MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

XRed

Vendor detections: 19

Intelligence 19 IOCs YARA 26 File information Comments

SHA256 hash:	924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363
SHA3-384 hash:	f8161ed6461f535ae5f4711e5a396a975ae72aea628acb8126be92799dbebafb82557df5383b0ef2abdee00f84160ba7
SHA1 hash:	e5949c9c74afa4ca115daed2964949af52ac3744
MD5 hash:	8e6fbdd7fc0717702501f87adaeb51a7
humanhash:	sixteen-winter-nebraska-whiskey
File name:	newmoonlightgui.exe
Download:	download sample
Signature	XRed Create hunting rule
File size:	12'293'632 bytes
First seen:	2025-08-10 23:17:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	332f7ce65ead0adfb3d35147033aabe9 (81 x XRed, 18 x SnakeKeylogger, 7 x DarkComet)
ssdeep	196608:VLlpNcv2I+mCOtSj9fZwQRCgjmpXHIEGn7jdfPjRMsqeXL2yrjAnDkyHL:VxpM+mLtew8ERIEgfPjSDNWCkyH
Threatray	431 similar samples on MalwareBazaar
TLSH	T159C62222B2D14477D1721A3D8C57D279983ABE512F24A54B3BF83E4F7F3B6812825293
TrID	93.3% (.EXE) Win32 Executable Borland Delphi 7 (664796/42/58) 1.9% (.EXE) Win32 Executable Delphi generic (14182/79/4) 1.4% (.EXE) Win64 Executable (generic) (10522/11/4) 1.4% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2) 0.6% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
dhash icon	c68333318143078e (1 x XRed)
Reporter	AntiSkidding
Tags:	exe xred

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

njrat

ID:

File name:

newmoonlightgui.exe

Verdict:

Malicious activity

Analysis date:

2025-08-10 23:08:36 UTC

Tags:

delphi njrat xred backdoor dyndns pyinstaller

Link:

https://app.any.run/tasks/ee8a34f5-33f8-4d0d-8f30-8abd6961aafb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/20006/

Detection(s):

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68992674c633abe3908da8e4

Tags:

bladabindi darkkomet delphi njrat

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a window

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug base64 borland_delphi cmd expand expired-cert fingerprint keylogger lolbin njrat njrat overlay packed rat reconnaissance threat windows

Link:

https://www.filescan.io/uploads/68992887397fd3ce6fa3d756/reports/3daebfe1-7a55-4cb9-90af-778502032348/overview

Verdict:

Malicious

Labled as:

Trojan.DarkKomet

Link:

https://www.hybrid-analysis.com/sample/924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363

Malware family:

XRed

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/4d47dc50-cf05-4cfd-bbc0-8fd5830f6145

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363/

Verdict:

Malicious

Threat:

Family.NJRAT

Link:

https://tip.neiki.dev/file/924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363

Threat name:

Win32.Virus.Napwhich

Status:

Malicious

First seen:

2025-08-10 23:08:48 UTC

File Type:

PE (Exe)

Extracted files:

978

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=sjfb7awzcgn57zolw2r6xbbvs2djz5pyg5ammmpu6nzsamkwunrq._file

Verdict:

malicious

Label(s):

xredbackdoor

XRed

3bc49481b663efe411b453cafe3b2f72fcb0e979a0823f73f6902bc6de90df02

XRed

6fe7c33b420058cd0260da2bf84c953fb4470395bdcc79aa29e1e359bfedbaac

XRed

807791fd5f44f0b96c2c3afac1477bf3ded4fe40c2479d84f22b0c40df0fec3e

XRed

924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363

XRed

df8d2aa31a1e622f675b28f46e5eb8d50e61606c5e182969b0376d0d1915062b

XRed

e2822abbdcd990bd187506aba7f44d2b5f0c28e526f12baa1fddfdcdeecf19b4

XRed

error

XRed

+ 421 additional samples on MalwareBazaar

Result

Malware family:

xred

Score:

10/10

Tags:

family:blankgrabber family:njrat family:xred backdoor discovery stealer trojan

Link:

https://tria.ge/reports/250810-29wq4scp8s/

Behaviour

Program crash

System Location Discovery: System Language Discovery

A stealer written in Python and packaged with Pyinstaller

Blankgrabber family

Njrat family

Xred

Xred family

blankgrabber

njRAT/Bladabindi

Malware Config

C2 Extraction:

xred.mooo.com

Verdict:

Malicious

Tags:

backdoor xred_backdoor rat njrat Win.Packed.Bladabindi-7994427-0

YARA:

mal_xred_backdoor Windows_Trojan_Njrat_30f3c220 MALWARE_Win_NjRAT ByteCode_MSIL_Backdoor_NjRAT

Link:

https://app.threat.zone/submission/c32b414f-9bc2-4c74-892f-1fcf70e8747b

Unpacked files

SH256 hash:

924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363

MD5 hash:

8e6fbdd7fc0717702501f87adaeb51a7

SHA1 hash:

e5949c9c74afa4ca115daed2964949af52ac3744

Detections:

win_njrat_w1

NjRat

Link:

https://www.unpac.me/results/c7d9d5b2-07b9-4dbe-b5c3-e118657577e1/

SH256 hash:

41ca3c2c7a51d75336e053983d5174e50119ef1ea8b4d2ad3b73616b9e5fce11

MD5 hash:

77fd461671e836a6ff77f991cfcb394a

SHA1 hash:

9f8b7682428bab8773e20d63a62ff2be03bc97ec

Detections:

win_njrat_g1

win_njrat_w1

NjRat

MALWARE_Win_NjRAT

Link:

https://www.unpac.me/results/c7d9d5b2-07b9-4dbe-b5c3-e118657577e1/

Parent samples :

924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363
41ca3c2c7a51d75336e053983d5174e50119ef1ea8b4d2ad3b73616b9e5fce11

SH256 hash:

b9eae90f8e942cc4586d31dc484f29079651ad64c49f90d99f86932630c66af2

MD5 hash:

c0ef4d6237d106bf51c8884d57953f92

SHA1 hash:

f1da7ecbbee32878c19e53c7528c8a7a775418eb

Link:

https://www.unpac.me/results/c7d9d5b2-07b9-4dbe-b5c3-e118657577e1/

SH256 hash:

12ce229f34d54b2dd7eb28ac47460ea8090d725ad435f832b0ed3e51d5b67f6f

MD5 hash:

b699327b32c5692d72f5469b3ab82bc2

SHA1 hash:

9431db403591b61384ecb2616d3137ddfae5c476

Link:

https://www.unpac.me/results/c7d9d5b2-07b9-4dbe-b5c3-e118657577e1/

Malware family:

njRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/924a1f82d911/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/924a1f82d9119bdfe5cbb6a3eb843596869cf5f83740c631f4f373203156a363

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BobSoftMiniDelphiBoBBobSoft Create hunting rule
Author:	malware-lu

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	botnet_plaintext_c2 Create hunting rule
Author:	cip
Description:	Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name:	ByteCode_MSIL_Backdoor_NjRAT Create hunting rule
Author:	ReversingLabs
Description:	Yara rule that detects NjRAT backdoor.

Rule name:	D1S1Gv11betaD1N Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	dependsonpythonailib Create hunting rule
Author:	Tim Brown
Description:	Hunts for dependencies on Python AI libraries

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	Detect_PyInstaller Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects PyInstaller compiled executables across platforms

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi / NjRAT Golden

Rule name:	Mal_WIN_NjRAT_RAT_PE Create hunting rule
Author:	Phatcharadol Thangplub
Description:	Use to detect NjRAT implant.

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	njrat_ Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked njrat malware samples.

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	vbaproject_bin Create hunting rule
Author:	CD_R0M_
Description:	{76 62 61 50 72 6f 6a 65 63 74 2e 62 69 6e} is hex for vbaproject.bin. Macros are often used by threat actors. Work in progress - Ran out of time

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule
Author:	Elastic Security

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/20006/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance
SECURITY_BASE_API	Uses Security Base API	advapi32.dll::AdjustTokenPrivileges
SHELL_API	Manipulates System Shell	shell32.dll::ShellExecuteExA
WIN32_PROCESS_API	Can Create Process and Threads	kernel32.dll::CreateProcessA advapi32.dll::OpenProcessToken kernel32.dll::OpenProcess kernel32.dll::CloseHandle wininet.dll::InternetCloseHandle kernel32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	kernel32.dll::TerminateProcess kernel32.dll::LoadLibraryExA kernel32.dll::LoadLibraryA kernel32.dll::GetDriveTypeA kernel32.dll::GetSystemInfo kernel32.dll::GetStartupInfoA
WIN_BASE_IO_API	Can Create Files	kernel32.dll::CopyFileA kernel32.dll::CreateDirectoryA kernel32.dll::CreateFileA kernel32.dll::CreateFileMappingA kernel32.dll::DeleteFileA kernel32.dll::MoveFileA
WIN_BASE_USER_API	Retrieves Account Information	kernel32.dll::GetComputerNameA advapi32.dll::GetUserNameA advapi32.dll::LookupPrivilegeValueA
WIN_REG_API	Can Manipulate Windows Registry	advapi32.dll::RegCreateKeyExA advapi32.dll::RegNotifyChangeKeyValue advapi32.dll::RegOpenKeyExA advapi32.dll::RegQueryValueExA advapi32.dll::RegSetValueExA
WIN_SVC_API	Can Manipulate Windows Services	advapi32.dll::OpenSCManagerA
WIN_USER_API	Performs GUI Actions	user32.dll::ActivateKeyboardLayout user32.dll::CreateMenu user32.dll::FindWindowA user32.dll::PeekMessageA user32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample