MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec4b7dadd05d47dafc327563e32c148c1e5897ad7a6867084917aa642044c2bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Sazoora
Vendor detections: 21



SHA256 hash: ec4b7dadd05d47dafc327563e32c148c1e5897ad7a6867084917aa642044c2bf
SHA3-384 hash: 07c3df4a28f5125564a3c053a27aac84f2ecdee3e30a4f048783ad941ed4ad050e8acc08d717adf5c770bf4162a99bee
SHA1 hash: 67314caa0d581df0f8f01f6213d604eec1695d83
MD5 hash: 176bcd107f362818222aae3b88eb4418
humanhash: island-mobile-alabama-michigan
File name: 176BCD107F362818222AAE3B88EB4418.exe
Signature: Sazoora
File size: 6'199'100 bytes
First seen: 2026-02-03 19:00:23 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b4070734502a100c8f90bbd445995533 (11 x CryptOne, 5 x DCRat, 2 x njrat)
ssdeep: 98304:kuWJXcGT5HMPWuPoGuAejO9i7B/csB5oQLu/Y1LMN3mHkbF:kSG9HCryO96B/NnioLM7p
TLSH: T1C156336179C788B2C6B727779A4ABF13D438B4251B018DDF574482AD7CA05E2EE307A3
TrID:
  91.0% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
  1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  1.5% (.EXE) Win32 Executable (generic) (4504/4/1)
  0.6% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: abuse_ch
Tags: exe Sazoora


abuse_ch
Sazoora C2:
41.40.113.25:3737

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC: 41.40.113.25:3737
ThreatFox Reference: https://threatfox.abuse.ch/ioc/1740852/

Intelligence


File Origin
# of uploads: 1
# of downloads: 129
Origin country: NL
Vendor Threat Intelligence
Malware configuration found for: Archives, AutoIt, PyInstaller
Details:
  Archives: SFX commands and extracted archive contents
  AutoIt: extracted scripts and files
  PyInstaller: a compiled assembly and a Python version
Malware family:
ID: 1
File name: 176BCD107F362818222AAE3B88EB4418.exe
Verdict: Malicious activity
Analysis date: 2026-02-03 19:03:30 UTC
Tags: auto-startup auto-reg python anti-evasion rat njrat bladabindi remote backdoor xworm

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: bladabindi vmdetect autorun njrat
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file in the %temp% subdirectories
Creating a file
Creating a file in the %AppData% subdirectories
Running batch commands
Creating a process with a hidden window
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: crypt expand fingerprint installer installer lolbin microsoft_visual_cc overlay packed packed packed python sfx
Result
Verdict: Malicious
File Type: exe x32
First seen: 2026-01-30T22:42:00Z UTC
Last seen: 2026-01-30T23:51:00Z UTC
Hits: ~10
Result
Threat name:
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Binary is likely a compiled AutoIt script file
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Drops PE files with benign system names
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Unusual module load detection (module proxying)
Uses netsh to modify the Windows network and firewall settings
Yara detected Njrat
Behaviour
Behavior Graph (ID: 1862751; Sample: 3ayPMsIv38.exe; Start date: 03/02/2026; Architecture: WINDOWS; Score: 100)

Top-level signatures: dl3.sytes.net (DNS); Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

Process tree (dropped files and signatures are listed under the process they belong to):

3ayPMsIv38.exe
  dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\Users\user\AppData\...\idm_trial_reset.exe (PE32)
  signatures: Drops PE files with benign system names
  svchost.exe
    dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); C:\Users\user\AppData\Local\...\python38.dll (PE32+); 6 other files (none is malicious)
    signatures: Multi AV Scanner detection for dropped file; Drops PE files to the startup folder; Uses netsh to modify the Windows network and firewall settings; 2 other signatures
    svchost.exe
      dropped: C:\Users\user\AppData\...\win_update.exe (PE32+); C:\Users\user\AppData\...\win_logon.exe (PE32+); C:\Users\user\AppData\...\svchost_task.exe (PE32)
      signatures: Creates multiple autostart registry keys
      cmd.exe
        svchost_task.exe
          signatures: Multi AV Scanner detection for dropped file
          svchost.exe
            network: dl3.sytes.net 41.40.113.25, 3737, 49724 (TE-ASTE-ASEG Egypt)
            dropped: C:\...\1fbfd3a69fbd5fffd0825bf36dbd2721.exe (PE32)
            signatures: System process connects to network (likely due to code injection or exploit); Protects its processes via BreakOnTermination flag; Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys
            netsh.exe
              conhost.exe
        conhost.exe
  idm_trial_reset.exe
    dropped: C:\Users\user\AppData\Local\...\SetACLx64.exe (PE32+); C:\Users\user\AppData\Local\...\SetACLx32.exe (PE32)
    signatures: Binary is likely a compiled AutoIt script file
win_update.exe
  dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); 7 other files (none is malicious)
  signatures: Multi AV Scanner detection for dropped file
  win_update.exe
svchost.exe
  signatures: Changes security center settings (notifications, updates, antivirus, firewall)
  MpCmdRun.exe
    conhost.exe
7 other processes
  dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); C:\Users\user\AppData\Local\...\python38.dll (PE32+); 15 other files (none is malicious)
  win_update.exe
  win_logon.exe
Threat name: Win32.Malware.Heuristic
Status: Malicious
First seen: 2026-01-06 17:35:50 UTC
File Type: PE (Exe)
Extracted files: 494
AV detection: 21 of 36 (58.33%)
Threat level: 2/5
Verdict: malicious
Label(s): autoit unc_loader_051 njrat
Similar samples:
Result
Malware family:
Score: 10/10
Tags: family:njrat botnet:hacked defense_evasion discovery persistence privilege_escalation pyinstaller trojan upx
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
AutoIT Executable
UPX packed file
Adds Run key to start application
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Modifies Windows Firewall
Njrat family
njRAT/Bladabindi
Malware Config
C2 Extraction: dl3.sytes.net:3737
Unpacked files
SHA256 hash: ec4b7dadd05d47dafc327563e32c148c1e5897ad7a6867084917aa642044c2bf
MD5 hash: 176bcd107f362818222aae3b88eb4418
SHA1 hash: 67314caa0d581df0f8f01f6213d604eec1695d83

SHA256 hash: 296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf
MD5 hash: 89511df61678befa2f62f5025c8c8448
SHA1 hash: df3961f833b4964f70fcf1c002d9fd7309f53ef8

SHA256 hash: a388665fb90f5084ff9ccb42d218ae9b9251abd9a9cd49242ce31c3898ce35ab
MD5 hash: 564a6585a3cb0320506a24d4591c364e
SHA1 hash: 0e9fd5dc39257762006f5cd63ee9ae297eeacbac

Detections: PyInstaller
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AutoIT_Compiled
Author: @bartblaze
Description: Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SelfExtractingRAR
Author: Xavier Mertens
Description: Detects an SFX archive with automatic script execution

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Suspicious_Process
Author: Security Research Team
Description: Suspicious process creation

Rule name: UPXProtectorv10x2
Author: malware-lu

Rule name: UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Author: malware-lu

Rule name: upx_largefile
Author: k3nr9

Rule name: YahLover
Author: Kevin Falcoz
Description: YahLover

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments