MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 15

Intelligence 15 IOCs YARA 20 File information Comments

SHA256 hash:	0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c
SHA3-384 hash:	6c08a0802dda4a3146081688e059753b822085ded10a0bc638180c09920e17c20b5231c12328c9b2098605807f01dc0c
SHA1 hash:	bd0d5af1ce9397bfd45fb70f6a7d22766ce8fde1
MD5 hash:	b24e5c03d3ee5aa07a4356b188ca08b5
humanhash:	gee-texas-cup-april
File name:	svchost.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	589'824 bytes
First seen:	2025-11-23 09:17:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	77eb68348ee30e01ec09fce3582c5f76 (19 x Simda, 2 x njrat, 2 x LummaStealer)
ssdeep	12288:vsjCF2QZiOU+4zX7wM45QygROD22O3ZGdZK:vOC39Uv7V4WnROD22cqK
TLSH	T1CDC4D04AFB4381B0E8090837146AA77B1630AE174729CEC7E7C0FB58B977BD2757A605
TrID	52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.5% (.EXE) Win64 Executable (generic) (10522/11/4) 4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	Hexastrike
Tags:	exe NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/40108/

Detection(s):

Win.Packed.Generic-9795615-0

Win.Packed.Generic-9795616-0

Win.Dropper.njRAT-10015886-0

Win.Dropper.Nanocore-10030076-0

Win.Trojan.Generic-6417450-0

Win.Trojan.Generic-6454614-0

Win.Trojan.Generic-6454615-0

Win.Trojan.B-468

Win.Trojan.Bladabindi-6192388-0

Win.Packed.Bladabindi-6917466-0

TwinWave.EvilDoc.PKILLDropboxMacroDirectDownload.20220331.UNOFFICIAL

MiscreantPunch.EvilMacro.PVDISABLE.170819.UNOFFICIAL

TwinWave.EvilDoc.PolicyKillOnlyHappyWhenItRains.20210704.UNOFFICIAL

TwinWave.EvilDoc.HanciInterruptMyDayHandler.20210721.UNOFFICIAL

Win.Trojan.Ratenjay-1

Win.Trojan.Shiz-2273

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6922d2a2140de26f6c2c8762

Tags:

bladabindi emotet njrat shiz

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Windows subdirectories

Creating a process from a recently created file

DNS request

Connection attempt

Sending a custom TCP request

Moving of the original file

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 cmd config-extracted fingerprint installer-heuristic keylogger lolbin netsh njrat njrat overlay overlay packed packed rat reconnaissance

Link:

https://www.filescan.io/uploads/6922d202f96b58f0dc80aebc/reports/e20b6c8c-b7a8-4e34-832e-9bf6a8d00ab4/overview

Verdict:

Malicious

Labled as:

Trojan.Shiz

Link:

https://www.hybrid-analysis.com/sample/0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c

Result

Gathering data

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c

Verdict:

Lumma Stealer

YARA:

9 match(es)

Tags:

.Net Executable Lumma Stealer PE (Portable Executable) PE File Layout Stealer Win 32 Exe x86

Link:

https://app.malva.re/file/b24e5c03d3ee5aa07a4356b188ca08b5

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c/

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-11-23 08:08:51 UTC

AV detection:

34 of 38 (89.47%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=bpkxjuhao2mcmzpc4dy54zt5rywefvnkadyd54ig5lxvvad3fgga._file

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat discovery persistence trojan

Link:

https://tria.ge/reports/251123-lbbqaaxqcp/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Windows directory

Modifies WinLogon

Executes dropped EXE

Modifies WinLogon for persistence

Njrat family

njRAT/Bladabindi

Verdict:

Malicious

Tags:

rat njrat Win.Packed.Generic-9795615-0

YARA:

malware_Njrat_strings Windows_Trojan_Njrat_30f3c220 MAL_Njrat MALWARE_Win_NjRAT JPCERTCC_Njrat

Link:

https://app.threat.zone/submission/888d7ec1-0142-4c98-abea-74136944d6cf

Unpacked files

SH256 hash:

5ae0be1705c13442a3c6c7147b29c510ba0bc8700efbe7f4cdc16a92f55353a1

MD5 hash:

4d08b3bd3f85cd71c54d69cefed0bed6

SHA1 hash:

a93dc58b7c40a3b2701f91d5daff7146277fc894

Detections:

win_njrat_g1

win_njrat_w1

NjRat

CN_disclosed_20180208_c

Njrat

win_njrat_bytecodes_oct_2023

win_njrat_strings_oct_2023

MALWARE_Win_NjRAT

Link:

https://www.unpac.me/results/5d600032-c591-439b-b484-f9e1148d3e44/

Parent samples :

06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1
5ae0be1705c13442a3c6c7147b29c510ba0bc8700efbe7f4cdc16a92f55353a1
0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c
0ff2942601a42220b5dc6efd49f1cb98f51fd5028e73574eb76ceba501092536
525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0
c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0

SH256 hash:

0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c

MD5 hash:

b24e5c03d3ee5aa07a4356b188ca08b5

SHA1 hash:

bd0d5af1ce9397bfd45fb70f6a7d22766ce8fde1

Detections:

win_njrat_g1

win_njrat_w1

win_lumma_auto

NjRat

Link:

https://www.unpac.me/results/5d600032-c591-439b-b484-f9e1148d3e44/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_Enable_OfficeMacro Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing Office macro registry keys. Observed modifying Office configurations via the registy to enable macros

Rule name:	Lumma Create hunting rule
Author:	kevoreilly
Description:	Lumma Payload

Rule name:	malware_Njrat_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi / NjRAT Golden

Rule name:	MAL_njrat Create hunting rule
Author:	SECUINFRA Falcon Team

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	Skystars_LightDefender_Njrat_Rule Create hunting rule
Author:	Skystars LightDefender
Description:	Detects Njrat

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	Windows_Trojan_Lumma_4ad749b0 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule
Author:	Elastic Security

Rule name:	win_lumma_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lumma.

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40108/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample