MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e1c8fbc6931af31a8c7d8a8a85792c44906728db795ca6df3f2d626c760c43b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: njrat
Vendor detections: 8



SHA256 hash: e1c8fbc6931af31a8c7d8a8a85792c44906728db795ca6df3f2d626c760c43b6
SHA3-384 hash: d09af5ee16b1c92cee61e216d980ff970acca9ec4f39bf64b619ddb3a3811be6354195ab9d382840c87def19ced61fc3
SHA1 hash: f262f5ede9adb3d9dca0e82cbccd9ce633653620
MD5 hash: 34f11d6afd3af1456fb499ba7296676e
humanhash: lactose-ink-hamper-moon
File name: Status-Report.vbs
Signature: njrat
File size: 50'319 bytes
First seen: 2022-02-22 10:06:08 UTC
Last seen: 2022-02-22 13:38:40 UTC
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 384:xHHHHHHHHHHHjHHHHHHHHHHHAHHHHHHHHHHHjHHHHHHHHHHHBHHHHHHHHHHHjHHh:u
Threatray: 12 similar samples on MalwareBazaar
TLSH: T14C33E22D5E23CFC9AC3C9F46F24C19B6AA879550F7078C4A529AC4973D731A0449BFA8
Reporter: ankit_anubhav
Tags: ahkloader NjRAT thailand pass scam vbs

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: http://invoice-update.myiphost.com:1177/Vre
ThreatFox reference: https://threatfox.abuse.ch/ioc/390056/

IOC: 136.243.111.71:126
ThreatFox reference: https://threatfox.abuse.ch/ioc/390057/

Intelligence


File Origin
# of uploads: 2
# of downloads: 296
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for URL or domain
Contains functionality to log keystrokes (.Net Source)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious names
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
May check the online IP address of the machine
Powershell drops PE file
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Suspicious PowerShell Invocations - Specific
Sigma detected: Windows Shell File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph (ID 576293; sample Status-Report.vbs; start date 22/02/2022; architecture WINDOWS; score 100). The graph image is not reproduced here. The process chain it shows: wscript.exe launches cmd.exe and powershell.exe; PowerShell downloads from archive.org and onedrive.live.com and drops files under C:\ProgramData and C:\Users\Public (including Untitled.exe, 1.vbs, 1.bat, Untitled.ps1 and the Outlook.* scripts); reg.exe and schtasks.exe establish autostart persistence; powershell.exe writes into and injects a PE file into aspnet_compiler.exe, which connects to invoice-update.myiphost.com (136.243.111.71, HETZNER-AS, Germany) on ports 1177 and 126.
Threat name: Script-WScript.Downloader.Nemucod
Status: Malicious
First seen: 2022-02-22 10:07:09 UTC
File Type: Text
AV detection: 11 of 28 (39.29%)
Threat level: 3/5

Result
Malware family: n/a
Score: 10/10
Tags: persistence
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Malware Config
Dropper Extraction:
https://archive.org/download/LMSPass/LMSPass.txt
https://archive.org/download/fg_20220221/fg.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.
