MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 402c40bfac55e78f3f04b4a4c8dabd0c3ec576da95e2d932e051a0781ab7032f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
njrat
Vendor detections: 17
| SHA256 hash: | 402c40bfac55e78f3f04b4a4c8dabd0c3ec576da95e2d932e051a0781ab7032f |
|---|---|
| SHA3-384 hash: | 13fba66e972767952f46ffd9101753c112d8b67d3e525e8278d0c61e93425f9dd0cfcc8056e64bddafd28e2a2be58ec3 |
| SHA1 hash: | 09f02af0565b94989a6dc1efb07ffd93999cef46 |
| MD5 hash: | d5c251d02b576dce61e1cae5fdb26036 |
| humanhash: | alanine-mexico-snake-uranus |
| File name: | IMG-Orden de compra-20260616-WA0001.xlsx(89KB).scr |
| Download: | download sample |
| Signature | njrat |
| File size: | 1'047'040 bytes |
| First seen: | 2026-06-17 06:09:06 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (49'074 x AgentTesla, 20'032 x Formbook, 12'352 x SnakeKeylogger) |
| ssdeep | 12288:ruUb4v5qxGuXhw24BiTTFccl2+wONWfhzDORIUD1SE4AvmL27lvCZHZ1TNXaqC:iUUzuX3ZTb2+w2WfNEpZJvCZHTBK |
| Threatray | 540 similar samples on MalwareBazaar |
| TLSH | T13525691C370EBDB5F484AE7C2AA1DB3406E76E5514D2C02229CDE98BF52EE4059F1B1B |
| TrID | 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.6% (.EXE) Win64 Executable (generic) (6522/11/2) 4.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9) |
| Magika | pebin |
| dhash icon | 74f4eccacaccc0dc (2 x njrat, 1 x AveMariaRAT) |
| Reporter |  lowmal3 |
| Tags: | exe NjRAT |
Intelligence
File Origin
# of uploads :
1
# of downloads :
160
Origin country :
DEVendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Malware family:
n/a
ID:
1
File name:
_402c40bfac55e78f3f04b4a4c8dabd0c3ec576da95e2d932e051a0781ab7032f.exe
Verdict:
Suspicious activity
Analysis date:
2026-06-17 06:10:44 UTC
Tags:
auto-startup
Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Verdict:
Malicious
Score:
99.1%
Tags:
autorun virus micro msil
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Сreating synchronization primitives
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Connection attempt to an infection source
Using the Windows Management Instrumentation requests
Setting a global event handler for the keyboard
Creating a file in the mass storage device
Query of malicious DNS domain
Enabling autorun by creating a file
Enabling threat expansion on mass storage devices
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
masquerade masquerade obfuscated packed
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-06-16T12:18:00Z UTC
Last seen:
2026-06-17T03:07:00Z UTC
Hits:
~100
Verdict:
Suspicious
Result
Threat name:
XWorm
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Behaviour
Behavior Graph:
Score:
100%
Verdict:
Malware
File Type:
PE
Gathering data
Verdict:
Malicious
Threat:
Family.XWORM
Threat name:
Win32.Backdoor.FormBook
Status:
Malicious
First seen:
2026-06-16 16:35:12 UTC
File Type:
PE (.Net Exe)
Extracted files:
51
AV detection:
22 of 36 (61.11%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Label(s):
xworm
unc_loader_031
Similar samples:
+ 530 additional samples on MalwareBazaar
Result
Malware family:
xworm
Score:
10/10
Tags:
family:xworm discovery rat trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Drops startup file
Executes dropped EXE
Detect Xworm Payload
Family: Xworm
Unpacked files
SH256 hash:
402c40bfac55e78f3f04b4a4c8dabd0c3ec576da95e2d932e051a0781ab7032f
MD5 hash:
d5c251d02b576dce61e1cae5fdb26036
SHA1 hash:
09f02af0565b94989a6dc1efb07ffd93999cef46
SH256 hash:
36e6e085c86dd2f549b136c0ea9d97b755a2b254aa39f44524fca92417baccf6
MD5 hash:
85a7d07787ffdff80765753f8215e023
SHA1 hash:
305c0ba5003e7a02dc373898263da6a8dbecb328
SH256 hash:
e6e419981b4ea3acb7ef2c90cee1fd41885aeca3926abc0bcf14927a6c6099ee
MD5 hash:
1f966fb5eb9e1d22ff5c68ea20caa445
SHA1 hash:
4b5c3578edc482666fddbb62f152447b955e261e
SH256 hash:
f08e62ca8a4259dd3b4a0e6d0e58cf5382c2d2e2bd4db58887cf460ba62c9195
MD5 hash:
2cde0c6038877f86af2c04eb299a2a3f
SHA1 hash:
fd43b28bf5c85eabfcfe2dd6bcb2973ee63660f5
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | Detect_PowerShell_Obfuscation |
|---|---|
| Author: | daniyyell |
| Description: | Detects obfuscated PowerShell commands commonly used in malicious scripts. |
| Rule name: | NET |
|---|---|
| Author: | malware-lu |
| Rule name: | NETexecutableMicrosoft |
|---|---|
| Author: | malware-lu |
| Rule name: | Njrat |
|---|---|
| Author: | botherder https://github.com/botherder |
| Description: | Njrat |
| Rule name: | pe_imphash |
|---|
| Rule name: | Skystars_Malware_Imphash |
|---|---|
| Author: | Skystars LightDefender |
| Description: | imphash |
| Rule name: | Sus_CMD_Powershell_Usage |
|---|---|
| Author: | XiAnzheng |
| Description: | May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP) |
| Rule name: | VECT_Ransomware |
|---|---|
| Author: | Mustafa Bakhit |
| Description: | Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments. |
| Rule name: | Windows_Trojan_XWorm_b7d6eaa8 |
|---|---|
| Author: | Elastic Security |
| Rule name: | win_dotnet_vb_stealer_rat |
|---|---|
| Author: | Arrbat |
| Description: | Detects .NET/VB executables with stealer/RAT capabilities (sockets, HTTP, processes, registry, etc). |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.