MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec1821b4b58057f765fba0c43293211bac3adef584aa0080838a05c496bb9886. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec1821b4b58057f765fba0c43293211bac3adef584aa0080838a05c496bb9886
SHA3-384 hash: e84399259d786b8033bb35ab7be5e01d909afd316a7fc1e0c46760608363a0e1fd15a4cc53a19fabcc86e9b34bb92253
SHA1 hash: 39eea611fc82ef143a1ef282a9dc32b9607cc80b
MD5 hash: 91e8a963ba28561adffbcea2293b3c8b
humanhash: white-idaho-beer-xray
File name:dwm.bat
Download: download sample
Signature njrat
Create hunting rule
File size:88'055 bytes
First seen:2025-05-21 20:47:03 UTC
Last seen:Never
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:KLJACmJZYWZtN4isT2luzc1sEO5hrkbmEKFfM9xb2rXkF5yA1OWR+h1FiO:K9buHeis6luzCOAX2rXkvLMWkF1
Threatray 959 similar samples on MalwareBazaar
TLSH T156833FBFCAA2BEC4039EB4E15D9E3B46148A0BE3EF755F2CB9D1059114446DABE3610C
Magika vba
Reporter BastianHein
Tags:bat NjRAT

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
CL CL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dwm.bat
Verdict:
No threats detected
Analysis date:
2025-05-21 20:47:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a12bc8d-02c1-468e-8470-3dee7fcd0714

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.BAT.Obfus-3.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682e3c9a2f280a98fb42fa5c
Tags:
autorun xtreme shell virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 evasive obfuscated powershell
Link:
https://www.filescan.io/uploads/682e3bdb171e01f959299cc5/reports/189f5460-c65f-41a6-ab6c-cb785a2bbc1e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ec1821b4b58057f765fba0c43293211bac3adef584aa0080838a05c496bb9886
Result
Threat name:
Batch Injector, Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1696295
Signature
.NET source code contains a sample name check
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Yara detected Batch Injector
Yara detected Njrat
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1696295 Sample: dwm.bat Startdate: 21/05/2025 Architecture: WINDOWS Score: 100 80 greataggy2.linkpc.net 2->80 86 Found malware configuration 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 Multi AV Scanner detection for submitted file 2->90 92 13 other signatures 2->92 8 cmd.exe 1 2->8         started        11 cmd.exe 1 2->11         started        13 cmd.exe 1 2->13         started        15 16 other processes 2->15 signatures3 process4 signatures5 98 Suspicious powershell command line found 8->98 100 Bypasses PowerShell execution policy 8->100 17 cmd.exe 3 8->17         started        21 conhost.exe 8->21         started        23 cmd.exe 2 11->23         started        25 conhost.exe 11->25         started        27 cmd.exe 2 13->27         started        29 conhost.exe 13->29         started        31 cmd.exe 2 15->31         started        33 cmd.exe 2 15->33         started        35 30 other processes 15->35 process6 file7 58 C:\Users\user\dwm.bat:Zone.Identifier, ASCII 17->58 dropped 60 C:\Users\user\dwm.bat, ASCII 17->60 dropped 84 Suspicious powershell command line found 17->84 37 powershell.exe 2 20 17->37         started        42 conhost.exe 17->42         started        44 powershell.exe 23->44         started        46 conhost.exe 23->46         started        48 powershell.exe 27->48         started        50 conhost.exe 27->50         started        52 2 other processes 31->52 54 2 other processes 33->54 56 28 other processes 35->56 signatures8 process9 dnsIp10 82 greataggy2.linkpc.net 196.251.88.201, 1008 Web4AfricaZA Seychelles 37->82 62 C:\Users\user\AppData\Roaming\...\c673.bat, ASCII 37->62 dropped 94 Drops script or batch files to the startup folder 37->94 96 Found suspicious powershell code related to unpacking or dynamic code loading 37->96 64 C:\Users\user\AppData\Roaming\...\cb51.bat, ASCII 44->64 dropped 66 C:\Users\user\AppData\Roaming\...\ccd6.bat, ASCII 48->66 dropped 68 C:\Users\user\AppData\Roaming\...\a2b9.bat, ASCII 52->68 dropped 70 C:\Users\user\AppData\Roaming\...\604a.bat, ASCII 54->70 dropped 72 C:\Users\user\AppData\Roaming\...\c866.bat, ASCII 56->72 dropped 74 C:\Users\user\AppData\Roaming\...\b79a.bat, ASCII 56->74 dropped 76 C:\Users\user\AppData\Roaming\...\9a74.bat, ASCII 56->76 dropped 78 11 other malicious files 56->78 dropped file11 signatures12
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/ec1821b4b58057f765fba0c43293211bac3adef584aa0080838a05c496bb9886
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec1821b4b58057f765fba0c43293211bac3adef584aa0080838a05c496bb9886/
Threat name:
Script-BAT.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-05-14 15:35:40 UTC
File Type:
Text
AV detection:
7 of 24 (29.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5qmcdnfvqbl7ozp3udcdfezbdowdvxxvqsvabaedric4jfv3tcda._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
3f24a0243264894973daaddd665b311850024f99a47f935ca6ecba0d95f5f283
njrat
53e7894d66feb041ed109fd8b440c9feb1a5c9caab514528fc53cc905e048c75
njrat
5ece27b3e65f784b3248f7209ba4c43cdbfbece692bfdd683cb4a0ae672ec701
njrat
8d6616972a50eab040c2a0722115578bbe912f0fce295392b4d864fdbb680359
njrat
ca912d6c76152192dd0e1ce436ff328ae29973b912919cbb398dc7efd412ecfe
njrat
error
njrat
+ 949 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat discovery execution trojan
Link:
https://tria.ge/reports/250521-zk187acl8w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops startup file
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Njrat family
njRAT/Bladabindi
Malware Config
C2 Extraction:
greataggy2.linkpc.net:1008
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec1821b4b58057f765fba0c43293211bac3adef584aa0080838a05c496bb9886

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments