MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6351577adc7052cc74c414372305602d829c52dcacce43562021248606272c59. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6351577adc7052cc74c414372305602d829c52dcacce43562021248606272c59
SHA3-384 hash: f72e58c9bea6a123d8d33ff0dc6a9adbca2d56d88e55fc74ee10afdac9b216cd808aa1b8803c9ea9f02d3b992c74c541
SHA1 hash: 52fcce86db1678d0ddce99749af8533b61366d15
MD5 hash: 4cc1d10588816b3c331878e79d55d694
humanhash: crazy-wisconsin-uniform-winter
File name:4cc1d10588816b3c331878e79d55d694.exe
Download: download sample
Signature njrat
Create hunting rule
File size:501'090 bytes
First seen:2025-08-05 03:35:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep 12288:yRZ+IoG/n9IQxW3OBseDT+tG8btuLvr1rzG:82G/nvxW3WdmtuLr1rzG
TLSH T12AB4E002F9C199B2C52109321669AB61257C7D201F15CEEFE3E86E2DD9341E0FB35BA7
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
3.127.253.86:16995

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
3.127.253.86:16995 https://threatfox.abuse.ch/ioc/1563323/

Intelligence

File Origin
# of uploads :
1
# of downloads :
128
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
4cc1d10588816b3c331878e79d55d694.exe
Verdict:
Malicious activity
Analysis date:
2025-08-05 03:36:54 UTC
Tags:
rat njrat bladabindi remote backdoor
Link:
https://app.any.run/tasks/c81bd7ea-9ad9-4717-ac9e-f2d6a0b558e0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18926/
Detection(s):
Win.Trojan.DarkKomet-10027799-0
Create hunting rule

SecuriteInfo.com.Trojan.Rasftuby.Gen.14.10239.27368.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68917c09af3050dc8d346dfc
Tags:
bladabindi crimsonrat njrat proxy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file
Running batch commands
Creating a process from a recently created file
Launching a process
Unauthorized injection to a recently created process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
darkkomet fingerprint installer microsoft_visual_cc overlay overlay sfx
Link:
https://www.filescan.io/uploads/68917c06dc44c87d077c2ac0/reports/e2236dde-cdb8-4471-8fca-b807e86f4743/overview
Verdict:
Malicious
Labled as:
Trojan.Rasftuby.Generic
Link:
https://www.hybrid-analysis.com/sample/6351577adc7052cc74c414372305602d829c52dcacce43562021248606272c59
Malware family:
Mimikatz
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/158c839d-1332-415d-b5db-b80f74417b26
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1750240
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1750240 Sample: Zfkzm59k7A.exe Startdate: 05/08/2025 Architecture: WINDOWS Score: 100 34 4.tcp.eu.ngrok.io 2->34 42 Suricata IDS alerts for network traffic 2->42 44 Found malware configuration 2->44 46 Malicious sample detected (through community Yara rule) 2->46 48 6 other signatures 2->48 11 Zfkzm59k7A.exe 7 2->11         started        signatures3 process4 file5 32 C:\Users\user\Desktop\main.exe, PE32 11->32 dropped 14 cmd.exe 1 11->14         started        process6 process7 16 main.exe 6 14->16         started        20 conhost.exe 14->20         started        file8 30 C:\Users\user\Desktop\Server.exe, PE32 16->30 dropped 40 Multi AV Scanner detection for dropped file 16->40 22 Server.exe 1 4 16->22         started        signatures9 process10 dnsIp11 36 18.198.77.177, 16995, 49890, 49891 AMAZON-02US United States 22->36 38 4.tcp.eu.ngrok.io 3.127.253.86, 16995, 49718, 49719 AMAZON-02US United States 22->38 50 Antivirus detection for dropped file 22->50 52 Multi AV Scanner detection for dropped file 22->52 54 Uses netsh to modify the Windows network and firewall settings 22->54 56 Modifies the windows firewall 22->56 26 netsh.exe 2 22->26         started        signatures12 process13 process14 28 conhost.exe 26->28         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6351577adc7052cc74c414372305602d829c52dcacce43562021248606272c59
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/4cc1d10588816b3c331878e79d55d694
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6351577adc7052cc74c414372305602d829c52dcacce43562021248606272c59/
Verdict:
Malicious
Threat:
Family.NJRAT
Link:
https://tip.neiki.dev/file/6351577adc7052cc74c414372305602d829c52dcacce43562021248606272c59
Threat name:
Win32.Trojan.Rasftuby
Create hunting rule
Status:
Malicious
First seen:
2022-11-20 11:53:43 UTC
AV detection:
13 of 23 (56.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mnivo6w4objmy5gecq3sgblafwbjyuw4vthegvraeesimbrhfrmq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
unc_loader_051
Create hunting rule
Similar samples:
error
njrat
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked defense_evasion discovery persistence privilege_escalation trojan
Link:
https://tria.ge/reports/250805-d5lhksej8v/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Modifies Windows Firewall
Njrat family
njRAT/Bladabindi
Malware Config
C2 Extraction:
4.tcp.eu.ngrok.io:16995
Verdict:
Malicious
Tags:
Win.Trojan.DarkKomet-10027799-0
YARA:
n/a
Link:
https://app.threat.zone/submission/61dbddc0-718d-48f2-8aca-78f81f46a53f
Unpacked files
SH256 hash:
6351577adc7052cc74c414372305602d829c52dcacce43562021248606272c59
MD5 hash:
4cc1d10588816b3c331878e79d55d694
SHA1 hash:
52fcce86db1678d0ddce99749af8533b61366d15
Detections:
win_xorist_auto
Create hunting rule
Link:
https://www.unpac.me/results/fcf73119-2bf0-4550-aef8-56a30e4075cb/
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6351577adc70/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6351577adc7052cc74c414372305602d829c52dcacce43562021248606272c59

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dcrat_
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked dcrat malware samples.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:win_xorist_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.xorist.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18926/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments