MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7344ca2be06c797df34455ad4b35bb13278be54ee1ef969487bbd2ed79cdcdf6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7344ca2be06c797df34455ad4b35bb13278be54ee1ef969487bbd2ed79cdcdf6
SHA3-384 hash: 7d23c417c688f4312f0f5d508af1627f981784bd27053e37766188dc5f96dd239d9e6f18f310ca8aade5cd0e88cbe513
SHA1 hash: d96fb94173bb26d2a1f68cc0fbfca12dffac6dae
MD5 hash: 69a0b737c1fd43912a9230a86dc05855
humanhash: hot-network-asparagus-mirror
File name:7344ca2be06c797df34455ad4b35bb13278be54ee1ef969487bbd2ed79cdcdf6
Download: download sample
Signature njrat
Create hunting rule
File size:814'592 bytes
First seen:2026-06-08 09:57:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'011 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 12288:LATAvbQsx6ANML4YF49u2zPc7XZU/0XLotRuNuJznXfVZDTaqAmZloQqjld4:E1ANML18NoXZA0XUtQNu/tTRAcO
Threatray 54 similar samples on MalwareBazaar
TLSH T15405126AAE58C823E98917706BB2F2B663649FCDF614C1179FECFEEF34255109808341
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 71d0b26d4da9d22c (5 x Formbook, 2 x SnakeKeylogger, 2 x MassLogger)
Reporter adrian__luca
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
111
Origin country :
HU HU
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/8247ecc0-3e40-4381-bfa7-34172d9abaa7/
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69995/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.3559.37992361.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a269277ae2f98c00a68cee1
Tags:
infosteal virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context crypt packed vbnet
Link:
https://www.filescan.io/uploads/6a26921dbf16337e43bb4056/reports/d6aa01b6-9653-4650-8690-24786dfa7e71/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/7344ca2be06c797df34455ad4b35bb13278be54ee1ef969487bbd2ed79cdcdf6
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-19T23:15:00Z UTC
Last seen:
2026-06-08T05:58:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/7344ca2be06c797df34455ad4b35bb13278be54ee1ef969487bbd2ed79cdcdf6/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f3ccea95-c4c8-4203-b67a-04a9e57971dc
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/7344ca2be06c797df34455ad4b35bb13278be54ee1ef969487bbd2ed79cdcdf6
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7344ca2be06c797df34455ad4b35bb13278be54ee1ef969487bbd2ed79cdcdf6/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2026-05-20 02:14:32 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
26 of 36 (72.22%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
101bd5c2dc4ecb68e017d163bf7b8c472e12a3942cee6c9eed6ec70928409b26
njrat
22e20c87b8a58256ba2d789c04fa52c109cd991dd82f270e4c4da5b72f057b77
njrat
301aacc4bac5acd89177dfa0ed6fbafc8460f58a7e9a1b546187372ca6883e2c
njrat
68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe
njrat
e18128d6e9657ce06424fbdb8af5cc6b23bbeda33fdbc13762318d11b24a22f4
njrat
+ 44 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260608-lzfn5scw6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Unpacked files
SH256 hash:
7344ca2be06c797df34455ad4b35bb13278be54ee1ef969487bbd2ed79cdcdf6
MD5 hash:
69a0b737c1fd43912a9230a86dc05855
SHA1 hash:
d96fb94173bb26d2a1f68cc0fbfca12dffac6dae
Link:
https://www.unpac.me/results/d75a9192-8a38-402e-95ee-a07786ab4250/
SH256 hash:
7e5e42651838afcb21918d7c4cec7d2a3352a51bd32f572a8a889e47cedb7c89
MD5 hash:
bc5c24037c01c45d357e78aae1457f88
SHA1 hash:
8b6115e53004c4330550467a4d67c509dc98452b
Link:
https://www.unpac.me/results/d75a9192-8a38-402e-95ee-a07786ab4250/
SH256 hash:
cf5dafb0fd320378be54ed47d552dd872b7b343994ddba51e3a1cd2b30d176d3
MD5 hash:
d6e222077074b587ef0fb07636e43284
SHA1 hash:
ddcb6634e0e88f4b9ce66562d951e608a8d843cf
Link:
https://www.unpac.me/results/d75a9192-8a38-402e-95ee-a07786ab4250/
SH256 hash:
3fc7197dc2039b0a06ca85de4b76de9fd9cb5c413a771cec98a103029774c8d7
MD5 hash:
80397f5a59830972c68d129df0e600fd
SHA1 hash:
f4ae716a9fd66bd245ffcf5c05d56846d79182c8
Link:
https://www.unpac.me/results/d75a9192-8a38-402e-95ee-a07786ab4250/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7344ca2be06c797df34455ad4b35bb13278be54ee1ef969487bbd2ed79cdcdf6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69995/

Comments