 20->76 29 powershell.exe 14 17 20->29         started        33 conhost.exe 20->33         started        process8 dnsIp9 66 transfer.sh 144.76.136.153, 443, 49730, 49751 HETZNER-ASDE Germany 29->66 94 Creates an undocumented autostart registry key 29->94 96 Writes to foreign memory regions 29->96 98 Injects a PE file into a foreign processes 29->98 35 jsc.exe 29->35         started        40 jsc.exe 29->40         started        42 jsc.exe 29->42         started        signatures10 process11 dnsIp12 60 legend4000.duckdns.org 52.170.223.88, 4000, 49838 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 35->60 52 C:\ProgramData\XXX\Microsoft.Exe, PE32 35->52 dropped 78 Protects its processes via BreakOnTermination flag 35->78 80 Creates an autostart registry key pointing to binary in C:\Windows 35->80 44 netsh.exe 35->44         started        62 jamcav.duckdns.org 185.140.53.3, 49795, 49796, 49800 DAVID_CRAIGGG Sweden 40->62 64 192.168.2.1 unknown unknown 40->64 54 C:\Users\user\AppData\Roaming\...\run.dat, data 40->54 dropped 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->82 56 C:\Users\user\...behaviorgraphoogleCrashHandler.exe, PE32 42->56 dropped 84 Uses netsh to modify the Windows network and firewall settings 42->84 86 Modifies the windows firewall 42->86 46 GoogleCrashHandler.exe 42->46         started        file13 signatures14 process15 process16 48 conhost.exe 44->48         started        50 conhost.exe 46->50         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c793569980c9bf4b3d296903da942e9a11f4c6e2fb0023517a037fc3d56c1b36/
Threat name:
Script.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 19:17:05 UTC
AV detection:
3 of 44 (6.82%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y6jvngmazg7uwpjjneb5vfbotii7jrxc7macgul2an74hvlmdm3a._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
njrat
Create hunting rule
Similar samples:
07f511ce3b6a8fb409c1a05ea3e01a6d92422674224109c8d0889a017122098c
njrat
2b8a102443d6ed4c84471a54f058f24f5f55485bba73ebd785fdce294e337110
njrat
3d8811d64e17d5ea06d0edae6163b90b2400d06d9afa60ae689d6fe9232bca86
njrat
4d394ed696ee7fb3d53a7b064c53f2157b28d9f192de912fe311dd284845e4c9
njrat
5a8b4dc95322eed89a2c77350395f8c1f79394369bebec84703ae285092a37f5
njrat
6cb5a93eec2726f651d8a61a9e865d46a93324992d9a2467edb6b83b64789985
njrat
7ceb354c4f419b3daed055ae62d5b1aaf58a7b715f8e9de08e5379e7e70ebeb6
njrat
816d9c966736b02b56d23629f8968fdb4f910fd575c4c07b524bd51948c5d4ed
njrat
8d8c15469072ede8e80eb85c7f3ef44ba53778831c28dab5a6562a0672b1bc72
njrat
9f96527c9f839559485e89c5c5ff8f95708035fd55c9fac0c2edf3764224d860
njrat
+ 3'286 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:nanocore family:njrat botnet:hacked evasion keylogger persistence spyware stealer suricata trojan
Link:
https://tria.ge/reports/211118-xzdqbsfccn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Blocklisted process makes network request
Executes dropped EXE
Modifies Windows Firewall
NanoCore
njRAT/Bladabindi
suricata: ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
Malware Config
C2 Extraction:
jamcav.duckdns.org:6746
Malware family:
Winnti Group
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/c793569980c9/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c793569980c9bf4b3d296903da942e9a11f4c6e2fb0023517a037fc3d56c1b36

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207363/

Comments