MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 20

Intelligence 20 IOCs 1 YARA 5 File information Comments

SHA256 hash:	14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab
SHA3-384 hash:	76424bb16cbf2639784676a3a85aea46faef8e308481a219232c71c9f01d1f41162bbb83b3309779d93bc90c8085c051
SHA1 hash:	9fcd97a8cd128ef24b7aa34f1ae1a373d36f7d91
MD5 hash:	19a52d1da3f6de7ad3b3fa45e3821322
humanhash:	single-bluebird-two-potato
File name:	Miydmtsceamiauw.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	1'695'232 bytes
First seen:	2025-10-14 05:10:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1592b57a4a7b48e16d50f0c0457d8659 (5 x RemcosRAT, 2 x DBatLoader, 2 x a310Logger)
ssdeep	24576:jyZjz/z+PGdYprdp+eQPZNtA4vAOMgbIPZNtA4vAOMgbIEL:j6agpVPDCIAOnIPDCIAOnI
TLSH	T11975D022B2D6453ED02B1A7D4C6BDBCE246D7E241E14644E7AEDBA083F3D6C23497076
TrID	64.2% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 16.2% (.EXE) Win64 Executable (generic) (10522/11/4) 6.9% (.EXE) Win32 Executable (generic) (4504/4/1) 3.2% (.EXE) Win16/32 Executable Delphi generic (2072/23) 3.1% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
196.251.88.235:50084

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
196.251.88.235:50084	https://threatfox.abuse.ch/ioc/1613365/

Intelligence

File Origin

# of uploads :

# of downloads :

185

Origin country :

Vendor Threat Intelligence

Malware family:

njrat

ID:

File name:

Miydmtsceamiauw.exe

Verdict:

Malicious activity

Analysis date:

2025-10-14 05:11:52 UTC

Tags:

delphi auto-sch rat njrat bladabindi

Link:

https://app.any.run/tasks/6c9f89b2-9260-45d7-b05a-34c229820a13

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/32611/

Detection(s):

no reply from clamd

Verdict:

Malicious

Score:

97.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68eddb6904e22ce9acd9c1ad

Tags:

delphi emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Creating a file

Launching a process

Creating a process with a hidden window

Searching for synchronization primitives

Moving of the original file

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-debug borland_delphi fingerprint keylogger overlay overlay packed redcap zero

Link:

https://www.filescan.io/uploads/68eddb5f71883144ef3598b6/reports/2821aaf7-9f53-41a6-95e8-0a3055ff8f4d/overview

Verdict:

Malicious

Labled as:

TrojanDownloader.ModiLoader_AGen

Link:

https://www.hybrid-analysis.com/sample/14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-10-13T04:34:00Z UTC

Last seen:

2025-10-15T14:44:00Z UTC

Hits:

~100

Detections:

Backdoor.Bladabindi.TCP.C&C Backdoor.Agent.TCP.C&C Trojan.Win32.Shellcode.sb HEUR:Trojan.Win32.DelfInject.gen PDM:Trojan.Win32.Generic

Link:

https://opentip.kaspersky.com/14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab/results?tab=lookup

Malware family:

ModiLoader

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/56632045-b4d6-42c4-98af-5f127aa450a7

Result

Threat name:

DBatLoader, Njrat

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1794461

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates many large memory junks

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to log keystrokes (.Net Source)

Early bird code injection technique detected

Found malware configuration

Joe Sandbox ML detected suspicious sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queues an APC in another process (thread injection)

Sigma detected: Execution from Suspicious Folder

Sigma detected: Suspicious Creation with Colorcpl

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected DBatLoader

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/19a52d1da3f6de7ad3b3fa45e3821322

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab/

Verdict:

Malicious

Threat:

Family.NJRAT

Link:

https://tip.neiki.dev/file/14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab

Threat name:

Win32.Trojan.DBatLoader

Status:

Malicious

First seen:

2025-10-14 03:57:53 UTC

AV detection:

22 of 38 (57.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=crauezczhz42wde4gezzr6qv7tvxmnqw427kbiod5po7fiixvcvq._file

Verdict:

malicious

Label(s):

dbatloader

Similar samples:

error

njrat

Result

Malware family:

modiloader

Score:

10/10

Tags:

family:modiloader discovery execution persistence trojan

Link:

https://tria.ge/reports/251014-ft5hesel7x/

Behaviour

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

ModiLoader Second Stage

ModiLoader, DBatLoader

Modiloader family

Verdict:

Malicious

Tags:

njrat Bladabindi

YARA:

n/a

Link:

https://app.threat.zone/submission/4f385ffe-aee4-4315-a51e-71ed19549497

Unpacked files

SH256 hash:

14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab

MD5 hash:

19a52d1da3f6de7ad3b3fa45e3821322

SHA1 hash:

9fcd97a8cd128ef24b7aa34f1ae1a373d36f7d91

Link:

https://www.unpac.me/results/b0850af6-81b4-4665-a140-56ad3a1bce88/

SH256 hash:

7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

MD5 hash:

c116d3604ceafe7057d77ff27552c215

SHA1 hash:

452b14432fb5758b46f2897aeccd89f7c82a727d

Link:

https://www.unpac.me/results/b0850af6-81b4-4665-a140-56ad3a1bce88/

SH256 hash:

3e9fedb9328eb488c37b1c4e80a7fe38e93ceb26a345a22c3f0bdd33dab658ff

MD5 hash:

8be2550629388c6ff99b18e2ca6a4c40

SHA1 hash:

f558f5dbb846720fb32376453739670e8498f099

Detections:

Typical_Malware_String_Transforms

Link:

https://www.unpac.me/results/b0850af6-81b4-4665-a140-56ad3a1bce88/

Parent samples :

f8d8e8cefdddc14bd1efd94853b1259109f35811f51082dfd33cb275f87ddb23
14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab
a09e35a027bd67de817db93775499f961dce2cb86775a633d8c37c36f08318a9
24797e25716cbf6769a7437f693e9570e8cabfad8fcbe1c54b46b3c638cc6fd6
abe5a2957e1f2b45fbb5a6ab326e7c5b736014537eeab13a436ed033fa5ca532
a56471a8ae7e25b0114659b58771838d0f1dbeb4e1f0e562cc50202372fd3273

Malware family:

DonutLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/14414264593e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/14414264593e79ab0c9c313398fa15fceb763616e6bea0a1c3ebddf2a117a8ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32611/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample