YARAify Scan Results

Task Information

---

Task ID:	d892eb64-c683-11f0-adeb-42010aa4000b
File name:	0c95b8310cc1e1bce8866e50145db3f3
Task parameters:	ClamAV scan:	True
	Unpack:	False
	Share file:	True

ClamAV Results

---

The file matched the following open source and commercial ClamAV rules.

Signature:	Sanesecurity.Malware.29063.UNOFFICIAL Alert Create hunting rule

Signature:	Win.Dropper.Nanocore-10030076-0 Alert Create hunting rule

Signature:	Win.Dropper.njRAT-10015886-0 Alert Create hunting rule

Signature:	Win.Packed.Generic-9795615-0 Alert Create hunting rule

Signature:	Win.Packed.Krypt-6888233-0 Alert Create hunting rule

Signature:	Win.Packed.Msilperseus-9220094-0 Alert Create hunting rule

Signature:	Win.Trojan.Generic-6417450-0 Alert Create hunting rule

YARA Results

---

Static Analysis

The following YARA rules matched on the file (static analysis).

Rule name:	CN_disclosed_20180208_c Alert Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146
TLP:	TLP:WHITE
Repository:	Neo23x0

Rule name:	CN_disclosed_20180208_c_RID2E71 Alert Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146
TLP:	TLP:WHITE

Rule name:	MAL_njrat Alert Create hunting rule
Author:	SECUINFRA Falcon Team
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	malware_Njrat_strings Alert Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory
TLP:	TLP:WHITE
Repository:	JPCERTCC

Rule name:	MALWARE_Win_NjRAT Alert Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi / NjRAT Golden
TLP:	TLP:WHITE
Repository:	diˈtekSHən

Rule name:	Multifamily_RAT_Detection Alert Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables
TLP:	TLP:WHITE
Repository:

Rule name:	NET Alert Create hunting rule
Author:	malware-lu
TLP:	TLP:WHITE
Repository:

Rule name:	NETexecutableMicrosoft Alert Create hunting rule
Author:	malware-lu
TLP:	TLP:WHITE
Repository:

Rule name:	Njrat Alert Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory
TLP:	TLP:WHITE
Repository:

Rule name:	Njrat Alert Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat
TLP:	TLP:WHITE
Repository:

Rule name:	pe_imphash Alert Create hunting rule
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	RAT_win_njrat Alert Create hunting rule
Author:	KrknSec
Description:	Detects njRAT binaries.
Reference:	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	Skystars_LightDefender_Njrat_Rule Alert Create hunting rule
Author:	Skystars LightDefender
Description:	Detects Njrat
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	Skystars_Malware_Imphash Alert Create hunting rule
Author:	Skystars LightDefender
Description:	imphash
TLP:	TLP:WHITE
Repository:	MalwareBazaar

Rule name:	Sus_CMD_Powershell_Usage Alert Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
TLP:	TLP:WHITE
Repository:	YARAify

Rule name:	Windows_Trojan_Njrat_30f3c220 Alert Create hunting rule
TLP:	TLP:WHITE
Repository:	elastic

Rule name:	Windows_Trojan_Njrat_30f3c220 Alert Create hunting rule
Author:	Elastic Security
TLP:	TLP:WHITE
Repository:	elastic

Unpacker

The following YARA rules matched on the unpacked file.

Unpacked Files

---

The following files could be unpacked from this sample.