MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7
SHA3-384 hash: b33ca7386dae9892ee328c96c0e8a51eec1dc7ad44b2c65ec2950bfad3cdef7649ba778f0d920138e60d6e433f1298c4
SHA1 hash: c4962129ce6428103d4b14889c5d6aa5c8ed1df3
MD5 hash: 165f714d9fb5354c9e14a1c8786d705e
humanhash: foxtrot-johnny-early-tango
File name:d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7
Download: download sample
Signature njrat
Create hunting rule
File size:842'752 bytes
First seen:2026-06-08 08:29:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'010 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 24576:91YhwZtMPqFpZNBjdmLtdCnl3nRWkhgKPMG:9ywDNBjQdO3kkWIM
Threatray 24 similar samples on MalwareBazaar
TLSH T188050118621DC91AC0568FB55C62E1F427B45E98E821D2839FEA3EFFF8773504A09787
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:exe NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/17db0912-2892-41df-a789-e9db12bdeb77/
Malware family:
n/a
ID:
1
File name:
d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7
Verdict:
Malicious activity
Analysis date:
2026-05-22 06:34:12 UTC
Tags:
netreactor xworm remote
Link:
https://app.any.run/tasks/f3484d2c-d1c9-47ac-b3da-0614595f5c7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
XWorm
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69520/
Detection(s):
SecuriteInfo.com.Trojan.Inject6.55096.31856754.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a267e03ae2f98c00a68ba42
Tags:
autorun virus shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Setting a global event handler for the keyboard
Connection attempt to an infection source
Adding an exclusion to Microsoft Defender
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context crypt krypt obfuscated packed xworm
Link:
https://www.filescan.io/uploads/6a267d801f652d68656d90c6/reports/a65c9089-d4fd-46b9-ac7e-390c3896f14a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-21T14:21:00Z UTC
Last seen:
2026-06-08T03:20:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8e153163-8840-4c51-a387-c6d16ef0717e
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2026-05-21 17:52:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
25 of 36 (69.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2m54kvro7vlladyrhm5ljzr2dtnj4z22rolkv6gv62cfpgctiwtq._file
Verdict:
malicious
Label(s):
xworm
Create hunting rule
zgrat
Create hunting rule
Similar samples:
301aacc4bac5acd89177dfa0ed6fbafc8460f58a7e9a1b546187372ca6883e2c
njrat
59264e23039aa0aa0c5c376715c0d353cef4e52e055bd0da423dc8d2abef127f
njrat
797a4574316768c9e35bca960303066617e47069c78ea1f1d949cfa3535eb2de
njrat
a312f9d970cce223d5ae325b879331f6c81b8449c8ce11e702d41f74a82e9f6a
njrat
f9b5586faacc3149e8cc0cbd920bdb8f58a6e8b57bd2acbe9215f61cdd2ea3a3
njrat
+ 14 additional samples on MalwareBazaar
Result
Malware family:
xworm
Create hunting rule
Score:
  10/10
Tags:
family:xworm collection discovery execution persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/260608-kd1lraav4n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Detect Xworm Payload
Family: Xworm
Unpacked files
SH256 hash:
d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7
MD5 hash:
165f714d9fb5354c9e14a1c8786d705e
SHA1 hash:
c4962129ce6428103d4b14889c5d6aa5c8ed1df3
Link:
https://www.unpac.me/results/eb262855-3268-4ab9-830c-a6332c81e898/
SH256 hash:
30b8da6a6c14adb7188e67f556e4e4abdc4e0a47db4008b7a2930c21dbdf59c2
MD5 hash:
c25420b73d0fe1dd63cf91b94c810225
SHA1 hash:
8d54643580d5d5952e74ec53ebf93b91e398e9de
Link:
https://www.unpac.me/results/eb262855-3268-4ab9-830c-a6332c81e898/
SH256 hash:
68bdf7b90d605624562fc983b56ba384e5925d9776f3a3148418b604241546d5
MD5 hash:
11c337dba9369c44bc0fa7f79bb022f8
SHA1 hash:
a2317bc2342cfa73fb7e15dddc6d68c25c1c00f8
Link:
https://www.unpac.me/results/eb262855-3268-4ab9-830c-a6332c81e898/
SH256 hash:
cf5dafb0fd320378be54ed47d552dd872b7b343994ddba51e3a1cd2b30d176d3
MD5 hash:
d6e222077074b587ef0fb07636e43284
SHA1 hash:
ddcb6634e0e88f4b9ce66562d951e608a8d843cf
Link:
https://www.unpac.me/results/eb262855-3268-4ab9-830c-a6332c81e898/
SH256 hash:
d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7
MD5 hash:
165f714d9fb5354c9e14a1c8786d705e
SHA1 hash:
c4962129ce6428103d4b14889c5d6aa5c8ed1df3
Link:
https://www.unpac.me/results/eb262855-3268-4ab9-830c-a6332c81e898/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d33bc5562efd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d33bc5562efd56b00f113b3ab4e63a1cda9e675a8b96aaf8d5f68457985345a7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69520/

Comments