MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea94990dab9af3f6a489f7bd47dc05b4acdb39fbc1f6c48512a59b7f4d42c300. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



njrat


Vendor detections: 15


SHA256 hash: ea94990dab9af3f6a489f7bd47dc05b4acdb39fbc1f6c48512a59b7f4d42c300
SHA3-384 hash: 9b4e617083370b74f48efd19e97f6a17f64518ff3b7ed59eed5409ae8efaeb0606404a22d9ec504ad6435c9298148f38
SHA1 hash: a6732680a617d9990e79b4ab37cf9d65386f2458
MD5 hash: efbab939355e13871fff64eb82a49577
humanhash: thirteen-fourteen-seventeen-november
File name: efbab939355e13871fff64eb82a49577.exe
Signature: njrat
File size: 2'715'152 bytes
First seen: 2025-07-03 01:50:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5cc20dc54b18fd8798eb9bed650113e1 (1 x Amadey, 1 x njrat)
ssdeep: 49152:yGPg5VO+prZnbngZM+lxqgjNDVBcKQyaB227fJ9jaZXDQWqOo3E:ywg5V/rbPiUgtcsQ1BpaZXD75
TLSH: T10DC533298890CD19C74F12B5A2CEC68744388A974BDD039A786F82B7E27D5CD8F71F91
TrID:
  29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
  9.1% (.EXE) OS/2 Executable (generic) (2029/13)
  9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
Reporter: abuse_ch
Tags: exe NjRAT RAT


abuse_ch
njrat C2:
82.147.84.124:1987

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 82.147.84.124:1987
ThreatFox reference: https://threatfox.abuse.ch/ioc/1552720/

Intelligence


File Origin
# of uploads: 1
# of downloads: 35
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
efbab939355e13871fff64eb82a49577.exe
Verdict:
Malicious activity
Analysis date:
2025-07-03 01:56:01 UTC
Tags:
amadey botnet stealer loader themida rdp auto-startup auto arkeistealer stealc telegram vidar rat njrat bladabindi lumma evasion susp-powershell auto-reg gcleaner attachments attc-unc netreactor purehvnc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
bladabindi vmdetect autorun spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file
Creating a window
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Sending a custom TCP request
Connection attempt to an infection source
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
microsoft_visual_cc obfuscated packed packed themidawinlicense zero zusy
Result
Threat name:
Amadey, Destiny Stealer, LummaC Stealer,
Detection:
malicious
Classification:
phis.troj.adwa.spyw.expl.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Connects to many IPs within the same subnet mask (likely port scanning)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to start a terminal service
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables zone checking for all users
Drops PE files to the startup folder
Drops script or batch files to the startup folder
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Performs DNS queries to domains with low reputation
Protects its processes via BreakOnTermination flag
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Drops script at startup location
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Malicious Base64 Encoded PowerShell Keywords in Command Lines
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded IEX Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Silenttrinity Stager Msbuild Activity
Sigma detected: Suspicious Eventlog Clear or Configuration Change
Sigma detected: Suspicious PowerShell Parameter Substring
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected AntiVM3
Yara detected Destiny Stealer
Yara detected LummaC Stealer
Yara detected Njrat
Yara detected Powershell decode and execute
Yara detected Stealc v2
Yara detected UAC Bypass using CMSTP
Yara detected Vidar stealer
Yara detected VioletWorm
Behaviour
Behavior Graph:
[Behavior graph not reproduced: Behavior Graph ID 1727695, sample Ym9HkOMgBz.exe, start date 03/07/2025, architecture WINDOWS, score 100]
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Threat name:
Win32.Trojan.Leonem
Status:
Malicious
First seen:
2025-06-28 02:03:35 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
23 of 24 (95.83%)
Threat level:
5/5
Result
Malware family:
Score:
10/10
Tags:
family:amadey family:destiny_stealer family:lumma family:njrat family:quasar family:vidar family:xworm botnet:0563f7b7ace99077cac73375f6f7cbf9 botnet:30b25e botnet:google chrome botnet:hacked botnet:test3 bootkit collection credential_access defense_evasion discovery execution persistence ransomware rat spyware stealer themida trojan
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Modifies registry key
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
AutoIT Executable
Drops file in System32 directory
Enumerates processes with tasklist
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Looks up external IP address via web service
Obfuscated Files or Information: Command Obfuscation
Writes to the Master Boot Record (MBR)
Checks BIOS information in registry
Checks computer location settings
Drops startup file
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Reads WinSCP keys stored on the system
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Contacts a large (1339) amount of remote hosts
Downloads MZ/PE file
Sets service image path in registry
Stops running service(s)
Uses browser remote debugging
Clears Windows event logs
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Amadey
Amadey family
Destiny Stealer
Destiny_stealer family
Detect Vidar Stealer
Detect Xworm Payload
Lumma Stealer, LummaC
Lumma family
Njrat family
Quasar RAT
Quasar family
Quasar payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Vidar family
Xworm
Xworm family
njRAT/Bladabindi
Malware Config
C2 Extraction: (extracted C2 list not reproduced)
Dropper Extraction:
http://176.46.157.32/testmine/random.exe
Unpacked files
SHA256 hash:
ea94990dab9af3f6a489f7bd47dc05b4acdb39fbc1f6c48512a59b7f4d42c300
MD5 hash:
efbab939355e13871fff64eb82a49577
SHA1 hash:
a6732680a617d9990e79b4ab37cf9d65386f2458
SHA256 hash:
704c116d81c98fc66a641d45b60c0247ebe56761e913b05e33bb82c7e7df55c6
MD5 hash:
225307d5703d6c2ea2af339531f7fa71
SHA1 hash:
ab51ea90e0750cd169508e652765c1945e56a8c7
Detections:
Amadey INDICATOR_EXE_Packed_Themida
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: pe_detect_tls_callbacks
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques
Rule name: win_amadey_062025
Author: 0x0d4y
Description: This rule detects intrinsic patterns of Amadey version 5.34.
Reference: https://0x0d4y.blog/amadey-targeted-analysis/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
CHECK_NX | Missing Non-Executable Memory Protection | critical

Reviews
ID | Capabilities | Evidence
AUTH_API | Manipulates User Authorization | ADVAPI32.dll::RevertToSelf
GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup

Comments