MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2acb08478abe768457f22b505029f0d8fd79204543dc30b0bc7bd635c6a7dce7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 14

Intelligence 14 IOCs YARA 31 File information Comments

SHA256 hash:	2acb08478abe768457f22b505029f0d8fd79204543dc30b0bc7bd635c6a7dce7
SHA3-384 hash:	301b5001bbe0d89b4e110dd251d8a5d30bce8535f051b649f5b642f3bc08c5112962a0ede340164607aeecda10f5f327
SHA1 hash:	99c457514fe70836fee2c1734a61acb6c579baff
MD5 hash:	65aeb7eaa825e0bd836cece1d1edfae2
humanhash:	item-mobile-zebra-low
File name:	payload1dec.bin
Download:	download sample
Signature	njrat Create hunting rule
File size:	6'905'344 bytes
First seen:	2025-03-06 12:07:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
ssdeep	98304:VQVF6AKScoB0qMU1jPwQXUOLLM9nGgaYAYH03wpzb9nRCYz:VQZTcGzMAIN3DaY70CzJR3
TLSH	T1CC66CF14BAE01B75CB4B467F9073112742E3818BA3D7A7168AE8E9BD6DD2B050F063D7
TrID	55.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19) 15.9% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 10.1% (.EXE) Win64 Executable (generic) (10522/11/4) 5.3% (.FON) Windows Font (5545/9/1) 4.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika	pebin
Reporter	marsomx
Tags:	80-76-49-2 exe NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

520

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

payload1dec.bin

Verdict:

No threats detected

Analysis date:

2025-03-06 12:09:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fe4b60a5-1a1a-4eb4-a109-7675f1d3aee6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Win64.CrypterX-gen.8686.12025.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67c99297c668b65489bf7270

Tags:

vmdetect emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Searching for synchronization primitives

Searching for the window

Setting browser functions hooks

Unauthorized injection to a system process

Unauthorized injection to a browser process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

agenttesla crypt explorer fingerprint lolbin masquerade njrat obfuscated obfuscated packed rat reconnaissance

Link:

https://www.filescan.io/uploads/67c990333c5f644bd9461cef/reports/e7064c50-fc1f-4eee-b906-bcd94eb9b465/overview

Verdict:

Malicious

Labled as:

IL:Trojan.MSILZilla

Link:

https://www.hybrid-analysis.com/sample/2acb08478abe768457f22b505029f0d8fd79204543dc30b0bc7bd635c6a7dce7

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6fc42b7f-6140-4999-964c-1685a2f6ec29

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1630935

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Creates a thread in another existing process (thread injection)

Creates files in the system32 config directory

Found direct / indirect Syscall (likely to bypass EDR)

Hooks files or directories query functions (used to hide files and directories)

Hooks processes query functions (used to hide processes)

Hooks registry keys query functions (used to hide registry keys)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Installs new ROOT certificates

Joe Sandbox ML detected suspicious sample

Modifies the prolog of user mode functions (user mode inline hooks)

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Score:

99%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/2acb08478abe768457f22b505029f0d8fd79204543dc30b0bc7bd635c6a7dce7

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2acb08478abe768457f22b505029f0d8fd79204543dc30b0bc7bd635c6a7dce7/

Threat name:

ByteCode-MSIL.Trojan.Zilla

Status:

Malicious

First seen:

2025-02-23 02:49:50 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=flfqqr4kxz3iiv7sfnifakpq3d6xsicfipodbmf4ppldlrvh3ttq._file

Verdict:

malicious

Label(s):

r77

Similar samples:

error

njrat

Result

Malware family:

n/a

Score:

10/10

Tags:

defense_evasion

Link:

https://tria.ge/reports/250306-pazx9sxyfs/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Drops file in Windows directory

Drops file in System32 directory

Indicator Removal: Clear Windows Event Logs

Modifies security service

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/1dafabb6-447f-41dd-9d57-8a49989ee3e0

Unpacked files

SH256 hash:

2acb08478abe768457f22b505029f0d8fd79204543dc30b0bc7bd635c6a7dce7

MD5 hash:

65aeb7eaa825e0bd836cece1d1edfae2

SHA1 hash:

99c457514fe70836fee2c1734a61acb6c579baff

Detections:

ps1_powerbrace_w0

Link:

https://www.unpac.me/results/40d3240f-0c91-41db-8b88-f6146a8275f7/

SH256 hash:

0d68afef508ba95553833b47ae4f3f24f4bc0492e4479664ff7c6c29004569a4

MD5 hash:

b10c7da413f2489beec67f305a23fd42

SHA1 hash:

86bd15c44b385cb5ef3dfe01e246188492c66386

Link:

https://www.unpac.me/results/40d3240f-0c91-41db-8b88-f6146a8275f7/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2acb08478abe/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2acb08478abe768457f22b505029f0d8fd79204543dc30b0bc7bd635c6a7dce7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AutoIT_Compiled Create hunting rule
Author:	@bartblaze
Description:	Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name:	CAS_Malware_Hunting Create hunting rule
Author:	Michael Reinprecht
Description:	DEMO CAS YARA Rules for sample2.exe

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__MemoryWorkingSet Create hunting rule
Author:	Fernando Mercês
Description:	Anti-debug process memory working set size check
Reference:	http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Active Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerHiding__Thread Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Lumma_Stealer_Detection Create hunting rule
Author:	ashizZz
Description:	Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:	https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/

Rule name:	MALWARE_Win_R77 Create hunting rule
Author:	ditekSHen
Description:	Detects r77 rootkit

Rule name:	meth_peb_parsing Create hunting rule
Author:	Willi Ballenthin

Rule name:	MSIL_SUSP_OBFUSC_XorStringsNet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it
Reference:	https://github.com/dr4k0nia/yara-rules

Rule name:	msil_susp_obf_xorstringsnet Create hunting rule
Author:	dr4k0nia
Description:	Detects XorStringsNET string encryption, and other obfuscators derived from it

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	pe_no_import_table Create hunting rule
Description:	Detect pe file that no import table

Rule name:	ps1_powerbrace_w0 Create hunting rule
Author:	NTT Security
Description:	Detect PowerBrace PowerShell backdoor

Rule name:	RANSOMWARE Create hunting rule
Author:	ToroGuitar

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

Rule name:	Windows_Rootkit_R77_d0367e28 Create hunting rule
Author:	Elastic Security
Reference:	https://www.elastic.co/security-labs/elastic-security-labs-steps-through-the-r77-rootkit

File information

The table below shows additional information about this malware sample such as delivery method and external references.

njrat

bat da3bab528f4f82ec90aac791a60962b6cca60d172939821874c78b0cf71d7d09

njrat

exe 2acb08478abe768457f22b505029f0d8fd79204543dc30b0bc7bd635c6a7dce7

(this sample)

Dropped by

SHA256 da3bab528f4f82ec90aac791a60962b6cca60d172939821874c78b0cf71d7d09

Dropped by

MD5 19872ade63829c8bb3ab4113d7626ed1

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample