MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be3f43b06cfbfc1221116. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 18


Intelligence 18 IOCs 1 YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be3f43b06cfbfc1221116
SHA3-384 hash: 535eb6f9e257533be7496d5c35d9abfb7c4c0b136ad79f99e650fb856db2fc73028de272e34a5ff19450ec07f5920833
SHA1 hash: 65cd1c1f530c35e90f6623d399241c8d2fc4bcc6
MD5 hash: 7f110c32c70fbed51d84a636223b6a9a
humanhash: echo-william-iowa-oven
File name:d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be.exe
Download: download sample
Signature njrat
Create hunting rule
File size:12'481'262 bytes
First seen:2025-08-14 18:30:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 027ea80e8125c6dda271246922d4c3b0 (10 x njrat, 7 x DCRat, 5 x DarkComet)
ssdeep 196608:huApgkkuisXptEQ3dcCfUn3+nWOZe9FRm5raMVAYZsW7JZ33SKywt5g45uygvLri:hVptvXplUnOWB9/m5ZGCf33SdKorpwf1
TLSH T1DDC63332B98F4470C463A832B520A101A53ABCB9157D4A67DBF9695EFBB34D17237B03
TrID 91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
0.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 823a34b48de9e5f8 (1 x njrat)
Reporter abuse_ch
Tags:exe NjRAT RAT


Avatar
abuse_ch
njrat C2:
193.161.193.99:33942

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
193.161.193.99:33942 https://threatfox.abuse.ch/ioc/1568638/

Intelligence

File Origin
# of uploads :
1
# of downloads :
121
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
njrat
Create hunting rule
ID:
1
File name:
d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be3f43b06cfbfc1221116.exe
Verdict:
Malicious activity
Analysis date:
2025-08-14 18:17:46 UTC
Tags:
python rat njrat bladabindi auto-reg pyinstaller
Link:
https://app.any.run/tasks/d8ce730a-2ebf-488c-809b-f25d51f8d7eb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Njrat
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21437/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689e2b8b48c64d68735c6afe
Tags:
bladabindi njrat
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Searching for the window
Сreating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer microsoft_visual_cc obfuscated packed packer_detected sfx
Link:
https://www.filescan.io/uploads/689e2b799ef4d2ff7cfd95d0/reports/3167b68f-5a3b-45ed-af55-413422847501/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be3f43b06cfbfc1221116
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c1f413d2-7e8e-4a99-8ef4-eebec8479218
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1757344
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Disables zone checking for all users
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Yara detected Python Keylogger
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1757344 Sample: d7324ca700e51ac896e6506c339... Startdate: 14/08/2025 Architecture: WINDOWS Score: 100 56 mortaza1-33942.portmap.host 2->56 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 7 other signatures 2->72 12 d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be.exe 1 10 2->12         started        15 sergfhjhgfdver.exe 3 2->15         started        17 sergfhjhgfdver.exe 2 2->17         started        19 sergfhjhgfdver.exe 2 2->19         started        signatures3 process4 file5 50 C:\Users\user\AppData\...\protected_final.exe, PE32+ 12->50 dropped 21 protected_final.exe 86 12->21         started        process6 file7 40 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 21->40 dropped 42 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 21->42 dropped 44 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 21->44 dropped 46 61 other malicious files 21->46 dropped 74 Multi AV Scanner detection for dropped file 21->74 25 protected_final.exe 2 21->25         started        signatures8 process9 file10 48 C:\Users\user\AppData\...\tmpyvh97i_f.exe, PE32 25->48 dropped 28 tmpyvh97i_f.exe 1 5 25->28         started        process11 file12 52 C:\Users\user\AppData\...\sergfhjhgfdver.exe, PE32 28->52 dropped 76 Multi AV Scanner detection for dropped file 28->76 32 sergfhjhgfdver.exe 4 4 28->32         started        signatures13 process14 dnsIp15 54 mortaza1-33942.portmap.host 193.161.193.99, 33942, 49690, 49693 BITREE-ASRU Russian Federation 32->54 58 Multi AV Scanner detection for dropped file 32->58 60 Protects its processes via BreakOnTermination flag 32->60 62 Disables zone checking for all users 32->62 64 3 other signatures 32->64 36 netsh.exe 2 32->36         started        signatures16 process17 process18 38 conhost.exe 36->38         started       
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be3f43b06cfbfc1221116
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/7f110c32c70fbed51d84a636223b6a9a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be3f43b06cfbfc1221116/
Verdict:
Malicious
Threat:
Backdoor.MSIL.Bladabindi
Link:
https://tip.neiki.dev/file/d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be3f43b06cfbfc1221116
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-08-14 17:04:00 UTC
File Type:
PE (Exe)
Extracted files:
990
AV detection:
15 of 38 (39.47%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=24zezjya4unmrfxgkbwdhe4urw7r2p62vwn6h5b3a3h37qjccela._file
Verdict:
malicious
Label(s):
unc_loader_051
Create hunting rule
Similar samples:
error
njrat
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:hackedjhf defense_evasion discovery persistence privilege_escalation pyinstaller trojan
Link:
https://tria.ge/reports/250814-w52tnszsdz/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Njrat family
njRAT/Bladabindi
Malware Config
C2 Extraction:
mortaza1-33942.portmap.host:33942
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/768ced23-816a-49ac-a142-464a1bdf3b1f
Unpacked files
SH256 hash:
d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be3f43b06cfbfc1221116
MD5 hash:
7f110c32c70fbed51d84a636223b6a9a
SHA1 hash:
65cd1c1f530c35e90f6623d399241c8d2fc4bcc6
Link:
https://www.unpac.me/results/bdfe6178-9e27-4434-8023-3472807cecdd/
SH256 hash:
e8cdd375c48f3021f3d9fdfcc67cb71b2f855eb65f0a1cfb9eb2714cf6341cff
MD5 hash:
b87c6c9d7c4eed12cab01763eef98fab
SHA1 hash:
02ef96508edad129fa27e9499ceb1cd6ada62819
Detections:
PyInstaller
Create hunting rule
Link:
https://www.unpac.me/results/bdfe6178-9e27-4434-8023-3472807cecdd/
Parent samples :
e8cdd375c48f3021f3d9fdfcc67cb71b2f855eb65f0a1cfb9eb2714cf6341cff
d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be3f43b06cfbfc1221116
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d7324ca700e5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d7324ca700e51ac896e6506c3393948dbf1d3fdaad9be3f43b06cfbfc1221116

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:dcrat_
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked dcrat malware samples.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21437/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AllocConsole
KERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateHardLinkW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW

Comments