MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 071085dd2b88ccbad112b380f7e51fbd34589c8e3a9266ff19f069b38e6175f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 20

Intelligence 20 IOCs 1 YARA 5 File information Comments

SHA256 hash:	071085dd2b88ccbad112b380f7e51fbd34589c8e3a9266ff19f069b38e6175f6
SHA3-384 hash:	142fc186c6d2ff1cde407780fd8db2636037ca33fa2ca64f2e73365334b2bdc320974074afe9cb31ae602b0cb5c75269
SHA1 hash:	921b0cce9f878cd8af8256e6f5b84c6620357ae6
MD5 hash:	0467650c72da1dfc80b08adae4ae7203
humanhash:	nevada-equal-freddie-hotel
File name:	Xeno.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	110'592 bytes
First seen:	2025-08-17 18:30:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8fa3bfbee376a470d7a9d5794558993e (1 x DarkComet, 1 x Mercurial, 1 x AveMariaRAT)
ssdeep	1536:jhl5yjdKZSYdELb3LuUZB30Dv/qvcE0YqaiDrESnAOSJI/cTbCFpzapX17s1xR:dXjbqLb3KUH30bqvPqabve/VpOVs1n
TLSH	T1CDB312CB993BAEDAC3B0807A1AEBCF3160EF3149D7F10596D892B61EDE210251F57251
TrID	30.6% (.EXE) UPX compressed Win32 Executable (27066/9/6) 30.0% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 11.9% (.EXE) Win64 Executable (generic) (10522/11/4) 7.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 5.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
154.194.35.243:6677

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
154.194.35.243:6677	https://threatfox.abuse.ch/ioc/1570486/

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

Vendor Threat Intelligence

Malware family:

njrat

ID:

File name:

Xeno.exe

Verdict:

Malicious activity

Analysis date:

2025-08-17 15:58:01 UTC

Tags:

njrat rat bladabindi

Link:

https://app.any.run/tasks/ceb144a1-4032-45dd-9b00-b87e368d4177

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/21862/

Detection(s):

Win.Tool.Binder-6750589-0

Sanesecurity.Malware.28946.BadP.UNOFFICIAL

SecuriteInfo.com.Malware.PDB-1846.UNOFFICIAL

Win.Dropper.njRAT-10015886-0

Win.Dropper.Nanocore-10030076-0

Win.Trojan.Generic-6417450-0

Win.Trojan.Generic-6454614-0

Win.Trojan.Generic-6454615-0

Win.Trojan.Bladabindi-6192388-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a1fc088fd55a79c5287b2d

Tags:

bladabindi njrat

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a process from a recently created file

Launching a process

Searching for synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm cmd dllhost dotnet explorer hacktool lolbin microsoft_visual_cc njrat njrat overlay overlay packed packed packed rat rundll32 schtasks upx windows zero

Link:

https://www.filescan.io/uploads/68a21fe4419c816a6e899d07/reports/1eca6494-c4ec-4965-b30f-1191540b9a7b/overview

Verdict:

Malicious

Labled as:

Ransom.DarkyLock.Generic

Link:

https://www.hybrid-analysis.com/sample/071085dd2b88ccbad112b380f7e51fbd34589c8e3a9266ff19f069b38e6175f6

Malware family:

njRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6cc0dc21-f7ae-4994-8b67-7545fe3b235e

Result

Threat name:

Binder HackTool, Njrat

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1758892

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to log keystrokes (.Net Source)

Disables zone checking for all users

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Binder HackTool

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Score:

93%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/071085dd2b88ccbad112b380f7e51fbd34589c8e3a9266ff19f069b38e6175f6

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/0467650c72da1dfc80b08adae4ae7203

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/071085dd2b88ccbad112b380f7e51fbd34589c8e3a9266ff19f069b38e6175f6/

Verdict:

Malicious

Threat:

Family.NJRAT

Link:

https://tip.neiki.dev/file/071085dd2b88ccbad112b380f7e51fbd34589c8e3a9266ff19f069b38e6175f6

Threat name:

Win32.Ransomware.DarkyLock

Status:

Malicious

First seen:

2025-08-17 15:58:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=a4iilxjlrdglvuiswoappzi7xu2frheohkjgn7yz6bu3hdtbox3a._file

Verdict:

malicious

Label(s):

njrat

Similar samples:

error

njrat

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat discovery trojan upx

Link:

https://tria.ge/reports/250817-w5zz3sgq9s/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

UPX packed file

Checks computer location settings

Executes dropped EXE

Njrat family

njRAT/Bladabindi

Verdict:

Malicious

Tags:

Win.Tool.Binder-6750589-0

YARA:

n/a

Link:

https://app.threat.zone/submission/877e2104-1668-4765-bceb-578b94401efc

Unpacked files

SH256 hash:

071085dd2b88ccbad112b380f7e51fbd34589c8e3a9266ff19f069b38e6175f6

MD5 hash:

0467650c72da1dfc80b08adae4ae7203

SHA1 hash:

921b0cce9f878cd8af8256e6f5b84c6620357ae6

Link:

https://www.unpac.me/results/ffb375b4-ee23-4d20-a953-8b6e8a2f32e1/

SH256 hash:

82360abdcc1261ad9690add4b2d2ffec869abfc23be859444b10c92fbdb58714

MD5 hash:

68667234dfeb3ccb8d9366b186dc1163

SHA1 hash:

797598e878a8952d42d1e1d2b0d3e14e4bb63433

Link:

https://www.unpac.me/results/ffb375b4-ee23-4d20-a953-8b6e8a2f32e1/

SH256 hash:

b51fb7d1e141e383f12343610d354398658c78b23c7deb26e36a6bd2921275e6

MD5 hash:

39084819e084fba2908c1084aa172a7b

SHA1 hash:

046080d2aca4fe21db4b247621af5222f22790d1

Detections:

win_njrat_w1

NjRat

Malware_QA_update

Njrat

INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

MALWARE_Win_NjRAT

MALWARE_Win_CelestyBinderLoader

Link:

https://www.unpac.me/results/ffb375b4-ee23-4d20-a953-8b6e8a2f32e1/

SH256 hash:

585f182fccf58a52584664fd66c58c080951f9deef4bed4fd772226e8f524ec8

MD5 hash:

83b3e47f5dab95b828610a96917e2c9f

SHA1 hash:

74dd7a20b6aecbf9df11c2d6fe9f13b5bd57f429

Detections:

win_njrat_w1

NjRat

MAL_Winnti_Sample_May18_1

CN_disclosed_20180208_c

Unknown_Malware_Sample_Jul17_2

Njrat

INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

MALWARE_Win_NjRAT

Link:

https://www.unpac.me/results/ffb375b4-ee23-4d20-a953-8b6e8a2f32e1/

Parent samples :

c6fedce36ff816688c229ee0436a1d17cd209ef8d808c229e95b438316f5327a
585f182fccf58a52584664fd66c58c080951f9deef4bed4fd772226e8f524ec8
071085dd2b88ccbad112b380f7e51fbd34589c8e3a9266ff19f069b38e6175f6

Malware family:

RevengeRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/071085dd2b88/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/071085dd2b88ccbad112b380f7e51fbd34589c8e3a9266ff19f069b38e6175f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	UPX290LZMAMarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	upx_3 Create hunting rule
Author:	Kevin Falcoz
Description:	UPX 3.X

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21862/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample