MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 16

Intelligence 16 IOCs YARA 17 File information Comments

SHA256 hash:	c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0
SHA3-384 hash:	2d179c25eac33e53f373cfc21a321f8c79ec464bfa817fc5d719dcfffc548155df4a1d991849bbbd5a5acfe2eb81f3d7
SHA1 hash:	0cd853afa596176416839edd4b739af98aa6f7ad
MD5 hash:	509e24b5c3cf7e8309e9a3ede717ebcf
humanhash:	georgia-apart-foxtrot-mango
File name:	svchost.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	458'752 bytes
First seen:	2025-11-23 09:30:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	77eb68348ee30e01ec09fce3582c5f76 (19 x Simda, 2 x njrat, 2 x LummaStealer)
ssdeep	6144:hD8okEvTyoZVOgd2QZiw5NLclL5orfQHCigulUqa1M+9klvLcWUiYdiGs/ROvwX/:psjCF2QZiOU+4zX7wM45QygROD2t
Threatray	46 similar samples on MalwareBazaar
TLSH	T144A4F146FB039174D8590A3308AAB7762730AD064B01DFDBE580F75D7C777C2BA2A968
TrID	52.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 22.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 7.5% (.EXE) Win64 Executable (generic) (10522/11/4) 4.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	Hexastrike
Tags:	exe NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/40852/

Detection(s):

Win.Packed.Generic-9795615-0

Win.Packed.Generic-9795616-0

Win.Dropper.njRAT-10015886-0

Win.Dropper.Nanocore-10030076-0

Win.Trojan.Generic-6417450-0

Win.Trojan.Generic-6454614-0

Win.Trojan.Generic-6454615-0

Win.Trojan.B-468

Win.Trojan.Bladabindi-6192388-0

Win.Packed.Bladabindi-6917466-0

TwinWave.EvilDoc.PKILLDropboxMacroDirectDownload.20220331.UNOFFICIAL

MiscreantPunch.EvilMacro.PVDISABLE.170819.UNOFFICIAL

TwinWave.EvilDoc.PolicyKillOnlyHappyWhenItRains.20210704.UNOFFICIAL

TwinWave.EvilDoc.HanciInterruptMyDayHandler.20210721.UNOFFICIAL

Win.Trojan.Ratenjay-1

Win.Trojan.Shiz-2273

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for synchronization primitives

Creating a file in the Windows subdirectories

Creating a process from a recently created file

DNS request

Connection attempt

Moving of the original file

Enabling autorun

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

base64 cmd config-extracted fingerprint installer-heuristic keylogger lolbin netsh njrat njrat overlay overlay packed packed rat reconnaissance

Link:

https://www.filescan.io/uploads/6922e04df96b58f0dc80b773/reports/602086fb-e00a-440d-b5d0-5e17f8c62594/overview

Verdict:

Malicious

Labled as:

Trojan.Shiz

Link:

https://www.hybrid-analysis.com/sample/c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0

Result

Gathering data

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0

Verdict:

Lumma Stealer

YARA:

9 match(es)

Tags:

.Net Executable Lumma Stealer PE (Portable Executable) PE File Layout Stealer Win 32 Exe x86

Link:

https://app.malva.re/file/509e24b5c3cf7e8309e9a3ede717ebcf

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0/

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-11-21 08:02:45 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

32 of 36 (88.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y6k4mpqw7umaumgzaq4g3rfzyozbbvuzirfavj4pjn4v5frin6ya._file

Verdict:

malicious

Label(s):

simda

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat discovery persistence

Link:

https://tria.ge/reports/251123-mebecseq6t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Drops file in Windows directory

Modifies WinLogon

Executes dropped EXE

Modifies WinLogon for persistence

Verdict:

Malicious

Tags:

rat njrat Win.Packed.Generic-9795615-0

YARA:

malware_Njrat_strings Windows_Trojan_Njrat_30f3c220 MAL_Njrat MALWARE_Win_NjRAT JPCERTCC_Njrat

Link:

https://app.threat.zone/submission/f0b66655-db68-4b6b-8af2-a2149ac2a972

Unpacked files

SH256 hash:

c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0

MD5 hash:

509e24b5c3cf7e8309e9a3ede717ebcf

SHA1 hash:

0cd853afa596176416839edd4b739af98aa6f7ad

Detections:

win_njrat_g1

win_njrat_w1

win_lumma_auto

NjRat

Link:

https://www.unpac.me/results/10bb621b-4e48-48a7-9e80-ecfaa976a89e/

SH256 hash:

5ae0be1705c13442a3c6c7147b29c510ba0bc8700efbe7f4cdc16a92f55353a1

MD5 hash:

4d08b3bd3f85cd71c54d69cefed0bed6

SHA1 hash:

a93dc58b7c40a3b2701f91d5daff7146277fc894

Detections:

win_njrat_g1

win_njrat_w1

NjRat

CN_disclosed_20180208_c

Njrat

win_njrat_bytecodes_oct_2023

win_njrat_strings_oct_2023

MALWARE_Win_NjRAT

Link:

https://www.unpac.me/results/10bb621b-4e48-48a7-9e80-ecfaa976a89e/

Parent samples :

06f4279804935c916eeb2599cdae6feab8d58551cfeda1dc912d9a2b9f9ba9a1
5ae0be1705c13442a3c6c7147b29c510ba0bc8700efbe7f4cdc16a92f55353a1
0bd574d0e076982665e2e0f1de667d8e2c42d5aa00f03ef106eaef5a807b298c
0ff2942601a42220b5dc6efd49f1cb98f51fd5028e73574eb76ceba501092536
525a2f6a266dcf0dd08ef95cbbeb062bb3d04ea07ebd0da0edf17b7be4ba95c0
c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0

Malware family:

Shifu

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c795c63e16fd/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c795c63e16fd180a30d904386dc4b9c3b210d699444a0aa78f4b795e96286fb0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	INDICATOR_SUSPICIOUS_EXE_Enable_OfficeMacro Create hunting rule
Author:	ditekSHen
Description:	Detects Windows executables referencing Office macro registry keys. Observed modifying Office configurations via the registy to enable macros

Rule name:	malware_Njrat_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi / NjRAT Golden

Rule name:	MAL_njrat Create hunting rule
Author:	SECUINFRA Falcon Team

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Skystars_LightDefender_Njrat_Rule Create hunting rule
Author:	Skystars LightDefender
Description:	Detects Njrat

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	Windows_Trojan_Lumma_4ad749b0 Create hunting rule
Author:	Elastic Security

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule
Author:	Elastic Security

Rule name:	win_lumma_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	Detects win.lumma.

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/40852/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample