MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d60845023b6f4924993a60e60e1db49c5b6cc9ede4e09560d3542dd5f1bee603. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 5


Intelligence 5 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d60845023b6f4924993a60e60e1db49c5b6cc9ede4e09560d3542dd5f1bee603
SHA3-384 hash: 0e17ece5d649d11f30872732d3c35f51a2a45b956d0797df700ac2fb7ffcfed10cdfd2a7ec8bc857451a78bb28225297
SHA1 hash: 5ea8bd6abd7d1f78873cb641e812904375000917
MD5 hash: bda6aa1c44cb84f5fefecb0e2f421e57
humanhash: nuts-california-twelve-stream
File name:Invoice#1096.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:3'574 bytes
First seen:2021-09-01 14:58:04 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 48:2iMKRkQYvcNzzzzzzzzzzzzzzzkt1zzzzzzzzzzzzzzzDQraKBAdOsQiL6dXJ2GD:2HKtqt2NBAdODgkJjWRZ2rb
Threatray 115 similar samples on MalwareBazaar
TLSH T1A4710328B5A8B062FDF608AD8758AEC35CFC002677DEC22327E3F65DD04C91B588D564
Reporter abuse_ch
Tags:NjRAT RAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
617
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/184499/
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/843432
Signature
C2 URLs / IPs found in malware configuration
Creates an undocumented autostart registry key
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: CrackMapExec PowerShell Obfuscation
VBScript performs obfuscated calls to suspicious functions
Very long command line found
Wscript starts Powershell (via cmd or directly)
Yara detected MSILLoadEncryptedAssembly
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d60845023b6f4924993a60e60e1db49c5b6cc9ede4e09560d3542dd5f1bee603/
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2yeekar3n5esjgj2mdta4hnutrnwzspn4tqjkygtkqw5l4n64ybq._file
Verdict:
suspicious
Similar samples:
0b365ef77b8b8ed330a2e48b081a20d9eb5b275b276306e5b51615cf10821fe0
njrat
66af5edcb0b90924a25f4cf764ae81eb754b58da9bde404761f48eafd1ead410
njrat
7f1cd16cd2d2e5644752a3e0fd411c3902bad47051779d5bd539e9650f53787c
njrat
89aea7429e8634bbba4d97c8576adb9568cdf91830d15ecd2c34c5a290f7b83f
njrat
8c9d614da4ea17f4261a105adbe73992c0df1f5639310f78db244fdf3fe338fe
njrat
ce30c428376eac3095f203ebe88f94a38737dc82f2ad018b2ae6c8569b389c5a
njrat
d424a08c1e1eac484c029a6ef4008bf991aebf26a86aa02fecd18ad60bb24a0f
njrat
d9d27f03e2f8bc97451296da9a7ddeac39ede3240306fa198bf898434b58c53c
njrat
df047189f75d998dc499072881c762fd001360f5cf184b801cb8c232b5c567f6
njrat
ee3e682e4fa43cda0810b952e2df8b07c4fd952fe49c22c8dc4fbee1247f0b6b
njrat
+ 105 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:boss trojan
Link:
https://tria.ge/reports/210901-n5axzhjf4s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Blocklisted process makes network request
njRAT/Bladabindi
Malware Config
C2 Extraction:
103.147.184.73:7103
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/d60845023b6f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d60845023b6f4924993a60e60e1db49c5b6cc9ede4e09560d3542dd5f1bee603

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CN_disclosed_20180208_c
Create hunting rule
Author:Florian Roth
Description:Detects malware from disclosed CN malware set
Reference:https://twitter.com/cyberintproject/status/961714165550342146
Rule name:INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
Create hunting rule
Author:ditekSHen
Description:Detects file containing reversed ASEP Autorun registry keys
Rule name:INDICATOR_SUSPICIOUS_EXE_attrib
Create hunting rule
Author:ditekSHen
Description:Detects executables using attrib with suspicious attributes attributes
Rule name:MALWARE_Win_NjRAT
Create hunting rule
Author:ditekSHen
Description:Detects NjRAT / Bladabindi
Rule name:Njrat
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect njRAT in memory
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/184499/

Comments