MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d15d2eb84261207cd71ae7acceb5534fcc2e520e656549d9c38f6b022f9f61e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 20


Intelligence 20 IOCs 1 YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d15d2eb84261207cd71ae7acceb5534fcc2e520e656549d9c38f6b022f9f61e7
SHA3-384 hash: 99ec1e7cabca9d2114786d1eb471729b09f0e8931d92b8479e73c07e17e2fa346ba9ef1d936b0cd3beaba86a04fbd5d4
SHA1 hash: b9aa7c426472f86a27e78a5b03dd71e7fcdc575f
MD5 hash: 3f3a9f60fc144db5711db0f5299854c0
humanhash: ink-triple-cup-beer
File name:soDD-noisrev3.1.exe
Download: download sample
Signature njrat
Create hunting rule
File size:288'256 bytes
First seen:2025-11-02 18:00:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'853 x AgentTesla, 19'780 x Formbook, 12'304 x SnakeKeylogger)
ssdeep 6144:F2wBWoxQniwPPt/uU9/UhcX7elbKTuq9bfF/H9d9n:F2joxQi6h3X3uO
Threatray 106 similar samples on MalwareBazaar
TLSH T16D54F16D1E95CD42EAD94C7504B3A37CD26C9DB36E0C4903D7687DA82B36E482E26333
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon b2b2b2bae8bab28c (19 x Formbook, 11 x AgentTesla, 10 x XWorm)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
147.185.221.212:4770

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
147.185.221.212:4770 https://threatfox.abuse.ch/ioc/1631291/

Intelligence

File Origin
# of uploads :
1
# of downloads :
295
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
soDD-noisrev3.1.exe
Verdict:
Malicious activity
Analysis date:
2025-11-02 17:25:36 UTC
Tags:
auto-reg auto-startup rat njrat bladabindi
Link:
https://app.any.run/tasks/48b3c68f-2c9c-4e24-96cc-a974ae914293

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35025/
Detection(s):
Win.Packed.Packy-10033570-0
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690794119942f1282ecb7a6e
Tags:
bladabindi njrat
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Creating a file in the %temp% directory
Launching a process
Creating a file
Creating a file in the %AppData% subdirectories
Searching for the window
Creating a window
Searching for synchronization primitives
DNS request
Connection attempt
Adding an access-denied ACE
Connection attempt to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Query of malicious DNS domain
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
packed vbnet
Link:
https://www.filescan.io/uploads/69079c76be20d933485b4e32/reports/da3a60d5-145e-41be-8566-ebfb2470bac7/overview
Verdict:
Malicious
Labled as:
MSIL.Cassiopeia.Generic
Link:
https://www.hybrid-analysis.com/sample/d15d2eb84261207cd71ae7acceb5534fcc2e520e656549d9c38f6b022f9f61e7
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-11-02T14:29:00Z UTC
Last seen:
2025-11-02T18:32:00Z UTC
Hits:
~10
Detections:
Backdoor.Agent.TCP.C&C Trojan.Win32.Agent.sb Trojan.MSIL.Agent.sb HEUR:Exploit.MSIL.BypassUAC.gen Backdoor.MSIL.Bladabindi.sb Trojan.Agent.UDP.C&C HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Crypt.gen Trojan-Spy.MSIL.Keylogger.sb Trojan.MSIL.Crypt.sb HEUR:Trojan-Dropper.MSIL.Agent.gen HEUR:Trojan.MSIL.Bingoml.gen Backdoor.Bladabindi.TCP.C&C
Link:
https://opentip.kaspersky.com/d15d2eb84261207cd71ae7acceb5534fcc2e520e656549d9c38f6b022f9f61e7/results?tab=lookup
Malware family:
ModernLoader
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/62ed7d74-3222-4fb7-b345-e40cf20647de
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
phis.troj.adwa.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1806611
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Disables zone checking for all users
Drops PE files to the startup folder
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Yara detected Njrat
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1806611 Sample: soDD-noisrev3.1.exe Startdate: 02/11/2025 Architecture: WINDOWS Score: 100 46 below-artificial.gl.at.ply.gg 2->46 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for dropped file 2->54 56 8 other signatures 2->56 9 soDD-noisrev3.1.exe 4 4 2->9         started        13 Microsoft Teams.exe 6 7 2->13         started        16 Microsoft Teams.exe 1 2->16         started        18 2 other processes 2->18 signatures3 process4 dnsIp5 38 C:\Users\user\AppData\Roaming\H-Output.exe, PE32 9->38 dropped 40 C:\Users\user\...\soDD-noisrev3.1.exe.log, CSV 9->40 dropped 62 Creates autostart registry keys with suspicious names 9->62 64 Creates multiple autostart registry keys 9->64 66 Bypasses PowerShell execution policy 9->66 68 Adds a directory exclusion to Windows Defender 9->68 20 H-Output.exe 2 9->20         started        24 powershell.exe 23 9->24         started        26 unarchiver.exe 4 9->26         started        48 below-artificial.gl.at.ply.gg 147.185.221.212, 4770 SALSGIVERUS United States 13->48 42 C:\Users\user\AppData\Roaming\...\Windows.exe, PE32 13->42 dropped 44 C:\Users\user\AppData\Roaming\...\Windows.exe, PE32 13->44 dropped 70 Disables zone checking for all users 13->70 file6 signatures7 process8 file9 36 C:\ProgramData\Microsoft Teams.exe, PE32 20->36 dropped 58 Antivirus detection for dropped file 20->58 60 Loading BitLocker PowerShell Module 24->60 28 WmiPrvSE.exe 24->28         started        30 conhost.exe 24->30         started        32 7za.exe 7 26->32         started        signatures10 process11 process12 34 conhost.exe 32->34         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d15d2eb84261207cd71ae7acceb5534fcc2e520e656549d9c38f6b022f9f61e7
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable Managed .NET PE (Portable Executable) PE File Layout SOS: 0.20 Win 32 Exe x86
Link:
https://app.malva.re/file/3f3a9f60fc144db5711db0f5299854c0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d15d2eb84261207cd71ae7acceb5534fcc2e520e656549d9c38f6b022f9f61e7/
Verdict:
Malicious
Threat:
Family.NJRAT
Link:
https://tip.neiki.dev/file/d15d2eb84261207cd71ae7acceb5534fcc2e520e656549d9c38f6b022f9f61e7
Threat name:
ByteCode-MSIL.Trojan.Cassiopeia
Create hunting rule
Status:
Malicious
First seen:
2025-11-02 17:25:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
22 of 23 (95.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2fos5occmeqhzvy246wm5nktj7gc4uqomvsutwodr5vqel47mhtq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
unc_loader_063
Create hunting rule
Similar samples:
899f59db7e0fb9731002fb1922785bc217ebb1f8183f30e3a2d2945620e99902
njrat
a21ea3be11dab8ff00566411bca41ea6c635ac29ed71bca8274da560387701c9
njrat
b683ba948e1d61180ff6a08d72f354e3280c260e7f8ff2cf3c9ca40bc9c76c4b
njrat
d15d2eb84261207cd71ae7acceb5534fcc2e520e656549d9c38f6b022f9f61e7
njrat
error
njrat
+ 96 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hacked execution persistence trojan
Link:
https://tria.ge/reports/251102-wl3lvscv6g/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Njrat family
njRAT/Bladabindi
Malware Config
C2 Extraction:
below-artificial.gl.at.ply.gg:4770
Verdict:
Malicious
Tags:
Win.Packed.Packy-10033570-0
YARA:
n/a
Link:
https://app.threat.zone/submission/d46a2777-2084-4657-8cd7-e5270c501862
Unpacked files
SH256 hash:
d15d2eb84261207cd71ae7acceb5534fcc2e520e656549d9c38f6b022f9f61e7
MD5 hash:
3f3a9f60fc144db5711db0f5299854c0
SHA1 hash:
b9aa7c426472f86a27e78a5b03dd71e7fcdc575f
Link:
https://www.unpac.me/results/8ff75724-027a-47b0-a6ab-a73df0626787/
SH256 hash:
353dd9e059db6fbaae1b7a34b08e01da38eadbf53320986dfeb7a2b136c8780f
MD5 hash:
ac6713882a0c13ae8fc2a9938d5aec1d
SHA1 hash:
292c7862126139979e5487d237df05475733f70c
Detections:
SUSP_NET_Large_Static_Array_In_Small_File_Jan24
Create hunting rule
Link:
https://www.unpac.me/results/8ff75724-027a-47b0-a6ab-a73df0626787/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d15d2eb84261/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d15d2eb84261207cd71ae7acceb5534fcc2e520e656549d9c38f6b022f9f61e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/35025/

Comments