MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03a4caccc4cfc4dc5e3b37cdcd2f9bf61779a8ab79c38be7269d88bbdea1b212. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 12

Intelligence 12 IOCs YARA 1 File information Comments

SHA256 hash:	03a4caccc4cfc4dc5e3b37cdcd2f9bf61779a8ab79c38be7269d88bbdea1b212
SHA3-384 hash:	e36140a88d44d94700fb7ef3952c8daa5cf01d0aca9be240439a7f926905b0be8a43c4c288ac4da9f4b6b299a8ef7c4b
SHA1 hash:	916ea20e0329b1a49d189a0763ff20d5578dca2a
MD5 hash:	a401f00b0379d40422af15b96bdd8d04
humanhash:	potato-bacon-robin-grey
File name:	q_generated_script.bat
Download:	download sample
File size:	10'600 bytes
First seen:	2025-10-23 21:27:51 UTC
Last seen:	Never
File type:	bat
MIME type:	text/x-msdos-batch
ssdeep	192:aASWIB+tWXbbVT5bH/BnIprUKhySceh8pzSV4Pc4xmKgiJ5Th0vpvqAWCnBdCFkz:BLIB+tET57p6RhSpGoc4sKgiJ5Th0BCu
Threatray	951 similar samples on MalwareBazaar
TLSH	T1E02242BDC5E0FCC0874B32E4BA89EAD1219B9703ADAF5A58F58814F50B54255EBBD08C
Magika	batch
Reporter	01Xyris
Tags:	bat exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

njrat

ID:

File name:

q_generated_script.bat

Verdict:

Malicious activity

Analysis date:

2025-10-23 21:39:39 UTC

Tags:

github payload loader reverseloader ta558 apt stegocampaign rat njrat bladabindi susp-powershell

Link:

https://app.any.run/tasks/eea55f75-d6d7-43ba-920c-8ab743cbf1a7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/33966/

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68fa9e163bdc93eb0563a0d1

Tags:

obfuscate xtreme shell

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Сreating synchronization primitives

DNS request

Connection attempt

Sending a custom TCP request

Creating a window

Setting a single autorun event

Launching the process to change the firewall settings

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

similar-threat

Link:

https://www.filescan.io/uploads/68fa9e4f11ff3db29f675ad5/reports/39f54073-59d8-4468-a04c-032f03b78fc0/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/03a4caccc4cfc4dc5e3b37cdcd2f9bf61779a8ab79c38be7269d88bbdea1b212

Verdict:

Malicious

File Type:

unix shell

First seen:

2025-10-23T19:52:00Z UTC

Last seen:

2025-10-23T21:13:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/03a4caccc4cfc4dc5e3b37cdcd2f9bf61779a8ab79c38be7269d88bbdea1b212/results?tab=lookup

Score:

97%

Verdict:

Malware

File Type:

SCRIPT

Link:

https://malprob.io/report/03a4caccc4cfc4dc5e3b37cdcd2f9bf61779a8ab79c38be7269d88bbdea1b212

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03a4caccc4cfc4dc5e3b37cdcd2f9bf61779a8ab79c38be7269d88bbdea1b212/

Threat name:

Win32.Trojan.Generic

Status:

Suspicious

First seen:

2025-10-23 21:29:34 UTC

File Type:

Text (Batch)

AV detection:

4 of 24 (16.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=aosmvtgez7cnyxr3g7g42l436ylxtkflphbyxzzgtwelxxvbwija._file

Verdict:

malicious

Label(s):

njrat

073f19c57b7df3868b83c3648938b52b94878bc4e00d9eaf0c0074a338cd510a

6385ba95a2f179fac688bc5524caebdd20de2fdd3ddbbc531351f8db1965660c

6963136965cd4a8cab567d7dc4435484e5a390946d3bb811878ce91f78ddc15c

6e031bc082fb7a6b0a975f835d040d9f0ca918fd0d79c0c899369315e6824599

7f0f163959167b201b99ebe9695944e5b9c3ac7536fc84023aac565b0c21d3d4

ab9cfb220debabf3b0789611d45cd86104f9b0b8d941fca0689b6c11ae26fc45

ee9f38c9868efd78d92285557e33e7fc10af0d062a7c3595e9d60056daca40b2

error

f340b73cc89e25e6726a019b3e79c0b491b69b0c54ae3f02ba062879c48253df

+ 941 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

defense_evasion discovery execution persistence privilege_escalation

Link:

https://tria.ge/reports/251023-1b3lbsbj9s/

Behaviour

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Badlisted process makes network request

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/03a4caccc4cfc4dc5e3b37cdcd2f9bf61779a8ab79c38be7269d88bbdea1b212

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/33966/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample