MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c6fedce36ff816688c229ee0436a1d17cd209ef8d808c229e95b438316f5327a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

njrat

Vendor detections: 21

Intelligence 21 IOCs 1 YARA 23 File information Comments

SHA256 hash:	c6fedce36ff816688c229ee0436a1d17cd209ef8d808c229e95b438316f5327a
SHA3-384 hash:	40a5b62425c5c577fcb11fe3dcef7635563d9ab898f26aa45002ca21a4a1f8d0bbc81614c8bb45f43256583a8939bf0b
SHA1 hash:	3757adac0698163f393344423c28052dfcf07fd6
MD5 hash:	9623fe63214549e540a3b44883b22299
humanhash:	video-whiskey-pizza-tango
File name:	0c6fedce36ff816688c229ee0436a1d17cd209ef8d808.exe
Download:	download sample
Signature	njrat Create hunting rule
File size:	290'816 bytes
First seen:	2025-08-17 16:40:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	9222d372923baed7aa9dfa28449a94ea (11 x AsyncRAT, 10 x RedLineStealer, 9 x NanoCore)
ssdeep	6144:jSncRQyCEsE3KvMILp44j3eO1aYtYY5mFTK7n:W4FCEsSzIXaYKTy
Threatray	70 similar samples on MalwareBazaar
TLSH	T160545C06B6A940BAD17F9A7889A24901E776BC539771D3CF079039BB1F32BC08E39751
TrID	36.8% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 15.7% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 13.6% (.EXE) UPX compressed Win32 Executable (27066/9/6) 13.4% (.EXE) Win32 EXE Yoda's Crypter (26569/9/4) 5.3% (.EXE) Win64 Executable (generic) (10522/11/4)
Magika	pebin
Reporter	abuse_ch
Tags:	exe NjRAT RAT

abuse_ch

njrat C2:
154.194.35.243:6677

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOC	ThreatFox Reference
154.194.35.243:6677	https://threatfox.abuse.ch/ioc/1570486/

Intelligence

File Origin

# of uploads :

# of downloads :

125

Origin country :

Vendor Threat Intelligence

Malware family:

njrat

ID:

File name:

0c6fedce36ff816688c229ee0436a1d17cd209ef8d808.exe

Verdict:

Malicious activity

Analysis date:

2025-08-17 16:43:11 UTC

Tags:

njrat rat bladabindi

Link:

https://app.any.run/tasks/98083a2a-a339-4a4d-9851-2f34c07e6a1e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Njrat

Link:

https://www.capesandbox.com/analysis/21838/

Detection(s):

Sanesecurity.Malware.28946.BadP.UNOFFICIAL

SecuriteInfo.com.Malware.PDB-1846.UNOFFICIAL

PUA.Win.Packer.AcprotectUltraprotect-1

Win.Dropper.njRAT-10015886-0

Win.Dropper.Nanocore-10030076-0

Win.Trojan.Generic-6417450-0

Win.Trojan.Generic-6454614-0

Win.Trojan.Generic-6454615-0

Win.Trojan.Bladabindi-6192388-0

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a2061d8fd55a79c5287fbf

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a process from a recently created file

Launching a process

Searching for synchronization primitives

Creating a window

Unauthorized injection to a recently created process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm base64 cmd dllhost dotnet explorer hacktool lolbin lolbin microsoft_visual_cc njrat njrat overlay packed packed rat reconnaissance rundll32 schtasks windows winnti

Link:

https://www.filescan.io/uploads/68a20616abfbaec3182449c0/reports/255506b8-7af6-4435-a1c2-176a1625e5e6/overview

Verdict:

Malicious

Labled as:

HackTool/Vbinder

Link:

https://www.hybrid-analysis.com/sample/c6fedce36ff816688c229ee0436a1d17cd209ef8d808c229e95b438316f5327a

Malware family:

njRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/72fbf210-2218-49ab-8e8f-15802010b4dd

Result

Threat name:

Binder HackTool, Njrat

Detection:

malicious

Classification:

phis.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1758850

Signature

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Contains functionality to log keystrokes (.Net Source)

Disables zone checking for all users

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Binder HackTool

Yara detected Njrat

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c6fedce36ff816688c229ee0436a1d17cd209ef8d808c229e95b438316f5327a

Verdict:

njRat

YARA:

9 match(es)

Tags:

.Net Executable Managed .NET njRat PDB Path PE (Portable Executable) PE File Layout RAT SOS: 0.29 Win 32 Exe x86

Malware Config

C2 Extraction:

CNC: yohlkdt3m.localto.net
PORT: 6677

Link:

https://app.malva.re/file/9623fe63214549e540a3b44883b22299

Detection:

njrat

Link:

https://mwdb.cert.pl/sample/c6fedce36ff816688c229ee0436a1d17cd209ef8d808c229e95b438316f5327a/

Threat name:

Win32.Ransomware.DarkyLock

Status:

Malicious

First seen:

2025-08-17 15:58:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y37nzy3p7algrdbct3qeg2q5c7gsbhxy3aemekpjlnbygfxvgj5a._file

Verdict:

malicious

Label(s):

njrat

5c7b2bc74dbb2d43630626b607a27c4019237a47c4d81235369559e9273b420e

njrat

9861d8828259e579724fc67bc8d79b8182ef637b8ad2e7a3f87a66a5b3704493

njrat

a7deeabed9261564ba79c04d3909539ec31bada0b1c4e16755d759f742fb9818

njrat

a98abe1af289f9c8f8fef5ca90d889296f22a5f417fd7688185fc9ae5f5e88fc

njrat

c6fedce36ff816688c229ee0436a1d17cd209ef8d808c229e95b438316f5327a

njrat

d4c27c364fcabbe316eb39b8f9dbcd6fdc089a0a70277eeeade5a5173b49c4c5

njrat

error

njrat

+ 60 additional samples on MalwareBazaar

Result

Malware family:

njrat

Score:

10/10

Tags:

family:njrat discovery trojan upx

Link:

https://tria.ge/reports/250817-t6y33awpx3/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

UPX packed file

Checks computer location settings

Executes dropped EXE

Njrat family

njRAT/Bladabindi

Verdict:

Malicious

Tags:

keylogger rat njrat revenge Win.Dropper.njRAT-10015886-0

YARA:

Malware_QA_update malware_Njrat_strings Windows_Trojan_Njrat_30f3c220 MAL_Njrat MALWARE_Win_NjRAT JPCERTCC_Njrat RevengeRAT_Sep17

Link:

https://app.threat.zone/submission/8efe0552-2e0a-49d3-806e-57fcdef289a4

Unpacked files

SH256 hash:

c6fedce36ff816688c229ee0436a1d17cd209ef8d808c229e95b438316f5327a

MD5 hash:

9623fe63214549e540a3b44883b22299

SHA1 hash:

3757adac0698163f393344423c28052dfcf07fd6

Detections:

win_njrat_w1

NjRat

Link:

https://www.unpac.me/results/75bd539c-95c8-4238-9ced-a703c2f61ac3/

SH256 hash:

82360abdcc1261ad9690add4b2d2ffec869abfc23be859444b10c92fbdb58714

MD5 hash:

68667234dfeb3ccb8d9366b186dc1163

SHA1 hash:

797598e878a8952d42d1e1d2b0d3e14e4bb63433

Link:

https://www.unpac.me/results/75bd539c-95c8-4238-9ced-a703c2f61ac3/

SH256 hash:

585f182fccf58a52584664fd66c58c080951f9deef4bed4fd772226e8f524ec8

MD5 hash:

83b3e47f5dab95b828610a96917e2c9f

SHA1 hash:

74dd7a20b6aecbf9df11c2d6fe9f13b5bd57f429

Detections:

win_njrat_w1

NjRat

MAL_Winnti_Sample_May18_1

CN_disclosed_20180208_c

Unknown_Malware_Sample_Jul17_2

Njrat

INDICATOR_SUSPICIOUS_EXE_RawPaste_URL

MALWARE_Win_NjRAT

Link:

https://www.unpac.me/results/75bd539c-95c8-4238-9ced-a703c2f61ac3/

Parent samples :

c6fedce36ff816688c229ee0436a1d17cd209ef8d808c229e95b438316f5327a
585f182fccf58a52584664fd66c58c080951f9deef4bed4fd772226e8f524ec8
071085dd2b88ccbad112b380f7e51fbd34589c8e3a9266ff19f069b38e6175f6

Malware family:

RevengeRAT

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c6fedce36ff8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c6fedce36ff816688c229ee0436a1d17cd209ef8d808c229e95b438316f5327a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	INDICATOR_SUSPICIOUS_EXE_RawPaste_URL Create hunting rule
Author:	ditekSHen
Description:	Detects executables (downlaoders) containing URLs to raw contents of a paste

Rule name:	malware_Njrat_strings Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	Malware_QA_update Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	Malware_QA_update_RID2DAD Create hunting rule
Author:	Florian Roth
Description:	VT Research QA uploaded malware - file update.exe
Reference:	VT Research QA

Rule name:	MALWARE_Win_CelestyBinderLoader Create hunting rule
Author:	ditekSHen
Description:	Detects Celesty Binder loader

Rule name:	MALWARE_Win_NjRAT Create hunting rule
Author:	ditekSHen
Description:	Detects NjRAT / Bladabindi / NjRAT Golden

Rule name:	MAL_njrat Create hunting rule
Author:	SECUINFRA Falcon Team

Rule name:	Mal_WIN_NjRAT_RAT_PE Create hunting rule
Author:	Phatcharadol Thangplub
Description:	Use to detect NjRAT implant.

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	Njrat Create hunting rule
Author:	botherder https://github.com/botherder
Description:	Njrat

Rule name:	Njrat Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect njRAT in memory

Rule name:	njrat_ Create hunting rule
Author:	Michelle Khalil
Description:	This rule detects unpacked njrat malware samples.

Rule name:	Sus_CMD_Powershell_Usage Create hunting rule
Author:	XiAnzheng
Description:	May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

Rule name:	UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser Create hunting rule
Author:	malware-lu

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule

Rule name:	Windows_Trojan_Njrat_30f3c220 Create hunting rule
Author:	Elastic Security

Rule name:	win_njrat_w1 Create hunting rule
Author:	Brian Wallace @botnet_hunter <bwall@ballastsecurity.net>
Description:	Identify njRat

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/21838/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteA
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.DLL::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.DLL::TerminateProcess KERNEL32.DLL::LoadLibraryA KERNEL32.DLL::LoadLibraryW KERNEL32.DLL::GetStartupInfoW KERNEL32.DLL::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	KERNEL32.DLL::CreateFileA KERNEL32.DLL::GetWindowsDirectoryA KERNEL32.DLL::GetTempPathA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample