MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cafafa6e44ae28fbbd219a8cd26d487d50c2910409c8d9854d937f137e458fdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cafafa6e44ae28fbbd219a8cd26d487d50c2910409c8d9854d937f137e458fdd
SHA3-384 hash: 228339ce0bbe135639fbed9e9969ef1a9fc0587f33584fed5d16cac0afb97289b808782ad7a646090297041a93e3b93f
SHA1 hash: 77333d3184b355bbd64eebc6b3eaac6d31507c4a
MD5 hash: 11f3b8c61c970028a0a34152b06e43f2
humanhash: nitrogen-ack-nevada-tennessee
File name:cafafa6e44ae28fbbd219a8cd26d487d50c2910409c8d9854d937f137e458fdd
Download: download sample
Signature njrat
Create hunting rule
File size:815'616 bytes
First seen:2026-06-08 09:27:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'067 x AgentTesla, 20'020 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 12288:MYvFwID62wz/Nn3FBjPPWC5ZkKfOTZWIlYcCjvAX+aMQ6WWci0fMs:RdX62GjPL5ZBfOTfWAX+DjWQ0fp
Threatray 27 similar samples on MalwareBazaar
TLSH T11105121CAB02C903C9516BB85AB2F3B9223D9DD9A441D317DFDDBDEFB9279064D0408A
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/90f2cc36-2336-47b4-841a-30d82ea04a47/
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69775/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a268b593e9eff6a6b68ba05
Tags:
stration micro shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context agenttesla formbook krypt packed
Link:
https://www.filescan.io/uploads/6a268b551f652d68656db98f/reports/082a7b90-4ff1-4b9c-bd0c-cde7dae1af8d/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/cafafa6e44ae28fbbd219a8cd26d487d50c2910409c8d9854d937f137e458fdd
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-11T04:34:00Z UTC
Last seen:
2026-06-08T08:43:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/cafafa6e44ae28fbbd219a8cd26d487d50c2910409c8d9854d937f137e458fdd/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/99775069-a0cd-464f-b33e-5897d149565f
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cafafa6e44ae28fbbd219a8cd26d487d50c2910409c8d9854d937f137e458fdd
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cafafa6e44ae28fbbd219a8cd26d487d50c2910409c8d9854d937f137e458fdd/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2026-05-11 09:54:03 UTC
AV detection:
16 of 22 (72.73%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
xworm
Create hunting rule
unc_loader_031
Create hunting rule
Similar samples:
2c9b3c39034f94822de07d1a2d8c27a816b9d217f913d2551d3658f581738b8d
njrat
37583d1fa739505aa8918110340d06fa4cd5660be5e6b5e4c2999d8b57951209
njrat
9fcba21de2fba1e9eee5e341ae7da8601fd1e30ab3d2b3954586b96586c7cb0b
njrat
a312f9d970cce223d5ae325b879331f6c81b8449c8ce11e702d41f74a82e9f6a
njrat
f9b5586faacc3149e8cc0cbd920bdb8f58a6e8b57bd2acbe9215f61cdd2ea3a3
njrat
+ 17 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260608-le85ysbt4l/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Unpacked files
SH256 hash:
cafafa6e44ae28fbbd219a8cd26d487d50c2910409c8d9854d937f137e458fdd
MD5 hash:
11f3b8c61c970028a0a34152b06e43f2
SHA1 hash:
77333d3184b355bbd64eebc6b3eaac6d31507c4a
Link:
https://www.unpac.me/results/1dbe3801-1b07-4fff-83cb-db2750517486/
SH256 hash:
a4b665156468ac54e6a352bf8002f7987c8e365919e2bc23372a1b2e619bf811
MD5 hash:
ef649abf532a985505ccd7151154c4d2
SHA1 hash:
314db11b738c59a05083dd4c2bab26a37e7cb679
Link:
https://www.unpac.me/results/1dbe3801-1b07-4fff-83cb-db2750517486/
SH256 hash:
cf5dafb0fd320378be54ed47d552dd872b7b343994ddba51e3a1cd2b30d176d3
MD5 hash:
d6e222077074b587ef0fb07636e43284
SHA1 hash:
ddcb6634e0e88f4b9ce66562d951e608a8d843cf
Link:
https://www.unpac.me/results/1dbe3801-1b07-4fff-83cb-db2750517486/
SH256 hash:
12f050eaa6648e1315a32a39cc55b86e2547890d306f1ee8dd5ce3d6d88c4d20
MD5 hash:
1f9ec5a51ced7af0f974838b3992b455
SHA1 hash:
fd335d4f6781337228131d4b5cd1aef966d167d5
Link:
https://www.unpac.me/results/1dbe3801-1b07-4fff-83cb-db2750517486/
SH256 hash:
cafafa6e44ae28fbbd219a8cd26d487d50c2910409c8d9854d937f137e458fdd
MD5 hash:
11f3b8c61c970028a0a34152b06e43f2
SHA1 hash:
77333d3184b355bbd64eebc6b3eaac6d31507c4a
Link:
https://www.unpac.me/results/1dbe3801-1b07-4fff-83cb-db2750517486/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cafafa6e44ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cafafa6e44ae28fbbd219a8cd26d487d50c2910409c8d9854d937f137e458fdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69775/

Comments