MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9df0e50ffcebcef8aaaa4d7f4b87091b78cd893a46913115b9289501c059541. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


njrat


Vendor detections: 13


Intelligence 13 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9df0e50ffcebcef8aaaa4d7f4b87091b78cd893a46913115b9289501c059541
SHA3-384 hash: 0d0662e057d13ca9d00895f3da8a35932ebcab449f1eb8b2c08d50733f7aa71432041ac56217183e4931cae7c09fede2
SHA1 hash: 62ff5acfb6ca367a6e426b765b15068e4c6c31aa
MD5 hash: 9003f47b3f40a0f18e565e438c55308a
humanhash: bravo-zebra-salami-texas
File name:L5PRICE QUOTEE.pdf.bat
Download: download sample
Signature njrat
Create hunting rule
File size:64'382 bytes
First seen:2025-09-03 09:50:13 UTC
Last seen:2025-09-03 13:43:27 UTC
File type:Batch (bat) bat
MIME type:text/plain
ssdeep 1536:/5ZcZzeefLI0FKT8sySBoWJw+N4i3JtK+SIt+hdKqV0jxOapnjkdOoynO7ke:/5Zc1bFh/i9pIQogKke
Threatray 695 similar samples on MalwareBazaar
TLSH T1D4536C07CF9F3E76FFA0020132EE98E52A5D275A02F08DAB3D4A8DD90E8646419D59F5
Magika txt
Reporter abuse_ch
Tags:bat NjRAT RAT


Avatar
abuse_ch
njrat C2:
196.251.83.209:5085

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
196.251.83.209:5085 https://threatfox.abuse.ch/ioc/1581107/

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
L5PRICEQUOTEE.pdf.bat
Verdict:
No threats detected
Analysis date:
2025-09-03 09:53:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/eea57f29-cf49-412a-97d5-ae634d809fc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24896/
Detection(s):
SecuriteInfo.com.BAT.Obfus-4.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b80f78eb163e0ec1843b35
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 cmd evasive lolbin masquerade obfuscated obfuscated powershell timeout
Link:
https://www.filescan.io/uploads/68b80f7f1c81c34281dcd747/reports/6694bd59-3be5-4a93-8c45-3a83a3056b00/overview
Verdict:
Malicious
Labled as:
TrojanDropper/VBS.Agent
Link:
https://www.hybrid-analysis.com/sample/f9df0e50ffcebcef8aaaa4d7f4b87091b78cd893a46913115b9289501c059541
Verdict:
Malicious
File Type:
ps1
First seen:
2025-09-03T06:46:00Z UTC
Last seen:
2025-09-03T06:46:00Z UTC
Hits:
~10
Detections:
Trojan.PowerShell.AmsiBypass.sb Backdoor.MSIL.Bladabindi.sb Backdoor.Bladabindi.TCP.C&C Backdoor.Agent.TCP.C&C
Link:
https://opentip.kaspersky.com/f9df0e50ffcebcef8aaaa4d7f4b87091b78cd893a46913115b9289501c059541/results?tab=lookup
Result
Threat name:
Njrat
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1770258
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops script or batch files to the startup folder
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Drops script at startup location
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Powershell Decrypt And Execute Base64 Data
Sigma detected: Suspicious PowerShell IEX Execution Patterns
Suricata IDS alerts for network traffic
Suspicious command line found
Suspicious powershell command line found
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Njrat
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1770258 Sample: L5PRICE QUOTEE.pdf.bat Startdate: 03/09/2025 Architecture: WINDOWS Score: 100 55 Suricata IDS alerts for network traffic 2->55 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 14 other signatures 2->61 9 cmd.exe 1 2->9         started        12 cmd.exe 1 2->12         started        process3 signatures4 65 Suspicious command line found 9->65 14 cmd.exe 1 9->14         started        17 conhost.exe 9->17         started        19 cmd.exe 1 12->19         started        21 conhost.exe 12->21         started        process5 signatures6 75 Suspicious command line found 14->75 23 powershell.exe 6 31 14->23         started        28 conhost.exe 14->28         started        30 cmd.exe 1 14->30         started        32 powershell.exe 19->32         started        34 conhost.exe 19->34         started        36 cmd.exe 1 19->36         started        38 timeout.exe 1 19->38         started        process7 dnsIp8 53 196.251.83.209, 49690, 5085 SONIC-WirelessZA Seychelles 23->53 49 C:\Users\user\AppData\...\SystemRestore.bat, ASCII 23->49 dropped 67 Suspicious powershell command line found 23->67 69 Drops script or batch files to the startup folder 23->69 71 Found suspicious powershell code related to unpacking or dynamic code loading 23->71 73 Loading BitLocker PowerShell Module 23->73 40 powershell.exe 37 23->40         started        43 powershell.exe 8 23->43         started        51 \Device\ConDrv, ASCII 32->51 dropped 45 powershell.exe 32->45         started        file9 signatures10 process11 signatures12 63 Loading BitLocker PowerShell Module 40->63 47 conhost.exe 40->47         started        process13
Score:
99%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/f9df0e50ffcebcef8aaaa4d7f4b87091b78cd893a46913115b9289501c059541
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9df0e50ffcebcef8aaaa4d7f4b87091b78cd893a46913115b9289501c059541/
Verdict:
Malicious
Threat:
Family.NJRAT
Link:
https://tip.neiki.dev/file/f9df0e50ffcebcef8aaaa4d7f4b87091b78cd893a46913115b9289501c059541
Threat name:
Script-BAT.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-03 09:50:44 UTC
File Type:
Text (Batch)
AV detection:
8 of 24 (33.33%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7hpq4uh7z26o7cvkutl7jodqsg3yzwetururgek3skevahafsvaq._file
Verdict:
malicious
Label(s):
njrat
Create hunting rule
Similar samples:
102c57004decd2173d86522467863123425f1ecccf37561fa34fca5c1de1c402
njrat
2fd3d4a53dba424e61cab4f1f7b2f6d02079e0d0f06ed91dcc9f5214b1ee174a
njrat
31ee08e0aad9297988beb54957c0fa5bce2d9b1d0d2c16e4932e247c73c19348
njrat
4c432c454b36e2e9b73faec7ca3404f582218583055db2602d5ba609e394eb9d
njrat
6b023387ea48536d7900b1caff4c3568eb8761b55e0559b5680258bf28c55eec
njrat
8cd2c50d76ca6672c8f99a66343af62f3a41c35a141f478f55044198ba8147c9
njrat
a6d472279fb47d3881bae4e241d50a96af105b40b82af5cb71ec8f4991bd22f7
njrat
cb1ee7fa3edcc9795877868ad56cf32b9d6c3d95ea59d348e55c2b5caf87a180
njrat
cdb8d74735fd803936cbb3f259418fa76aa5fa7ad03f8cba3b7d310006052e61
njrat
e9b303f24082eaf87853558d2d427ad2eecc78acd538d37e1f4397d378b47c27
njrat
error
njrat
+ 685 additional samples on MalwareBazaar
Result
Malware family:
njrat
Create hunting rule
Score:
  10/10
Tags:
family:njrat botnet:nyan cat discovery execution trojan
Link:
https://tria.ge/reports/250903-lvabkaaq31/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Drops startup file
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Njrat family
njRAT/Bladabindi
Malware Config
C2 Extraction:
196.251.83.209:5085
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f9df0e50ffcebcef8aaaa4d7f4b87091b78cd893a46913115b9289501c059541

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Base64_Encoded_Powershell_Directives
Create hunting rule
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/24896/

Comments