MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c432c454b36e2e9b73faec7ca3404f582218583055db2602d5ba609e394eb9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c432c454b36e2e9b73faec7ca3404f582218583055db2602d5ba609e394eb9d
SHA3-384 hash: 0b05d7eb60253ac98e77240ce57cf928fdc7fcc4e37be994fd65fc270b748cea3b40c4ca19b9aae8285fab92996c828f
SHA1 hash: cdffd7a713eb83a84256836db3ba9f5b1cfcabb2
MD5 hash: 4f18d52c3611d2784f333eff8ddbb0d8
humanhash: bacon-video-dakota-table
File name:Purchase Inquiry Pl- Electro 876.js
Download: download sample
Signature njrat
Create hunting rule
File size:171'406 bytes
First seen:2025-08-18 07:20:16 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 3072:1ASo0kemlN//xn+WACHr/KU5mpIOJy0gRw1JJGM+JZ:1ASXK/QWAG/KU5mpIOJy0gRw1JK
Threatray 259 similar samples on MalwareBazaar
TLSH T16BF3853CEDE8EFC8032A71E0256E3B07505C4BB3F5F89B8CB4D5487A596A1499BB614C
Magika javascript
Reporter abuse_ch
Tags:js NjRAT RAT


Avatar
abuse_ch
njrat C2:
196.251.114.106:5085

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
196.251.114.106:5085 https://threatfox.abuse.ch/ioc/1570645/

Intelligence

File Origin
# of uploads :
1
# of downloads :
147
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BAT.Obfus-5.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a2d45e8fd55a79c528c5d1
Tags:
bladabindi autorun njrat
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 evasive fingerprint masquerade obfuscated powershell
Link:
https://www.filescan.io/uploads/68a2d456a4bdac9f5b9b5e3b/reports/b0174f4a-04e0-4521-aabd-d8bc24772d65/overview
Verdict:
Malicious
Labled as:
Trojan.Script.Dropper
Link:
https://www.hybrid-analysis.com/sample/4c432c454b36e2e9b73faec7ca3404f582218583055db2602d5ba609e394eb9d
Result
Threat name:
FormBook, Njrat, PureLog Stealer, zgRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1759086
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Creates processes via WMI
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Wscript starts Powershell (via cmd or directly)
Yara detected FormBook
Yara detected Njrat
Yara detected Powershell decode and execute
Yara detected PureLog Stealer
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1759086 Sample: Purchase Inquiry  Pl- Elect... Startdate: 18/08/2025 Architecture: WINDOWS Score: 100 136 www.vp0p1j.top 2->136 138 www.lifequant.net 2->138 140 5 other IPs or domains 2->140 152 Suricata IDS alerts for network traffic 2->152 154 Found malware configuration 2->154 156 Malicious sample detected (through community Yara rule) 2->156 158 22 other signatures 2->158 15 cmd.exe 1 2->15         started        18 cmd.exe 2->18         started        20 cmd.exe 1 2->20         started        22 4 other processes 2->22 signatures3 process4 file5 182 Suspicious powershell command line found 15->182 184 Wscript starts Powershell (via cmd or directly) 15->184 186 Suspicious command line found 15->186 25 cmd.exe 1 15->25         started        27 conhost.exe 15->27         started        29 cmd.exe 18->29         started        32 conhost.exe 18->32         started        34 cmd.exe 1 20->34         started        36 conhost.exe 20->36         started        130 C:\Users\user\...\HolographicInterpreter.bat, ASCII 22->130 dropped 188 Windows Scripting host queries suspicious COM object (likely to drop second stage) 22->188 190 Creates processes via WMI 22->190 38 cmd.exe 1 22->38         started        40 cmd.exe 1 22->40         started        42 4 other processes 22->42 signatures6 process7 signatures8 44 cmd.exe 2 25->44         started        178 Wscript starts Powershell (via cmd or directly) 29->178 180 Suspicious command line found 29->180 47 powershell.exe 29->47         started        50 conhost.exe 29->50         started        52 cmd.exe 29->52         started        54 timeout.exe 29->54         started        56 cmd.exe 1 34->56         started        58 cmd.exe 1 38->58         started        60 cmd.exe 1 40->60         started        62 cmd.exe 42->62         started        process9 file10 174 Suspicious powershell command line found 44->174 176 Wscript starts Powershell (via cmd or directly) 44->176 64 powershell.exe 8 22 44->64         started        69 conhost.exe 44->69         started        132 \Device\ConDrv, ASCII 47->132 dropped 71 powershell.exe 47->71         started        73 powershell.exe 56->73         started        75 conhost.exe 56->75         started        77 powershell.exe 58->77         started        79 conhost.exe 58->79         started        81 2 other processes 60->81 83 2 other processes 62->83 signatures11 process12 dnsIp13 134 196.251.114.106, 49720, 5085 xneeloZA Seychelles 64->134 116 C:\Users\user\AppData\Roaming\...\a2c7.bat, ASCII 64->116 dropped 118 C:\Users\user\AppData\...\tmp7664.tmp.js, ASCII 64->118 dropped 146 Suspicious powershell command line found 64->146 148 Drops script or batch files to the startup folder 64->148 150 Found suspicious powershell code related to unpacking or dynamic code loading 64->150 85 wscript.exe 64->85         started        120 C:\Users\user\AppData\Roaming\...\de52.bat, ASCII 73->120 dropped 122 C:\Users\user\AppData\Roaming\...\e93b.bat, ASCII 77->122 dropped 124 C:\Users\user\AppData\Roaming\...\e1f8.bat, ASCII 81->124 dropped 126 C:\Users\user\AppData\Roaming\...\6de9.bat, ASCII 83->126 dropped file14 signatures15 process16 file17 128 C:\Users\user\AppData\...\StellarParser.bat, ASCII 85->128 dropped 160 Wscript starts Powershell (via cmd or directly) 85->160 162 Windows Scripting host queries suspicious COM object (likely to drop second stage) 85->162 164 Suspicious execution chain found 85->164 166 Creates processes via WMI 85->166 89 cmd.exe 85->89         started        signatures18 process19 process20 91 cmd.exe 89->91         started        94 conhost.exe 89->94         started        signatures21 170 Wscript starts Powershell (via cmd or directly) 91->170 172 Suspicious command line found 91->172 96 powershell.exe 91->96         started        100 conhost.exe 91->100         started        102 cmd.exe 91->102         started        104 timeout.exe 91->104         started        process22 file23 114 C:\Users\user\...\BackgroundTaskHost.cmd, ASCII 96->114 dropped 142 Suspicious powershell command line found 96->142 144 Maps a DLL or memory area into another process 96->144 106 mDt6oNLgqZWCAu.exe 96->106 injected 109 powershell.exe 96->109         started        signatures24 process25 signatures26 168 Maps a DLL or memory area into another process 106->168 111 fsutil.exe 106->111         started        process27 signatures28 192 Tries to steal Mail credentials (via file / registry access) 111->192 194 Tries to harvest and steal browser information (history, passwords, etc) 111->194 196 Modifies the context of a thread in another process (thread injection) 111->196 198 3 other signatures 111->198
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/4c432c454b36e2e9b73faec7ca3404f582218583055db2602d5ba609e394eb9d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c432c454b36e2e9b73faec7ca3404f582218583055db2602d5ba609e394eb9d/
Verdict:
Malicious
Threat:
Family.NJRAT
Link:
https://tip.neiki.dev/file/4c432c454b36e2e9b73faec7ca3404f582218583055db2602d5ba609e394eb9d
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-18 07:20:59 UTC
File Type:
Text
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jrbsyrklg3rotnz7v3d4unae6wbcdbmdavo3eybnlotaty4u5ooq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
102c57004decd2173d86522467863123425f1ecccf37561fa34fca5c1de1c402
njrat
208ff1162ef1b1185d3e1b5f72244a6d2c6bc5b0b4c7d4b2e67e7fb6f27fd2a0
njrat
3c1b34a16bc34c149c8c2c3d516527ed6c4c913d9bf8ac47e35a79675075fe67
njrat
49784cd5f974b8266ed02105bc6be8d04b7c7f798726caf15e052ba83a2b4c40
njrat
55a4bd8ac4d1313862a55f59e587579e4b51c1fee403345c083cb4cdd8ecc2b1
njrat
8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9
njrat
8e13758a85fedcb0d0251395c4106c8e9cdf5503cfe47468e39767320c0acdec
njrat
cb1ee7fa3edcc9795877868ad56cf32b9d6c3d95ea59d348e55c2b5caf87a180
njrat
cdb8d74735fd803936cbb3f259418fa76aa5fa7ad03f8cba3b7d310006052e61
njrat
error
njrat
+ 249 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat defense_evasion discovery execution trojan
Link:
https://tria.ge/reports/250818-h6jsla1lt7/
Behaviour
Delays execution with timeout.exe
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Network Service Discovery
.NET Reactor proctector
Drops startup file
Blocklisted process makes network request
Modifies trusted root certificate store through registry
Njrat family
Process spawned unexpected child process
njRAT/Bladabindi
Malware Config
C2 Extraction:
196.251.114.106:5085
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4c432c454b36e2e9b73faec7ca3404f582218583055db2602d5ba609e394eb9d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_PS1_JAB_Pattern_Jun22_1
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects suspicious UTF16 and Base64 encoded PowerShell code that starts with a $ sign and a single char variable
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments