MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 269c04323cbd684de4b0edbb85cba6288444b24348476272ef9d0b167b7debeb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 18


Intelligence 18 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 269c04323cbd684de4b0edbb85cba6288444b24348476272ef9d0b167b7debeb
SHA3-384 hash: fbab50a3c17bb4f949f938e5625303474c01219d28c495d5d1c17f4acbaa52139a82df7a8ba1b4327085f1985dc47417
SHA1 hash: 669895c07ab05aa911b14bcd272ddad74638820d
MD5 hash: 52736c301d03e7424ee01157cfbcf1cc
humanhash: cola-seven-cup-jersey
File name:scan.exe
Download: download sample
Signature njrat
Create hunting rule
File size:518'384 bytes
First seen:2025-11-26 05:31:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0293eec0b5432ad092f24065016203b2 (21 x GuLoader, 9 x RemcosRAT, 6 x Formbook)
ssdeep 12288:G9p+7k5Degx+5UEebuVD2K+z75E1d67+x/:G/+9gk5s35Ed67s/
Threatray 2'310 similar samples on MalwareBazaar
TLSH T157B42377636895F3D93907B035B3B73E4EBBAE6A9E0893479390575C3D2B6C08027642
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter threatcat_ch
Tags:exe NjRAT signed

Code Signing Certificate

Organisation:Beefy
Issuer:Beefy
Algorithm:sha256WithRSAEncryption
Valid from:2025-10-05T23:26:18Z
Valid to:2026-10-05T23:26:18Z
Serial number: 0abb626882cea96b266c98e854d5732073de7db5
Thumbprint Algorithm:SHA256
Thumbprint: b7a2dcaa7e4dbe7523c41af8244b0bd5429bfdfb4b24df683c77ef8064fef1b2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
163
Origin country :
CH CH
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
scan.exe
Verdict:
Malicious activity
Analysis date:
2025-11-26 05:32:45 UTC
Tags:
rat remcos auto-reg remote
Link:
https://app.any.run/tasks/af0d0363-eabb-4a07-a85c-022f17a655ab

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/41515/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=692690de587b4206e7f2fecb
Tags:
injection virus blic
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Searching for the window
Creating a file in the %AppData% subdirectories
Creating a file
Delayed reading of the file
DNS request
Connection attempt
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole installer installer installer-heuristic microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/692690dbf5b8bc600152bdcf/reports/f02b3cef-e1c7-4d99-aba7-8c369997bbb7/overview
Verdict:
Malicious
Labled as:
Trojan/GuLoader
Link:
https://www.hybrid-analysis.com/sample/269c04323cbd684de4b0edbb85cba6288444b24348476272ef9d0b167b7debeb
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-25T21:49:00Z UTC
Last seen:
2025-11-28T03:23:00Z UTC
Hits:
~1000
Detections:
VHO:Backdoor.Win32.Remcos.gen Trojan.Win32.GuLoader.sb HEUR:Trojan.Win32.Makoob.gen Trojan-Downloader.Win32.Minix.sb Trojan.NSIS.Makoob.sbb Trojan.NSIS.Makoob.sba HEUR:Backdoor.Win32.Remcos.gen
Link:
https://opentip.kaspersky.com/269c04323cbd684de4b0edbb85cba6288444b24348476272ef9d0b167b7debeb/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0a83982c-1742-494d-bdd4-64bc9d5677f3
Result
Threat name:
Remcos, GuLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1820959
Signature
AI detected suspicious PE digital signature
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious names
Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Unusual module load detection (module proxying)
Yara detected GuLoader
Yara detected Remcos RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1820959 Sample: scan.exe Startdate: 26/11/2025 Architecture: WINDOWS Score: 100 55 drive.usercontent.google.com 2->55 57 drive.google.com 2->57 73 Suricata IDS alerts for network traffic 2->73 75 Found malware configuration 2->75 77 Multi AV Scanner detection for submitted file 2->77 79 5 other signatures 2->79 10 scan.exe 4 69 2->10         started        14 remcos.exe 2->14         started        16 remcos.exe 2->16         started        18 remcos.exe 2->18         started        signatures3 process4 file5 49 C:\Users\user\AppData\Local\...\System.dll, PE32 10->49 dropped 87 Tries to detect virtualization through RDTSC time measurements 10->87 89 Unusual module load detection (module proxying) 10->89 91 Switches to a custom stack to bypass stack traces 10->91 20 scan.exe 2 10 10->20         started        25 scan.exe 10->25         started        51 C:\Users\user\AppData\Local\...\System.dll, PE32 14->51 dropped 27 remcos.exe 14->27         started        29 remcos.exe 14->29         started        signatures6 process7 dnsIp8 59 drive.google.com 142.251.15.113, 443, 49721, 49723 GOOGLEUS United States 20->59 61 drive.usercontent.google.com 64.233.177.132, 443, 49722, 49724 GOOGLEUS United States 20->61 45 C:\ProgramData\Remcos\remcos.exe, PE32 20->45 dropped 47 C:\ProgramData\...\remcos.exe:Zone.Identifier, ASCII 20->47 dropped 81 Detected Remcos RAT 20->81 83 Creates autostart registry keys with suspicious names 20->83 31 remcos.exe 36 20->31         started        35 scan.exe 20->35         started        file9 signatures10 process11 file12 53 C:\Users\user\AppData\Local\...\System.dll, PE32 31->53 dropped 65 Multi AV Scanner detection for dropped file 31->65 67 Tries to detect virtualization through RDTSC time measurements 31->67 69 Unusual module load detection (module proxying) 31->69 71 Switches to a custom stack to bypass stack traces 31->71 37 remcos.exe 4 7 31->37         started        41 remcos.exe 31->41         started        signatures13 process14 dnsIp15 63 91.231.222.182, 2404, 49725 VODANETInternationalIP-BackboneofVodafoneDE Russian Federation 37->63 85 Detected Remcos RAT 37->85 43 remcos.exe 37->43         started        signatures16 process17
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/269c04323cbd684de4b0edbb85cba6288444b24348476272ef9d0b167b7debeb
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/52736c301d03e7424ee01157cfbcf1cc
Detection:
remcos
Create hunting rule
Link:
https://mwdb.cert.pl/sample/269c04323cbd684de4b0edbb85cba6288444b24348476272ef9d0b167b7debeb/
Verdict:
Malicious
Threat:
Family.REMCOS
Link:
https://tip.neiki.dev/file/269c04323cbd684de4b0edbb85cba6288444b24348476272ef9d0b167b7debeb
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-26 01:05:15 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
16 of 24 (66.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e2oaimr4xvue3zfq5w5yls5gfccejmsdjbdwe4xptufrm6355pvq._file
Verdict:
malicious
Label(s):
cloudeye
Create hunting rule
Similar samples:
5c6dabfd88cc55ca9697acf98987e8d267670be9f970ce4a445c90a450c32051
njrat
83bd9f07e37c9fd55414bc9c0ded6fc63888ba912216d41a50811a819649ac7a
njrat
88147aad7aa96d552ff975e54a28a013be2a82510226daf9e5bba144912e8ac3
njrat
8d126dd8b90ef12045e9576a5b28d796c9edbe522789333572210397519ef521
njrat
a193b9010ae51ca97aaeb7a82ec5433ce8f79549cd3c1d48e4b6308fea98f449
njrat
ad34ad3229e87f609a8584bebe6a3f70721c03a575f6b5d8eb2997a23bed04de
njrat
e4b394710171888c98115ff1cc8639992a746c3313363565ca8f54b237fc4ec2
njrat
e69fd545558a7dcfa322d010a159ecbcdf6930b5e991325367aca2667949db69
njrat
error
njrat
f207a6b7ffd3ebfa17aa3fcc222ca05c96bfedee29bae160d382d903be3f9e0a
njrat
+ 2'300 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost discovery installer persistence rat
Link:
https://tria.ge/reports/251126-f8dcgsem9y/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Remcos
Remcos family
Malware Config
C2 Extraction:
91.231.222.182:2404
Verdict:
Suspicious
Tags:
loader guloader
YARA:
NSIS_GuLoader_July_2024
Link:
https://app.threat.zone/submission/f3c5829b-1d5b-47fc-befc-231c3ec413b8
Unpacked files
SH256 hash:
269c04323cbd684de4b0edbb85cba6288444b24348476272ef9d0b167b7debeb
MD5 hash:
52736c301d03e7424ee01157cfbcf1cc
SHA1 hash:
669895c07ab05aa911b14bcd272ddad74638820d
Link:
https://www.unpac.me/results/71a3f0c9-22d5-43db-8e0c-99c30dce191c/
SH256 hash:
014f1dfeb842cf7265a3644bc6903c592abe9049bfc7396829172d3d72c4d042
MD5 hash:
12b140583e3273ee1f65016becea58c4
SHA1 hash:
92df24d11797fefd2e1f8d29be9dfd67c56c1ada
Link:
https://www.unpac.me/results/71a3f0c9-22d5-43db-8e0c-99c30dce191c/
Malware family:
GuLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/269c04323cbd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/269c04323cbd684de4b0edbb85cba6288444b24348476272ef9d0b167b7debeb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ins_NSIS_Buer_Nov_2020_1
Create hunting rule
Author:Arkbird_SOLG
Description:Detect NSIS installer used for Buer loader
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

njrat

Executable exe 269c04323cbd684de4b0edbb85cba6288444b24348476272ef9d0b167b7debeb

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/41515/

Comments