MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6ad1b1db6f7c97ce50900ee4f898058f5ed4cb99bb7f63ce9b1f1509a3dd21e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 16

Intelligence 16 IOCs YARA 7 File information Comments

SHA256 hash:	6ad1b1db6f7c97ce50900ee4f898058f5ed4cb99bb7f63ce9b1f1509a3dd21e9
SHA3-384 hash:	6ea93b62ab2247f2fda593ca9e3949606a1c3061b0196fcff619feb4f15216b12e505eddc212e3bc6f83138a1e9fec4d
SHA1 hash:	488fedc0b2771a700433d85ea4e8b79f1a9d741e
MD5 hash:	22716ba644a066de7318dd077cc2deec
humanhash:	nine-saturn-pluto-cup
File name:	lu7.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	95'744 bytes
First seen:	2026-02-27 13:38:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'818 x AgentTesla, 19'742 x Formbook, 12'286 x SnakeKeylogger)
ssdeep	1536:4GGFBZXg0+ggFCpBNPA5K8ZuduShbBNIIb2OAJ7ebS3vsUJy:4BgxCLKKdhXG423IbS3vW
Threatray	195 similar samples on MalwareBazaar
TLSH	T1AE936C0DBB006488C6BD0EBB89A3914C89FDC497B667F77625C81EF68D2399C854F6C1
TrID	70.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.2% (.EXE) Win64 Executable (generic) (6522/11/2) 4.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	James_inthe_box
Tags:	exe NjRAT

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

XWorm

Details

XWorm

a version, a filepath, a mutex, a c2 socket address or a dead-drop resolver URL, and possibly cryptocurrency wallets and a Telegram URL

Link:

https://research.acce.ciphertechsolutions.com/results/e2f9f72c-3a14-4510-8274-c60426b10fd9/

Malware family:

n/a

ID:

File name:

lu7.exe

Verdict:

Malicious activity

Analysis date:

2026-02-27 13:40:49 UTC

Tags:

auto-startup xworm remote stealer

Link:

https://app.any.run/tasks/724e1e82-e696-4361-a6a8-9d9a4f4ba598

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

XWorm

Link:

https://www.capesandbox.com/analysis/54863/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69a19e49c950ab5d9ab21bf6

Tags:

autorun micro sage remo

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm base64 bladabindi crypt fingerprint njrat obfuscated obfuscated reconnaissance vbnet

Link:

https://www.filescan.io/uploads/69a19e4597feb4afd65f5976/reports/7ab7f27b-034c-4eee-b872-e5984f7e9cba/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/6ad1b1db6f7c97ce50900ee4f898058f5ed4cb99bb7f63ce9b1f1509a3dd21e9

Verdict:

Malicious

File Type:

exe x32

Detections:

Trojan.MSIL.Agent.sb Backdoor.MSIL.XWorm.c Backdoor.MSIL.XWorm.b PDM:Trojan.Win32.Generic HEUR:Backdoor.MSIL.XWorm.gen Backdoor.Agent.TCP.C&C Trojan-PSW.Win32.Stealer.sb

Link:

https://opentip.kaspersky.com/6ad1b1db6f7c97ce50900ee4f898058f5ed4cb99bb7f63ce9b1f1509a3dd21e9/results?tab=lookup

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/953d4e46-753e-4f97-904f-402689ade4ff

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6ad1b1db6f7c97ce50900ee4f898058f5ed4cb99bb7f63ce9b1f1509a3dd21e9

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6ad1b1db6f7c97ce50900ee4f898058f5ed4cb99bb7f63ce9b1f1509a3dd21e9/

Verdict:

Malicious

Threat:

Family.XWORM

Link:

https://tip.neiki.dev/file/6ad1b1db6f7c97ce50900ee4f898058f5ed4cb99bb7f63ce9b1f1509a3dd21e9

Threat name:

ByteCode-MSIL.Backdoor.XWorm

Status:

Malicious

First seen:

2026-02-27 13:38:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

29 of 38 (76.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nli3dw3ppsl44ueqb3sprgafr5pnjs4zxn7whtu3d4kqti65ehuq._file

Verdict:

malicious

Label(s):

xworm

njrat

0c04480d6f7b79530bad8c128795fe332cecbe146d2c0d83e475489ed9c9fd29

njrat

67e7b0bf057c8c7ef117be16a168833235920d0af16921ff59d0866f0d05e050

njrat

6ad1b1db6f7c97ce50900ee4f898058f5ed4cb99bb7f63ce9b1f1509a3dd21e9

njrat

729fcf83579426cac37711a41684e00b76fd901f57ea743a34c72c181acb6e07

njrat

9b7023ed9d783bf33aa0178b91f82c2e6e7d69cd5db878845171fde65481bb4b

njrat

a79144ac2441047775ba349433a8b27aed0c8087aae033e68fa21692412abef9

njrat

ecdaa31802b6a8ef94fbc3f16da5068c6f126876af0b9c964a915a556194a1f9

njrat

error

njrat

+ 185 additional samples on MalwareBazaar

Result

Malware family:

xworm

Score:

10/10

Tags:

family:xworm rat spyware stealer trojan

Link:

https://tria.ge/reports/260227-qxg7eaaw7a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops startup file

Reads user/profile data of web browsers

Detect Xworm Payload

Xworm

Xworm family

Unpacked files

SH256 hash:

6ad1b1db6f7c97ce50900ee4f898058f5ed4cb99bb7f63ce9b1f1509a3dd21e9

MD5 hash:

22716ba644a066de7318dd077cc2deec

SHA1 hash:

488fedc0b2771a700433d85ea4e8b79f1a9d741e

Link:

https://www.unpac.me/results/ea27c049-a878-4fda-aff7-28eed84c29c4/

Malware family:

XWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/6ad1b1db6f7c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6ad1b1db6f7c97ce50900ee4f898058f5ed4cb99bb7f63ce9b1f1509a3dd21e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Windows_Trojan_XWorm_b7d6eaa8 Create hunting rule
Author:	Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/54863/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample