MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c2769b905c5142f6236c48b071aef3ed4ec9895e7c132a868c725bb43a064e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7c2769b905c5142f6236c48b071aef3ed4ec9895e7c132a868c725bb43a064e7
SHA3-384 hash: 7886bd7d9c846ae17aa343caaac4d67567c9101ca0903afc7f4e2897bea8a1fc858c52b6e2f1bf94f57da95dcda02216
SHA1 hash: 3ad73514c72f5ca9a21df59402e68bf144c42594
MD5 hash: 8d1d4103bd038fe2cd8e33505a5d5682
humanhash: kentucky-sweet-michigan-fruit
File name:Teams_Version_Installer2025.msi
Download: download sample
Signature njrat
Create hunting rule
File size:77'484'544 bytes
First seen:2025-08-12 03:36:48 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:bwUhgbdA09z/3vOISo+IAAiCQW5CJplxIIKV92xxxRe3u:bN0A09D+o+IAApQuaK3+xRg
TLSH T13B083321B17739A8D61FA3BFE0B85FC884346DE17317E96B23787BB146B164261B1843
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:CHN jx20250731-com msi NjRAT


Avatar
iamaachum
https://qwe1.wsourt.top/Teams/ and https://qwe1.gxdsjkj.top/Teams/ => https://pan.seeoss.com/f/Ejd4sw/Teams_Version_Installer2025.zip

C2: jx20250731.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689ab70bc633abe3908e1a9d
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug base64 cmd expired-cert fingerprint lolbin wix
Link:
https://www.filescan.io/uploads/689ab701397fd3ce6fa58c1c/reports/0a5ec469-55f3-4ba8-8011-111ea1e0e31e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7c2769b905c5142f6236c48b071aef3ed4ec9895e7c132a868c725bb43a064e7
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/7c2769b905c5142f6236c48b071aef3ed4ec9895e7c132a868c725bb43a064e7
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1755022
Signature
Contain functionality to detect virtual machines
Creates an undocumented autostart registry key
Drops password protected ZIP file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1755022 Sample: Teams_Version_Installer2025.msi Startdate: 12/08/2025 Architecture: WINDOWS Score: 88 108 Malicious sample detected (through community Yara rule) 2->108 110 Contain functionality to detect virtual machines 2->110 112 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->112 114 2 other signatures 2->114 9 msiexec.exe 17 94 2->9         started        12 MSTeamsSetup.exe 5 2->12         started        14 msiexec.exe 12 2->14         started        process3 file4 62 C:\Program Files (x86)\...\MSTeamsSetup.exe, PE32 9->62 dropped 64 C:\Windows\Installer\MSIFBC0.tmp, PE32 9->64 dropped 66 C:\Windows\Installer\MSIF8B2.tmp, PE32 9->66 dropped 76 5 other files (none is malicious) 9->76 dropped 16 msiexec.exe 8 23 9->16         started        20 msiexec.exe 9->20         started        22 msiexec.exe 9->22         started        68 C:\Users\user\AppData\Local\...\Update.exe, PE32 12->68 dropped 24 Update.exe 18 19 12->24         started        70 C:\Users\user\AppData\Local\...\MSIB66E.tmp, PE32 14->70 dropped 72 C:\Users\user\AppData\Local\...\MSIB63E.tmp, PE32 14->72 dropped 74 C:\Users\user\AppData\Local\...\MSIB553.tmp, PE32 14->74 dropped 78 4 other files (none is malicious) 14->78 dropped process5 dnsIp6 88 103.235.46.102 BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd Hong Kong 16->88 54 C:\Users\user\zndiouasnd14480312\749ju.exe, PE32+ 16->54 dropped 56 C:\Users\user\...\vstdlib.dll, PE32+ 16->56 dropped 58 C:\Users\user\...\vcruntime140_1.dll, PE32+ 16->58 dropped 60 3 other files (none is malicious) 16->60 dropped 26 749ju.exe 3 12 16->26         started        90 13.89.179.10 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->90 92 20.42.65.85 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->92 94 4 other IPs or domains 24->94 30 ms-teams.exe 24->30         started        file7 process8 dnsIp9 80 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 26->80 dropped 82 C:\Users\user\AppData\...\pleurotonus.exe, PE32+ 26->82 dropped 84 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32+ 26->84 dropped 86 2 other files (none is malicious) 26->86 dropped 122 Creates an undocumented autostart registry key 26->122 124 Modifies the context of a thread in another process (thread injection) 26->124 126 Maps a DLL or memory area into another process 26->126 33 explorer.exe 3 26->33         started        102 13.69.116.108 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->102 104 13.89.179.8 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->104 106 52.123.129.14 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 30->106 37 msedgewebview2.exe 30->37         started        39 ms-teamsupdate.exe 30->39         started        41 ms-teamsupdate.exe 30->41         started        43 9 other processes 30->43 file10 signatures11 process12 dnsIp13 96 168.76.70.194 ULTRANETSERVICOSEMINTERNETLTDABR South Africa 33->96 116 System process connects to network (likely due to code injection or exploit) 33->116 118 Tries to detect sandboxes / dynamic malware analysis system (QueryWinSAT) 33->118 120 Maps a DLL or memory area into another process 37->120 45 msedgewebview2.exe 37->45         started        48 msedgewebview2.exe 37->48         started        50 msedgewebview2.exe 37->50         started        52 2 other processes 37->52 signatures14 process15 dnsIp16 98 150.171.22.17 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 45->98 100 1.1.1.1 CLOUDFLARENETUS Australia 45->100
Score:
11%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/7c2769b905c5142f6236c48b071aef3ed4ec9895e7c132a868c725bb43a064e7
Gathering data
Verdict:
Malicious
Threat:
Win32.Trojan.Generic
Link:
https://tip.neiki.dev/file/7c2769b905c5142f6236c48b071aef3ed4ec9895e7c132a868c725bb43a064e7
Threat name:
Win64.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-08-12 03:42:42 UTC
File Type:
Binary (Archive)
Extracted files:
5507
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250812-d6rqzsdn3z/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Loads dropped DLL
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a088702e-09d6-40f7-91a5-45512d64cc2e
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7c2769b905c5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Microsoft Software Installer (MSI) msi 7c2769b905c5142f6236c48b071aef3ed4ec9895e7c132a868c725bb43a064e7

(this sample)

  
Link
https://tria.ge/250812-dzgx7svlz5/behavioral2
  
Delivery method
Distributed via web download

Comments