MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0cbfb6577e081e6c10a8da3b73df29b9ed2482ca7fb68993fa91b4a084ea9fea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 8



SHA256 hash: 0cbfb6577e081e6c10a8da3b73df29b9ed2482ca7fb68993fa91b4a084ea9fea
SHA3-384 hash: 3106d4d9571c78b9ea8434509958c746cafa7e31bf46294e4ff5398b4b9685c4cfdf4f01ec4e1bfbbccdb948810169fd
SHA1 hash: c7afddd53c2b35eb905e8e197a9b6dcf3e4c43fc
MD5 hash: 754e5826ad8389170fe886a16d876244
humanhash: green-ink-gee-indigo
File name: MSTeams_370.msi
Signature: njrat
File size: 20'445'184 bytes
First seen: 2026-03-31 14:30:29 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 393216:tEc1YrJGnkEqYcCEKr11VS+EekWbZPKR+0G0MHpdlkiIWRlY3gHHXIiTSiKjYs:tEW0JGkEqfCxhb1EVCR4I1Hp8infY0VW
TLSH: T17927331284DECF3AF307C9FF684227AE51D536325F29A2709262F68594CF62954E13CB
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: bb-kgdhjc-com CHN Gh0stRAT msi


iamaachum
https://teams-app.com.cn/ => https://lek3jjdne.x98665.com/Teams12.5.zip

C2: bb.kgdhjc.com (154.218.3.136:22)

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 41
Origin country: ES
Vendor Threat Intelligence

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug expired-cert fingerprint lolbin packed update wix

Verdict: Clean
File type: msi
First seen: 2026-03-31T22:35:00Z UTC
Last seen: 2026-04-01T08:18:00Z UTC
Hits: ~10
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100

Signatures
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect virtual machines
Creates an undocumented autostart registry key
Creates files in the system32 config directory
Drops PE files to the document folder of the user
Hijacks the control flow in another process
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
PE file contains section with special chars
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Behaviour
Behavior Graph ID: 1891515
Sample: MSTeams_370.msi
Start date: 31/03/2026
Architecture: WINDOWS
Score: 100

Behavior graph (process tree as rendered in the sandbox graph; indented entries are child processes, dropped files and contacted hosts of the entry above them):

Root signatures: Multi AV Scanner detection for dropped file; PE file contains section with special chars; Uses schtasks.exe or at.exe to add and modify task schedules; 3 other signatures

msiexec.exe
    dropped: C:\Users\user\AppData\...\nzCVHfbF.exe (PE32); C:\Users\user\AppData\...\VhVGfIdJOQ.exe (PE32)
    VhVGfIdJOQ.exe (Multi AV Scanner detection for dropped file)
        dropped: C:\Users\user\AppData\...\VhVGfIdJOQ.tmp (PE32)
        VhVGfIdJOQ.tmp (Drops PE files to the document folder of the user)
            dropped: C:\Users\user\Documents\...\wi.Gh (copy) (PE32+); C:\Users\user\Documents\...\is-TJSN3.tmp (PE32+); C:\Users\user\Documents\...\is-4AP67.tmp (PE32+); 2 other files (1 malicious)
            PMlRF.exe (Adds a directory exclusion to Windows Defender; Maps a DLL or memory area into another process)
                elevation_service.exe (Creates an undocumented autostart registry key; Hijacks the control flow in another process; Writes to foreign memory regions; 2 other signatures)
                    sihost.exe, injected (Unusual module load detection (module proxying)); contacts 154.218.3.133 BILLY-AS-APAntboxNetworkCN Seychelles
                    netsh.exe (Creates files in the system32 config directory); starts conhost.exe
                    cmd.exe; starts conhost.exe, icacls.exe, icacls.exe
                    4 other processes; start conhost.exe, conhost.exe; contact 192.168.2.1, 192.168.2.16
                powershell.exe (Loading BitLocker PowerShell Module); starts conhost.exe
            powershell.exe (Loading BitLocker PowerShell Module); starts conhost.exe
            powershell.exe; starts conhost.exe
    nzCVHfbF.exe (Contains functionality to detect virtual machines)
svchost.exe (Changes security center settings (notifications, updates, antivirus, firewall))
    MpCmdRun.exe; starts conhost.exe
svchost.exe (Unusual module load detection (module proxying)); contacts 23.9.183.29 AKAMAI-ASUS United States, 127.0.0.1
9 other processes
    dropped: C:\Users\user\AppData\Local\...\Update.exe (PE32)
    Update.exe; contacts 23.221.242.10 TISCALI-IT United States, 13.89.179.10 MICROSOFT-CORP-MSN-AS-BLOCKUS United States, 4 other IPs or domains
Verdict: malicious
Label(s): shellcode_loader_008
Similar samples:

Result
Malware family: n/a
Score: 7/10
Tags: discovery execution installer persistence privilege_escalation ransomware

Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Inno Setup is an open-source installation builder for Windows applications.
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: njrat
File type: Microsoft Software Installer (MSI) msi
SHA256: 0cbfb6577e081e6c10a8da3b73df29b9ed2482ca7fb68993fa91b4a084ea9fea (this sample)
