MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f401d3eaa05785e0a1516f45eeebe598f3d660fcb48a217fdb24a3c2777c8ed5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 8

SHA256 hash: f401d3eaa05785e0a1516f45eeebe598f3d660fcb48a217fdb24a3c2777c8ed5
SHA3-384 hash: da4d22d01bf2c923089ecb2a7b368ec0e1e08ea83a124e951c367674f2edcc64c786bad9aa07e2693c69d0f6fdb75997
SHA1 hash: 938a1b906f0e92f5efdf0fac69b173f70ff1c03e
MD5 hash: c34847ab40c8b63a4e101e695523888d
humanhash: hot-ohio-tango-solar
File name: Cobro Juridico Historial de pago.vbs
Signature: njrat
File size: 251'354 bytes
First seen: 2023-05-31 08:03:21 UTC
Last seen: Never
File type: Visual Basic Script (vbs)
MIME type: text/plain
ssdeep: 3072:99u999i9y99y999999999996999999999999N9999Pj29N:L
Threatray: 443 similar samples on MalwareBazaar
TLSH: T1C6349F5223E61125B1763B9CAFB291344B1BBBA5697DC23E06BC340A1FE3940C4E57B7
TrID: 66.6% (.TXT) Text - UTF-16 (LE) encoded (2000/1)
      33.3% (.MP3) MP3 audio (1000/1)
Reporter: abuse_ch
Tags: NjRAT vbs

Intelligence


File Origin
# of uploads: 1
# of downloads: 131
Origin country: NL

Vendor Threat Intelligence

Result
Verdict: UNKNOWN

Result
Threat name: Njrat, PasteDownloader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Obfuscated command line found
Snort IDS alert for network traffic
Suspicious powershell command line found
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
VBScript performs obfuscated calls to suspicious functions
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Yara detected Njrat
Yara detected PasteDownloader
Behaviour
Behavior Graph ID: 878864
Sample: Cobro_Juridico_Historial_de...
Start date: 31/05/2023
Architecture: WINDOWS
Score: 100
[Behavior graph image not reproduced; the node data recoverable from it is listed below.]
Process chain: wscript.exe -> powershell.exe -> wscript.exe / conhost.exe -> powershell.exe -> cmd.exe -> schtasks.exe; a powershell.exe child of the first wscript.exe stage additionally launches cmd.exe, powershell.exe and InstallUtil.exe
Contacted hosts:
  wtools.io - 104.21.6.247 and 172.67.135.130, port 443 (CLOUDFLARENETUS, United States)
  pastebin.com - 104.20.68.143, port 443 (CLOUDFLARENETUS, United States)
  jminversiones.duckdns.org - 46.246.4.2, port 2054 (PORTLANEwwwportlanecomSE, Sweden), contacted by InstallUtil.exe
  several other IPs or domains not named in the graph
Dropped files:
  C:\Users\user\AppData\Local\Temp\xx.vbs (ASCII)
  C:\...\Cobro_Juridico_Historial_de_pago.vbs (Unicode)
Signatures shown on the graph: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Wscript called in batch mode (surpress errors); Writes to foreign memory regions; Injects a PE file into a foreign processes; Uses schtasks.exe or at.exe to add and modify task schedules; 10 other signatures
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-05-31 08:04:05 UTC
File Type: Text (VBS)
AV detection: 1 of 37 (2.70%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Blocklisted process makes network request
Malware Config
Dropper Extraction: https://pastebin.com/raw/AnrGVgcW
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SUSP_VBS_Wscript_Shell
Author: SECUINFRA Falcon Team
Description: Detects the definition of 'Wscript.Shell' which is often used by Malware, FPs are possible and common

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  Signature: njrat
  File type: Visual Basic Script (vbs)
  SHA256: f401d3eaa05785e0a1516f45eeebe598f3d660fcb48a217fdb24a3c2777c8ed5 (this sample)

Delivery method: Distributed via e-mail attachment

Comments