Malware Bazaar: https://bazaar.abuse.ch/browse/signature/njrat/
njRAT is written in Visual Basic. Its source code has leaked, and samples observed in the wild have been modified and customized by attackers:
0c588a633e7979a81579f3317dd735884f660ccc7b78ebf20be8654f2546a915.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
48cc6bd83e2933df14dafd0ed0e119215ed134fc57167b768c48202b54d4bb41.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
4ef128a8ae0eb9a7ab045791ddcfd834f173ad5cb98dd51c9cc84fb99f8cbef2.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
5a89e39ab6b87ed1d0810009c093db235fca513f11a49d13653dfb26534cb265.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Analyzing a few samples, I found some distinctive command-line strings. I wrote a one-liner to list the strings the samples have in common (each file's strings are deduplicated first, so the count is the number of samples containing a string):
for i in *.exe; do strings "$i" | sort -u; done | sort | uniq -c | sort -n
I ended up with this YARA rule:
rule njrat
{
    meta:
        description = "njrat"
    strings:
        $c1 = "cmd.exe /k ping 0 & del " ascii wide
        $c2 = "cmd.exe /c ping 0 -n 2 & del" ascii wide
        $c3 = "ping -n 3 127.0.0.1 & copy /Y" ascii wide
        $g1 = "get_OSFullName"
        $g2 = "get_OSVersion"
        $g3 = "get_Parent"
        $g4 = "get_Position"
        $g5 = "get_PrimaryScreen"
        $g6 = "get_Registry"
        $g7 = "get_ServicePack"
        $g8 = "get_UserName"
        $g9 = "get_Width"
        $g10 = "get_Default"
    condition:
        any of ($c*) or 6 of ($g*)
}
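As an added example (not code from the post), the same workflow in Python: the cross-sample string count behind the one-liner, extended to pick up the UTF-16LE strings that plain `strings` misses unless run with `-el`, and an evaluation of the rule's condition showing why the command strings need `ascii wide`. The sample bytes are constructed stand-ins, not real njRAT files.

```python
import re
from collections import Counter

# The rule's strings, copied from the post.
C = ["cmd.exe /k ping 0 & del ", "cmd.exe /c ping 0 -n 2 & del",
     "ping -n 3 127.0.0.1 & copy /Y"]
G = ["get_OSFullName", "get_OSVersion", "get_Parent", "get_Position",
     "get_PrimaryScreen", "get_Registry", "get_ServicePack", "get_UserName",
     "get_Width", "get_Default"]

def narrow(s): return s.encode("ascii")      # what YARA's `ascii` modifier matches
def wide(s): return s.encode("utf-16-le")    # what YARA's `wide` modifier matches

# Constructed stand-ins for the samples, not real njRAT files: a stub header, one
# command string in either encoding, then NUL-separated method names (assumed layout).
SAMPLES = {
    "a.exe": b"MZ\x90\x00" + wide(C[0]) + b"\x00\x00" + b"\x00".join(map(narrow, G[:7])) + b"\x00",
    "b.exe": b"MZ\x90\x00" + narrow(C[1]) + b"\x00" + b"\x00".join(map(narrow, G[:2])) + b"\x00",
    "c.exe": b"MZ\x90\x00" + wide("Hello World") + b"\x00\x00" + b"\x00".join(map(narrow, G[4:])) + b"\x00",
    "benign.exe": b"MZ\x90\x00" + wide("Hello World") + b"\x00\x00" + b"\x00".join(map(narrow, G[5:])) + b"\x00",
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def extract_strings(data):
    """Printable runs of 4+ chars like `strings`, plus the UTF-16LE runs that
    plain `strings` only reports with -el (where .NET keeps its user strings)."""
    found = {m.group().decode("ascii") for m in ASCII_RE.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)}
    return found

def common_strings(samples, min_samples=2):
    """For each string, the number of samples containing it: the one-liner's
    per-file `sort | uniq` followed by the global `uniq -c`."""
    counts = Counter()
    for data in samples.values():
        counts.update(extract_strings(data))  # a set, so each file counts once
    return {s: n for s, n in counts.items() if n >= min_samples}

def matches_njrat_rule(data):
    """The post's condition, `any of ($c*) or 6 of ($g*)`: $c strings carry
    `ascii wide`, so either encoding hits; $g strings are ascii-only."""
    any_c = any(narrow(c) in data or wide(c) in data for c in C)
    g_hits = sum(narrow(g) in data for g in G)
    return any_c or g_hits >= 6

if __name__ == "__main__":
    print(common_strings(SAMPLES))   # "Hello World" ranks too: frequency alone needs triage
    print({n: matches_njrat_rule(d) for n, d in SAMPLES.items()})
```

Strings shared by many samples are candidates, not signatures: the frequency list also surfaces benign runtime strings, so the final rule strings still need to be picked by hand as the post does.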