We are hiring! Windows Kernel Developer (Remote), apply here!
flash

NJratccccassssG2.00.vbs

Status: finished
Submission Time: 2022-02-21 06:48:11 +01:00
Malicious
Trojan
Spyware
Exploiter
Evader
Njrat

Comments

Tags

Details

  • Analysis ID:
    575468
  • API (Web) ID:
    942990
  • Analysis Started:
    2022-02-21 06:48:13 +01:00
  • Analysis Finished:
    2022-02-21 06:58:29 +01:00
  • MD5:
    4833452ece935ea45c3b0912db2fc0bd
  • SHA1:
    111ba6889be1031376e62b1e87dd83041ace2352
  • SHA256:
    965b43f6e33c4b12172f54bd6361f892a3c7f8aa6d75ac3a8665b090ff9d819f
  • Technologies:
Full Report Management Report IOC Report Engine Info Verdict Score Reports

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious
17/58

malicious
5/34

malicious
11/43

malicious

IPs

IP Country Detection
201.121.59.253
Mexico
198.50.177.251
Canada
162.253.155.226
United States

Domains

Name IP Detection
venomsi.mypsx.net
201.121.59.253
njratcasanew.ueuo.com
162.253.155.226

URLs

Name Detection
venomsi.mypsx.net
http://198.50.177.251/rump/4.txt
http://nuget.org/NuGet.exe
Click to see the 13 hidden entries
http://njratcasanew.ueuo.com
http://198.50.177.251
http://pesterbdd.com/images/Pester.png
http://njratcasanew.ueuo.com/NJratNEW%20casa/base%2064%20NJratNEWcasa.txt
http://www.apache.org/licenses/LICENSE-2.0.html
https://contoso.com/
https://nuget.org/nuget.exe
http://njratcasanew.ueuo.comx
https://contoso.com/License
https://contoso.com/Icon
http://198.50.177.251x
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
https://github.com/Pester/Pester

Dropped files

Name File Type Hashes Detection
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VFM.vbs
Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
#
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_czz05exg.e0h.ps1
very short file (no magic)
#
Click to see the 12 hidden entries
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jv2klgm1.r0q.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lpv40imj.k0g.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_phjaxqgs.pd0.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tq5avew2.ytq.psm1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_v0iy51oe.tqh.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vfpndanb.rnb.ps1
very short file (no magic)
#
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wdyg2daj.ovs.psm1
very short file (no magic)
#
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ VFM.vbs:Zone.Identifier
ASCII text, with CRLF line terminators
#
C:\Users\user\Documents\20220221\PowerShell_transcript.347688.9YlVrO_k.20220221064925.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#
C:\Users\user\Documents\20220221\PowerShell_transcript.347688.IrFEJQAh.20220221064918.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20220221\PowerShell_transcript.347688.ynx6k2_L.20220221064946.txt
UTF-8 Unicode (with BOM) text, with CRLF line terminators
#
C:\Users\user\Documents\20220221\PowerShell_transcript.347688.yrGPxWUi.20220221064928.txt
UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
#