MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 14


Intelligence 14 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa
SHA3-384 hash: c9028a4b5159fa91227264b5e8c15eb7fc394d8d2c57907b9975603ce060a0f7c37535d32ec71bbd6998304b985dd23f
SHA1 hash: 2dc57aacab86b90fa2c7b8bf40c723b62d0fd821
MD5 hash: cb4ef2a24ef3197958e33b2dcaa38e18
humanhash: charlie-lactose-cola-oxygen
File name:accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa
Download: download sample
Signature njrat
Create hunting rule
File size:805'888 bytes
First seen:2026-06-08 10:00:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'015 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 24576:QAie8GDDnSbP971UulGeMcjaaGIl7X5EN1:niyDnSbPv17MoaNId58
Threatray 74 similar samples on MalwareBazaar
TLSH T1400512686E2AC642D4E207B54BB3F2B263B85D8DE211C2575FD8BDEB38757142849313
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
133
Origin country :
HU HU
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/965fed4c-757b-4de0-8c33-610caba42b6a/
Malware family:
n/a
ID:
1
File name:
accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa.exe
Verdict:
Malicious activity
Analysis date:
2026-06-08 10:13:16 UTC
Tags:
auto-reg auto-startup
Link:
https://app.any.run/tasks/3941d27e-30c9-43e2-acd8-641c6fa33d23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70021/
Detection(s):
SecuriteInfo.com.Trojan.Siggen32.43377.26652.22601.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a2693bfae2f98c00a68d012
Tags:
infosteal virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context crypt formbook infostealer krypt packed
Link:
https://www.filescan.io/uploads/6a2693631f652d68656dea56/reports/8bb02c60-1082-402f-93dd-b78f6c70b56b/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-20T10:44:00Z UTC
Last seen:
2026-06-09T23:45:00Z UTC
Hits:
~1000
Detections:
VHO:Backdoor.Win32.Agent.gen Trojan.Win32.Agent.sb Trojan.MSIL.Crypt.sb Backdoor.Win32.Androm.sb PDM:Trojan.Win32.Generic Backdoor.Agent.TCP.C&C Trojan.MSIL.Inject.sb Trojan.MSIL.Agent.sb Trojan-Dropper.Win32.Injector.sb HEUR:Backdoor.MSIL.XWorm.gen Backdoor.MSIL.XWorm.b
Link:
https://opentip.kaspersky.com/accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/916953a1-77ad-4d14-a64f-8ee00f660dd2
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa/
Verdict:
Malicious
Threat:
Family.NJRAT
Link:
https://tip.neiki.dev/file/accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa
Threat name:
ByteCode-MSIL.Backdoor.FormBook
Create hunting rule
Status:
Malicious
First seen:
2026-05-20 14:11:46 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
xworm
Create hunting rule
Similar samples:
101bd5c2dc4ecb68e017d163bf7b8c472e12a3942cee6c9eed6ec70928409b26
njrat
2c9b3c39034f94822de07d1a2d8c27a816b9d217f913d2551d3658f581738b8d
njrat
68af66991e125976da13a5f0ea7bb2c47c255ec742e848064a9486302bd9babe
njrat
e18128d6e9657ce06424fbdb8af5cc6b23bbeda33fdbc13762318d11b24a22f4
njrat
f7352bc1213a3464d7abb529acfdfb8a6e272e77a8e8f88236ca70192635d02d
njrat
+ 64 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260608-l3mlvscx4t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
SmartAssembly .NET packer
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Unpacked files
SH256 hash:
accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa
MD5 hash:
cb4ef2a24ef3197958e33b2dcaa38e18
SHA1 hash:
2dc57aacab86b90fa2c7b8bf40c723b62d0fd821
Link:
https://www.unpac.me/results/a8258be4-03a7-4f00-9eb7-669204c87ec8/
SH256 hash:
7e5e42651838afcb21918d7c4cec7d2a3352a51bd32f572a8a889e47cedb7c89
MD5 hash:
bc5c24037c01c45d357e78aae1457f88
SHA1 hash:
8b6115e53004c4330550467a4d67c509dc98452b
Link:
https://www.unpac.me/results/a8258be4-03a7-4f00-9eb7-669204c87ec8/
SH256 hash:
835cf9098d7662bf0c3329d4cda2ba313e7e3b2049ce58b6900ebfec8af90f92
MD5 hash:
d10916752179f26cf47360b6ebb98633
SHA1 hash:
cbf100c57efd2ab6cae8c391c34fe34088a685da
Link:
https://www.unpac.me/results/a8258be4-03a7-4f00-9eb7-669204c87ec8/
SH256 hash:
cf5dafb0fd320378be54ed47d552dd872b7b343994ddba51e3a1cd2b30d176d3
MD5 hash:
d6e222077074b587ef0fb07636e43284
SHA1 hash:
ddcb6634e0e88f4b9ce66562d951e608a8d843cf
Link:
https://www.unpac.me/results/a8258be4-03a7-4f00-9eb7-669204c87ec8/
SH256 hash:
accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa
MD5 hash:
cb4ef2a24ef3197958e33b2dcaa38e18
SHA1 hash:
2dc57aacab86b90fa2c7b8bf40c723b62d0fd821
Link:
https://www.unpac.me/results/a8258be4-03a7-4f00-9eb7-669204c87ec8/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/accadfe65231/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/accadfe65231c7dea9502fc93f84a57550d9d814ca99d5ebcc8822dfba5556aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/70021/

Comments