MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860
SHA3-384 hash: b09c57a00ec5c01af9178cd7b66e83d809262954c6c7ae24016f4bd9d25312522e927c4960f06327dba315d90b27a6d0
SHA1 hash: f825ebd2682f13782c50c37a447e13a43f61dd74
MD5 hash: 9ece38dcd2362f9476263fad64f49b50
humanhash: triple-moon-avocado-low
File name:file
Download: download sample
Signature njrat
Create hunting rule
File size:1'012'736 bytes
First seen:2025-11-17 22:32:01 UTC
Last seen:2025-11-17 22:34:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 60559adcf3698c3eb3c69577ebf28413 (1 x njrat)
ssdeep 24576:9fz79P7T0z/c+Gzu9IGUC5rsHCDwfQ09U4rug:9fn9P7Qjc+gu96C6HeHMzSg
Threatray 67 similar samples on MalwareBazaar
TLSH T16F2533DAB2D79C45C1BAB3B13DE4FD6F0AC4391D0A96D27A1FC841D63D43360E9A2618
TrID 38.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.6% (.ICL) Windows Icons Library (generic) (2059/9)
15.4% (.EXE) OS/2 Executable (generic) (2029/13)
15.2% (.EXE) Generic Win/DOS Executable (2002/3)
15.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543 NjRAT


Avatar
Bitsight
url: http://178.16.55.189/files/762279693/PLxmlr8.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
111
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860.exe
Verdict:
Malicious activity
Analysis date:
2025-11-17 22:32:31 UTC
Tags:
auto-reg pulsar rat crypto-regex
Link:
https://app.any.run/tasks/f61c1c57-2d2b-4c11-9401-f6edd1665a46

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/38509/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=691ba276bdb0ec3a9dc2e3a0
Tags:
autorun spawn sage remo
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Creating a file in the %AppData% directory
Launching a process
DNS request
Connection attempt
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto hacktool packed
Link:
https://www.filescan.io/uploads/691ba274a4e47f6c207206cc/reports/f8970ec2-89ba-40ed-a992-83d854a9a3ee/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-17T19:53:00Z UTC
Last seen:
2025-11-19T06:40:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.MSIL.Agent.sb Trojan.Win64.DonutInjector.sb Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb Trojan.MSIL.Quasar.a Trojan.MSIL.Agent.sb Backdoor.MSIL.Agent.sb PDM:Trojan.Win32.Generic Trojan.Win64.Agentb.sb PDM:Trojan.Win32.Tasker.cust HEUR:Trojan-Banker.MSIL.ClipBanker.gen Backdoor.MSIL.PulsarRAT.sb Backdoor.MSIL.PulsarRAT.b
Link:
https://opentip.kaspersky.com/f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c01ce786-89a0-4059-90b4-221de14e53b0
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/9ece38dcd2362f9476263fad64f49b50
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-11-17 22:32:23 UTC
File Type:
PE+ (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6tsnttduvqvross6hpcbykpoup54x2tz74zpjfjvxnvfnrsshbqa._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
quasarrat
Create hunting rule
Similar samples:
0455ebce0a62e2413a730a8e172cde5e6171d2a3569c4620c7e10a6ff04a3710
njrat
3df1c2d8cb6357dec23ffe7083d6058c300419519ee7b34efcfba3a0384ea08b
njrat
4c11c9bbd2047a1e8dc2fe3ed94c2d74914ff45e79cbd8b48fcd5c3f5eebe39d
njrat
5796230cdd9dac9064551b7e0aeecd62ff2c25808dfe854e774c54815f66c741
njrat
b6dcacaf75735e6be8c056532acf62de6bf3f58e7447b2e9dc1b0013605d9511
njrat
e6a5b25f6908df2812d77e1b071f71002eae1c6584da91bbb571d073c2ec2c6b
njrat
error
njrat
+ 57 additional samples on MalwareBazaar
Result
Malware family:
quasar
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:quasar execution loader persistence spyware trojan
Link:
https://tria.ge/reports/251117-2f4vmafq5y/
Behaviour
Scheduled Task/Job: Scheduled Task
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Executes dropped EXE
Detects DonutLoader
DonutLoader
Donutloader family
Quasar RAT
Quasar family
Quasar payload
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4cc70779-c15b-4ae2-91de-15a001912f57
Unpacked files
SH256 hash:
f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860
MD5 hash:
9ece38dcd2362f9476263fad64f49b50
SHA1 hash:
f825ebd2682f13782c50c37a447e13a43f61dd74
Link:
https://www.unpac.me/results/ece70568-bf90-43c6-9059-7f9173ffbafe/
Malware family:
DonutLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f4e4d9cc74ac/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Executable exe f4e4d9cc74ac2b174a5e3bc41c29eea3fbcbea79ff32f49535bb6a56c6523860

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3710822/
Cape
Cape
https://www.capesandbox.com/analysis/38509/

Comments