MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bfc67c5bc98de4693e91dd9ccff75b01eed7f8148341f721b2e8dc78da54891a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bfc67c5bc98de4693e91dd9ccff75b01eed7f8148341f721b2e8dc78da54891a
SHA3-384 hash: 26c5d0cae1f44be12e34c8b15d8ad1666423fe219034e02663bf7d62dd30ddbaed4df4534c2486d6f9ce4aeef4aba7ba
SHA1 hash: cc140db5cd689d403cdc3f0ca5dca9da86375657
MD5 hash: bbee93a0ac50ba30615cce0c5bbccc73
humanhash: nebraska-mirror-september-twenty
File name:output1761640754.bat
Download: download sample
Signature njrat
Create hunting rule
File size:118'342 bytes
First seen:2025-10-28 09:10:09 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 3072:Y5s8/jTGu0Zp4wcU3ExeObIO9zVpT8AFHuG3qHhCqbu+Pl8bh:G3jTGu0Zp4wcU3ExeObIO9zVpgUqHhCb
Threatray 63 similar samples on MalwareBazaar
TLSH T11EC30869C767F89C02ED6CDC75E92A4D2E488E7BF52039188C2057F806F7D5C9B1AB48
Magika batch
Reporter abuse_ch
Tags:bat NjRAT RAT


Avatar
abuse_ch
njrat C2:
196.251.88.245:7805

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
196.251.88.245:7805 https://threatfox.abuse.ch/ioc/1628007/

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
output1761640754.bat
Verdict:
Malicious activity
Analysis date:
2025-10-28 09:15:03 UTC
Tags:
auto-startup susp-powershell rat njrat bladabindi remote backdoor api-base64
Link:
https://app.any.run/tasks/04e9a812-409e-4c79-8d66-b7e95df1c7e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34468/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690088a29942f1282ec99737
Tags:
obfuscate autorun xtreme shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Launching cmd.exe command interpreter
Creating a file
Delayed writing of the file
Launching a process
Сreating synchronization primitives
Creating a window
Connection attempt
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/690088aac85c5c5697389a0e/reports/83b57dbb-a82b-42ad-b692-93b474011e24/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/bfc67c5bc98de4693e91dd9ccff75b01eed7f8148341f721b2e8dc78da54891a
Verdict:
Malicious
File Type:
unix shell
First seen:
2025-10-28T06:25:00Z UTC
Last seen:
2025-10-30T05:05:00Z UTC
Hits:
~100
Detections:
Trojan.BAT.Agent.sb HEUR:Trojan.PowerShell.Tesre.sb Backdoor.MSIL.Bladabindi.sb Trojan.PowerShell.AmsiBypass.sb PDM:Trojan.Win32.Generic HEUR:Trojan.BAT.Tesre.gen Backdoor.Bladabindi.TCP.C&C Backdoor.Agent.TCP.C&C
Link:
https://opentip.kaspersky.com/bfc67c5bc98de4693e91dd9ccff75b01eed7f8148341f721b2e8dc78da54891a/results?tab=lookup
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1803086
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Yara detected Njrat
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1803086 Sample: output1761640754.bat Startdate: 28/10/2025 Architecture: WINDOWS Score: 100 95 Suricata IDS alerts for network traffic 2->95 97 Found malware configuration 2->97 99 Malicious sample detected (through community Yara rule) 2->99 101 12 other signatures 2->101 8 cmd.exe 1 2->8         started        11 cmd.exe 1 2->11         started        13 cmd.exe 1 2->13         started        15 10 other processes 2->15 process3 signatures4 105 Suspicious powershell command line found 8->105 17 cmd.exe 1 8->17         started        19 conhost.exe 8->19         started        21 cmd.exe 1 11->21         started        23 conhost.exe 11->23         started        25 cmd.exe 1 13->25         started        27 conhost.exe 13->27         started        29 cmd.exe 1 15->29         started        31 cmd.exe 1 15->31         started        33 18 other processes 15->33 process5 process6 35 cmd.exe 2 17->35         started        38 cmd.exe 1 21->38         started        40 cmd.exe 1 25->40         started        42 cmd.exe 1 29->42         started        44 cmd.exe 1 31->44         started        46 cmd.exe 33->46         started        48 cmd.exe 33->48         started        50 cmd.exe 33->50         started        52 5 other processes 33->52 signatures7 103 Suspicious powershell command line found 35->103 54 2 other processes 35->54 59 2 other processes 38->59 61 2 other processes 40->61 63 2 other processes 42->63 65 2 other processes 44->65 67 2 other processes 46->67 69 2 other processes 48->69 71 2 other processes 50->71 73 10 other processes 52->73 process8 dnsIp9 93 196.251.88.245, 49692, 7805 Web4AfricaZA Seychelles 54->93 75 C:\Users\user\AppData\Roaming\...\3f6d.bat, ASCII 54->75 dropped 107 Drops script or batch files to the startup folder 54->107 109 Found suspicious powershell code related to unpacking or dynamic code loading 54->109 111 Loading BitLocker PowerShell Module 54->111 77 C:\Users\user\AppData\Roaming\...\a47e.bat, ASCII 59->77 dropped 79 C:\Users\user\AppData\Roaming\...\5bfb.bat, ASCII 61->79 dropped 81 C:\Users\user\AppData\Roaming\...\0044.bat, ASCII 63->81 dropped 83 C:\Users\user\AppData\Roaming\...\a0c1.bat, ASCII 65->83 dropped 85 C:\Users\user\AppData\Roaming\...\711b.bat, ASCII 67->85 dropped 87 C:\Users\user\AppData\Roaming\...\2d3e.bat, ASCII 69->87 dropped 89 C:\Users\user\AppData\Roaming\...\8369.bat, ASCII 71->89 dropped 91 5 other malicious files 73->91 dropped file10 signatures11
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/bfc67c5bc98de4693e91dd9ccff75b01eed7f8148341f721b2e8dc78da54891a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bfc67c5bc98de4693e91dd9ccff75b01eed7f8148341f721b2e8dc78da54891a/
Verdict:
Malicious
Threat:
Backdoor.MSIL.Bladabindi
Link:
https://tip.neiki.dev/file/bfc67c5bc98de4693e91dd9ccff75b01eed7f8148341f721b2e8dc78da54891a
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-28 09:10:56 UTC
File Type:
Text (Batch)
AV detection:
5 of 23 (21.74%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=x7dhyw6jrxsgspur3wom7523ahxnp6auqna7oins5dohrwsurena._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
1258d87d3ab4fd25b34bcc44160aa1112bf2f5652078f3bb224313caa33ca4e0
njrat
1e1fbd670fe9bf85942895e60c487d9eeb247acffd4c890ab75c1a5a50512998
njrat
32d605dc2e89607318b9039a6511ca4c91d770f9dfc514d89fe5232c7b269008
njrat
54b32bcf49895b56cc5a2f15fbefd0ed30ee9aef1aafbcf4eaf2f288e8384617
njrat
750178918522765b83b32510dce10c8cf9614ae72b95539f93b8ba7088bb1779
njrat
9c7bccc9beab63a3ebf8995eb4ad568c15e7b65421e11fadbac663d4bc8ef792
njrat
bfc67c5bc98de4693e91dd9ccff75b01eed7f8148341f721b2e8dc78da54891a
njrat
cb989e4fdf9c4b22e13f3d308eed92711a441e8323d08f395f41a76e03a97dcf
njrat
ccd0bc3f23955382d4a81c446cd7cb6ad7eaf12d1c450928b1849c082c43c483
njrat
error
njrat
f75bc578269b2286c78a711a0cc932ba6b57e1e2642b883847400c44c8bb57f5
njrat
+ 53 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat discovery execution trojan
Link:
https://tria.ge/reports/251028-k5hv1stmdm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Command and Scripting Interpreter: PowerShell
Drops startup file
Badlisted process makes network request
Njrat family
njRAT/Bladabindi
Malware Config
C2 Extraction:
196.251.88.245:7805
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bfc67c5bc98de4693e91dd9ccff75b01eed7f8148341f721b2e8dc78da54891a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34468/

Comments