MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c
SHA3-384 hash: d5a0bdffc88c1688a3c7fb56087236a312651197cfbb7f2e9b00a2ec86174c6021a6e2d74339ac6c4963a6cbcc6d0659
SHA1 hash: c55d0860598fcb41cbe46431b431713c58b7608e
MD5 hash: 113461458c920597c8529c301de52645
humanhash: seven-berlin-gee-comet
File name:random.exe
Download: download sample
Signature njrat
Create hunting rule
File size:6'352'896 bytes
First seen:2025-02-07 15:45:02 UTC
Last seen:2025-02-07 16:29:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 196608:4Vrk/RaXt4S0LHYaTSxyVrk/RaXt4S0LHYaTSxM:4BC8a0hcBC8a0hK
TLSH T19656331F3BEAC632C08D6871D3EA995B834EC58361939B0BEE1617491D0CBFAC6D0759
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10522/11/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:AsyncRAT exe NjRAT StormKitty


Avatar
iamaachum
http://185.215.113.97/files/none1/random.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
485
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
071151edb1af2b9b5eef400274460b3b.exe
Verdict:
Malicious activity
Analysis date:
2025-02-06 11:20:48 UTC
Tags:
lumma stealer loader themida stealc amadey
Link:
https://app.any.run/tasks/a8c2ae2d-f806-496c-95dd-f541a4efb58c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Sanesecurity.Malware.30425.UnRegNetReactor.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67a62ba2ab8a2d1c6bcd8e00
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Restart of the analyzed sample
Searching for synchronization primitives
Сreating synchronization primitives
Creating a file
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process from a recently created file
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Setting a global event handler for the keyboard
Connection attempt to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/05d9413d-0c59-4a74-b9f7-d194b121d232
Result
Threat name:
KeyLogger, PureLog Stealer, StormKitty,
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1609493
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected BrowserPasswordDump
Yara detected Keylogger Generic
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected StormKitty Stealer
Yara detected VenomRAT
Yara detected zgRAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1609493 Sample: random.exe Startdate: 07/02/2025 Architecture: WINDOWS Score: 100 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 15 other signatures 2->65 9 random.exe 2->9         started        12 Wihnup.exe 2->12         started        process3 signatures4 67 Found many strings related to Crypto-Wallets (likely being stolen) 9->67 69 Contains functionality to inject code into remote processes 9->69 71 Queries memory information (via WMI often done to detect virtual machines) 9->71 14 random.exe 8 9->14         started        18 WerFault.exe 19 16 9->18         started        73 Multi AV Scanner detection for dropped file 12->73 75 Machine Learning detection for dropped file 12->75 77 Injects a PE file into a foreign processes 12->77 20 Wihnup.exe 12->20         started        22 Wihnup.exe 12->22         started        24 WerFault.exe 12->24         started        process5 file6 51 C:\Users\user\AppData\Roaming\Wihnup.exe, PE32 14->51 dropped 53 C:\Users\user\AppData\...\random.exe.log, ASCII 14->53 dropped 81 Found many strings related to Crypto-Wallets (likely being stolen) 14->81 83 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->83 26 cmd.exe 1 14->26         started        28 cmd.exe 1 14->28         started        55 C:\ProgramData\Microsoft\...\Report.wer, Unicode 18->55 dropped signatures7 process8 signatures9 31 Wihnup.exe 26->31         started        34 conhost.exe 26->34         started        36 timeout.exe 1 26->36         started        79 Uses schtasks.exe or at.exe to add and modify task schedules 28->79 38 conhost.exe 28->38         started        40 schtasks.exe 1 28->40         started        process10 signatures11 85 Injects a PE file into a foreign processes 31->85 42 Wihnup.exe 2 31->42         started        45 WerFault.exe 19 16 31->45         started        47 Wihnup.exe 31->47         started        49 2 other processes 31->49 process12 dnsIp13 57 85.209.128.208, 4449, 49719, 49730 VELIANET-ASvelianetInternetdiensteGmbHDE Netherlands 42->57
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c/
Threat name:
ByteCode-MSIL.Trojan.LummaC
Create hunting rule
Status:
Malicious
First seen:
2025-02-06 10:25:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ojtknxa56yivmf45xzd6xxv65rmkcascjmwycdc52smgupve2yoa._file
Verdict:
malicious
Label(s):
asyncrat
Create hunting rule
stormkitty
Create hunting rule
Similar samples:
error
njrat
Result
Malware family:
stormkitty
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:stormkitty discovery rat stealer
Link:
https://tria.ge/reports/250207-s67jrsyjhr/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
.NET Reactor proctector
Stormkitty family
AsyncRat
Asyncrat family
StormKitty
StormKitty payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ca47d713-89bf-4d2c-914f-fb39660b4b08
Unpacked files
SH256 hash:
7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c
MD5 hash:
113461458c920597c8529c301de52645
SHA1 hash:
c55d0860598fcb41cbe46431b431713c58b7608e
Link:
https://www.unpac.me/results/7e62bde1-7bd7-46e1-8c07-bd811e55d883/
SH256 hash:
fccf3b132efc09076c343eb3c910564c8abde1d7d1ddee844e8087cb094d416d
MD5 hash:
ae1c9c1a17126d0ccf673eb73a045ed9
SHA1 hash:
1a6861d54bf3b699cb8372fe0bbe0856f717753c
Detections:
AsyncRAT
Create hunting rule
DiscordRatWebcamGrabber
Create hunting rule
StormKitty
Create hunting rule
cn_utf8_windows_terminal
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
INDICATOR_SUSPICIOUS_References_SecTools
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_B64_Artifacts
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_DiscordURL
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_CC_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_References_VPN
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
Create hunting rule
INDICATOR_SUSPICIOUS_EXE_WirelessNetReccon
Create hunting rule
INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
Create hunting rule
MALWARE_Win_StormKitty
Create hunting rule
MALWARE_Win_AsyncRAT
Create hunting rule
MALWARE_Win_DLAgent10
Create hunting rule
MALWARE_Win_UnamedStealer
Create hunting rule
MALWARE_Win_Multi_Family_InfoStealer
Create hunting rule
MALWARE_Win_CyberStealer
Create hunting rule
MALWARE_Win_ArrowRAT
Create hunting rule
MALWARE_Win_VenomRAT
Create hunting rule
Link:
https://www.unpac.me/results/7e62bde1-7bd7-46e1-8c07-bd811e55d883/
SH256 hash:
70f5cf985d8ffc9f6469c5686799e3ed42db418b98ac63dbf203e0a6124a67e2
MD5 hash:
97221cc78207c44a8b62e574df862472
SHA1 hash:
d8156222b9f7576135f113c54e486abcfe4b395e
Detections:
MALWARE_Win_DLAgent10
Create hunting rule
Link:
https://www.unpac.me/results/7e62bde1-7bd7-46e1-8c07-bd811e55d883/
Parent samples :
7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c
230b143294c018f8fc6c36581be214e2d3725546bba0a241da12854052806005
7b77cc567a3c5e8a31e8abe7404bc2b39198e51d4b3adae736caf5fbe484e2a6
Malware family:
AsyncRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7266a6dc1df6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AsyncRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DotNet_Reactor
Create hunting rule
Author:@bartblaze
Description:Identifies .NET Reactor, which offers .NET code protection such as obfuscation, encryption and so on.
Rule name:INDICATOR_EXE_Packed_DotNetReactor
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with unregistered version of .NET Reactor
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:PureCrypter
Create hunting rule
Author:@bartblaze
Description:Identifies PureCrypter, .NET loader and obfuscator.
Reference:https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe 7266a6dc1df61156179dbe47ebdebeec58a102424b2d810c5dd4986a3ea4d61c

(this sample)

  
Link
https://tria.ge/250207-sk4kzsxkcp/
  
Dropped by
Amadey
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments