MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40e390fb6d5e2cf463668. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 17


Intelligence 17 IOCs 1 YARA 26 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40e390fb6d5e2cf463668
SHA3-384 hash: c8b7b01b0af65563382fac6bc880477c7c1abb4353eccb5ee45df8b3b548d3d412a969b10a62b36589f300b3bfb5b251
SHA1 hash: 7f61a46436ec219bcd733d92c228d73be004478d
MD5 hash: 4f9d64127526b26134cad2586391d11f
humanhash: alaska-east-golf-happy
File name:d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40.exe
Download: download sample
Signature njrat
Create hunting rule
File size:29'226'798 bytes
First seen:2025-03-06 15:30:22 UTC
Last seen:2025-03-06 16:17:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e0a0e8f80bbd1a9c0078e57256f1c3d (5 x GCleaner, 4 x LummaStealer, 3 x CoinMiner)
ssdeep 393216:WAXQhBnCp1hTgYsd42jeUWz9IzroVCNUaf0oy7tjbRvUSLPVWl2zEXdjxvq24M4g:mLWwmiUVCO+x+tjbljCfNA24Md
TLSH T16C57335DEBA809F4FCF392BC98A04011E2767C9A5B70D30B1BD695A42F1B750DE2EB50
TrID 76.9% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
16.7% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
3.0% (.EXE) Win64 Executable (generic) (10522/11/4)
1.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
0.5% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 706969d0cccccccc (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
104.210.41.108:1177

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
104.210.41.108:1177 https://threatfox.abuse.ch/ioc/1442654/

Intelligence

File Origin
# of uploads :
2
# of downloads :
815
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40.exe
Verdict:
Malicious activity
Analysis date:
2025-03-06 15:31:49 UTC
Tags:
screenshot discord evasion blankgrabber stealer rat njrat bladabindi remote backdoor cheatengine tool github arch-exec winring0x64-sys vuln-driver loader
Link:
https://app.any.run/tasks/8ccb1ee1-1505-4fab-ace7-3cb2bdd87bf5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c9c21dc668b65489bf7962
Tags:
bladabindi njrat mint
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Running batch commands
Creating a process with a hidden window
DNS request
Connection attempt
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Creating a file
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug anti-vm bladabindi cmd coinminer config-extracted crypt crypto evasive expand fingerprint fingerprint installer krypt lolbin microsoft_visual_cc netsh njrat njrat overlay packed packer_detected rat sfx windows
Link:
https://www.filescan.io/uploads/67c9bfc73c5f644bd9466c8d/reports/f8fd829e-4854-40c4-b44b-6de27f139e60/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40e390fb6d5e2cf463668
Result
Verdict:
MALICIOUS
Result
Threat name:
Python Stealer, Blank Grabber, Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1631097
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Encrypted powershell cmdline option found
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies Windows Defender protection settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Script Execution From Temp Folder
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Writes or reads registry keys via WMI
Yara detected Blank Grabber
Yara detected Generic Python Stealer
Yara detected Njrat
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1631097 Sample: d1e371d754658620e3ea7abf8c4... Startdate: 06/03/2025 Architecture: WINDOWS Score: 100 80 ip-api.com 2->80 82 discord.com 2->82 102 Found malware configuration 2->102 104 Malicious sample detected (through community Yara rule) 2->104 106 Antivirus detection for dropped file 2->106 108 18 other signatures 2->108 12 d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40.exe 13 2->12         started        signatures3 process4 file5 72 C:\Users\user\AppData\Local\...\build.exe, PE32+ 12->72 dropped 74 C:\Users\user\AppData\Local\...\Setup.exe, PE32 12->74 dropped 76 C:\Users\user\...\Rename_Z60IHLDjO6.exe, PE32+ 12->76 dropped 78 2 other malicious files 12->78 dropped 130 Found many strings related to Crypto-Wallets (likely being stolen) 12->130 16 Built.exe 22 12->16         started        signatures6 process7 file8 58 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 16->58 dropped 60 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32+ 16->60 dropped 62 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 16->62 dropped 64 16 other malicious files 16->64 dropped 88 Multi AV Scanner detection for dropped file 16->88 90 Modifies Windows Defender protection settings 16->90 92 Adds a directory exclusion to Windows Defender 16->92 94 Removes signatures from Windows Defender 16->94 20 Built.exe 1 23 16->20         started        signatures9 process10 dnsIp11 84 ip-api.com 208.95.112.1, 49747, 80 TUT-ASUS United States 20->84 86 discord.com 162.159.136.232, 443, 49748, 49755 CLOUDFLARENETUS United States 20->86 110 Found many strings related to Crypto-Wallets (likely being stolen) 20->110 112 Tries to harvest and steal browser information (history, passwords, etc) 20->112 114 Modifies Windows Defender protection settings 20->114 116 2 other signatures 20->116 24 cmd.exe 1 20->24         started        27 cmd.exe 1 20->27         started        29 cmd.exe 20->29         started        31 20 other processes 20->31 signatures12 process13 signatures14 118 Suspicious powershell command line found 24->118 120 Encrypted powershell cmdline option found 24->120 122 Bypasses PowerShell execution policy 24->122 124 Adds a directory exclusion to Windows Defender 24->124 33 powershell.exe 23 24->33         started        36 conhost.exe 24->36         started        126 Modifies Windows Defender protection settings 27->126 128 Removes signatures from Windows Defender 27->128 38 powershell.exe 23 27->38         started        49 2 other processes 27->49 40 powershell.exe 29->40         started        43 conhost.exe 29->43         started        45 getmac.exe 31->45         started        47 systeminfo.exe 31->47         started        51 38 other processes 31->51 process15 file16 96 Loading BitLocker PowerShell Module 38->96 68 C:\Users\user\AppData\...\zv0fkii4.cmdline, Unicode 40->68 dropped 53 csc.exe 40->53         started        98 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 45->98 100 Writes or reads registry keys via WMI 45->100 70 C:\Users\user\AppData\Local\Temp\OWhcj.zip, RAR 51->70 dropped signatures17 process18 file19 66 C:\Users\user\AppData\Local\...\zv0fkii4.dll, PE32 53->66 dropped 56 cvtres.exe 53->56         started        process20
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40e390fb6d5e2cf463668
Gathering data
Threat name:
Win64.Trojan.Hydra
Create hunting rule
Status:
Malicious
First seen:
2025-03-04 13:34:00 UTC
File Type:
PE+ (Exe)
Extracted files:
624
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2hrxdv2umwdcby7kpk7yysop7zgnij6rvcsa4oipw3k6ft2ggzua._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
error
njrat
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:njrat family:xmrig bootkit collection defense_evasion discovery execution miner persistence privilege_escalation spyware stealer trojan upx
Link:
https://tria.ge/reports/250306-sxsz1s1zby/
Behaviour
Checks processor information in registry
Detects videocard installed
Gathers system information
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
NSIS installer
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
UPX packed file
Adds Run key to start application
Checks for any installed AV software in registry
Checks installed software on the system
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Writes to the Master Boot Record (MBR)
Checks computer location settings
Clipboard Data
Drops startup file
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Boot or Logon Autostart Execution: Active Setup
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection
Modifies Windows Firewall
Stops running service(s)
XMRig Miner payload
Njrat family
Xmrig family
njRAT/Bladabindi
xmrig
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4acf22c4-a3ec-4c02-aa99-6db8841673e3
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d1e371d75465/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d1e371d754658620e3ea7abf8c49cffe4cd427d1a8a40e390fb6d5e2cf463668

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:ldpreload
Create hunting rule
Author:xorseed
Reference:https://stuff.rop.io/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SelfExtractingRAR
Create hunting rule
Author:Xavier Mertens
Description:Detects an SFX archive with automatic script execution
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/
Rule name:upx_largefile
Create hunting rule
Author:k3nr9
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (FORCE_INTEGRITY)high
Reviews
IDCapabilitiesEvidence
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipAlloc
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments