MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f97c58f228b8ab05b684db24292ded1e81b2202624b8ad12d8de4acbba517b0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f97c58f228b8ab05b684db24292ded1e81b2202624b8ad12d8de4acbba517b0d
SHA3-384 hash: a6dc4703425f7d543d71c6498de4aa80794f6d377156ae190fa991bd8c05761df2393a05d7f0691608e2e188f58465f9
SHA1 hash: 3aa5c5dccfc3ecce6b5eced88e3e157ef4d92f15
MD5 hash: edda1fce1f05edb3f7f493b5cf2f49c3
humanhash: bakerloo-edward-black-bravo
File name:sostener.vbs
Download: download sample
Signature njrat
Create hunting rule
File size:12'609 bytes
First seen:2025-09-24 16:28:44 UTC
Last seen:Never
File type:Visual Basic Script (vbs) vbs
MIME type:text/plain
ssdeep 384:eS2QEkYlKxtGu3aAjTxFrVsrV5ZhDyVNB4pU4A:ejojxwC
Threatray 1'078 similar samples on MalwareBazaar
TLSH T1BF42D0832906D1A8403606356D3B6D17BED11C12A1A16EB3BEDCDAC46F34B9FE2D358C
Magika vba
Reporter abuse_ch
Tags:NjRAT vbs

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28858/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d547b31e4783989051df49
Tags:
bladabindi njrat
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/68d41ef3674d5fd6aa0b6c0d/reports/cb6e2de2-1d52-4083-8b26-9d59307165cf/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f97c58f228b8ab05b684db24292ded1e81b2202624b8ad12d8de4acbba517b0d
Verdict:
Malicious
File Type:
vbs
First seen:
2025-09-23T16:02:00Z UTC
Last seen:
2025-09-23T16:02:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/f97c58f228b8ab05b684db24292ded1e81b2202624b8ad12d8de4acbba517b0d/results?tab=lookup
Result
Threat name:
Njrat, PureLog Stealer
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1783437
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Contains functionality to log keystrokes (.Net Source)
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Uses dynamic DNS services
VBScript performs obfuscated calls to suspicious functions
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Njrat
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1783437 Sample: sostener.vbs Startdate: 24/09/2025 Architecture: WINDOWS Score: 100 39 njcolombia8590.duckdns.org 2->39 41 pastebin.com 2->41 43 dpaste.org 2->43 53 Suricata IDS alerts for network traffic 2->53 55 Found malware configuration 2->55 57 Malicious sample detected (through community Yara rule) 2->57 63 15 other signatures 2->63 8 wscript.exe 1 2->8         started        11 svchost.exe 1 1 2->11         started        signatures3 59 Uses dynamic DNS services 39->59 61 Connects to a pastebin service (likely for C&C) 41->61 process4 dnsIp5 65 VBScript performs obfuscated calls to suspicious functions 8->65 67 Suspicious powershell command line found 8->67 69 Wscript starts Powershell (via cmd or directly) 8->69 71 3 other signatures 8->71 15 powershell.exe 12 8->15         started        18 powershell.exe 16 8->18         started        22 powershell.exe 14 16 8->22         started        51 127.0.0.1 unknown unknown 11->51 37 C:\ProgramData\Microsoft37etwork\...\qmgr.jfm, COM 11->37 dropped file6 signatures7 process8 dnsIp9 73 Writes to foreign memory regions 15->73 75 Injects a PE file into a foreign processes 15->75 24 InstallUtil.exe 2 2 15->24         started        27 conhost.exe 15->27         started        45 dpaste.org 104.20.36.119, 443, 49682 CLOUDFLARENETUS United States 18->45 33 C:\Users\user\AppData\Local\Temp\d.txt, ASCII 18->33 dropped 29 conhost.exe 18->29         started        47 pastebin.com 172.66.171.73, 443, 49681 CLOUDFLARENETUS United States 22->47 35 C:\Users\user\AppData\Local\...\data_exp.txt, ASCII 22->35 dropped 31 conhost.exe 22->31         started        file10 signatures11 process12 dnsIp13 49 njcolombia8590.duckdns.org 193.23.3.29, 49691, 8590 HOSTSLIM-GLOBAL-NETWORKNL unknown 24->49
Score:
35%
Verdict:
Susipicious
File Type:
SCRIPT
Link:
https://malprob.io/report/f97c58f228b8ab05b684db24292ded1e81b2202624b8ad12d8de4acbba517b0d
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f97c58f228b8ab05b684db24292ded1e81b2202624b8ad12d8de4acbba517b0d/
Verdict:
Malicious
Threat:
Family.NJRAT
Link:
https://tip.neiki.dev/file/f97c58f228b8ab05b684db24292ded1e81b2202624b8ad12d8de4acbba517b0d
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-24 16:39:04 UTC
File Type:
Text (VBS)
AV detection:
4 of 36 (11.11%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7f6fr4rixcvqlnue3mscslpnd2a3eibges4k2ewy3zfmxosrpmgq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
2803fb8dfd94517a466f941b6367751e2029d8959775ad02f71acead9e7acd19
njrat
33b9eeb13a32c6d3f60133bfd4796cfca83c6a573cf7255d259875a952dadea8
njrat
4c432c454b36e2e9b73faec7ca3404f582218583055db2602d5ba609e394eb9d
njrat
6def44dc1df43eea7558948636a1198532b41fe64b2aa6f45519a71163b78af5
njrat
778f865a655377b4fbbfa80c0bd46c0d3a91e5c5041e87017208a23151174ab7
njrat
99cfe13849d87766b3c10e12360915d7ee8201795806d8a2c148f705c3d7dab9
njrat
error
njrat
f9df0e50ffcebcef8aaaa4d7f4b87091b78cd893a46913115b9289501c059541
njrat
fed260507508e3c24632800ee2cd39e9c401cf6f84ebe3467979857cec2dfe9c
njrat
+ 1'068 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat discovery execution trojan
Link:
https://tria.ge/reports/250924-t3mkvsbj3z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Njrat family
njRAT/Bladabindi
Malware Config
C2 Extraction:
njcolombia8590.duckdns.org:8590
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f97c58f228b8ab05b684db24292ded1e81b2202624b8ad12d8de4acbba517b0d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:detect_tiny_vbs
Create hunting rule
Author:daniyyell
Description:Detects tiny VBS delivery technique
Rule name:SUSP_PowerShell_Base64_Decode
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects PowerShell code to decode Base64 data. This can yield many FP
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

njrat

Visual Basic Script (vbs) vbs f97c58f228b8ab05b684db24292ded1e81b2202624b8ad12d8de4acbba517b0d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3497558/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3497556/
Cape
Cape
https://www.capesandbox.com/analysis/28858/

Comments