Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Dec. 20, 2022, 1:59 p.m.	Dec. 20, 2022, 2:02 p.m.

Size	37.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`32ecbfcd1b769c857657f0455bfae8de`
SHA256	`81bd058bdfbfc79e61c1886729fb82f958fec8d935f94a719e42d5cf41282e81`
CRC32	`DBF87E7C`
ssdeep	`384:CkG23hUidkGXR21cGMy8Pqq53tGFlymkirAF+rMRTyN/0L+EcoinblneHQM3epz3:rG23ZLGv8Pqq58imHrM+rMRa8NuImt`
Yara	Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Win_Backdoor_njRAT_Zero - Win Backdoor njRAT Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature

netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\system.exe" "system.exe" ENABLE
2672

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
211.213.183.65	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Dec. 20, 2022, 1:59 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1	0
WriteConsoleA Dec. 20, 2022, 1:59 p.m.	buffer: Ok. console_handle: 0x00000007	1	1	0

Communicates with host for which no DNS query was performed (1 event)

host

211.213.183.65

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

211.213.183.65:8639

File has been identified by 64 AntiVirus engines on VirusTotal as malicious (50 out of 64 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Generic.4!c
Elastic	Windows.Trojan.Njrat
MicroWorld-eScan	Trojan.GenericKD.64381464
CAT-QuickHeal	Backdoor.Bladabindi.B3
ALYac	Generic.MSIL.Bladabindi.8F74514A
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 700000121 )
Alibaba	Backdoor:MSIL/Bladabindi.d183f013
K7GW	Trojan ( 700000121 )
Cybereason	malicious.d1b769
Baidu	MSIL.Backdoor.Bladabindi.a
VirIT	Trojan.Win32.DownLoader21.BPQW
Cyren	W32/MSIL_Troj.AP.gen!Eldorado
Symantec	Backdoor.Ratenjay!gen3
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/Bladabindi.AR
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Packed.Bladabindi-7994427-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Trojan.GenericKD.64381464
NANO-Antivirus	Trojan.Win32.Autoruner2.ebrjyu
ViRobot	Backdoor.Win32.Agent.37888.AL
Avast	MSIL:Bladabindi-JK [Trj]
Tencent	Trojan.Msil.Bladabindi.fa
Ad-Aware	Trojan.GenericKD.64381464
TACHYON	Trojan/W32.DN-Agent.37888.BN
Emsisoft	Worm.Bladabindi (A)
Comodo	TrojWare.MSIL.Spy.Agent.CP@4pqytu
DrWeb	Trojan.MulDrop6.47155
VIPRE	Generic.MSIL.Bladabindi.8F74514A
TrendMicro	BKDR_BLADABI.SMC
McAfee-GW-Edition	BehavesLike.Win32.Generic.nm
FireEye	Generic.mg.32ecbfcd1b769c85
Sophos	Mal/Generic-R + Troj/Bbindi-W
Ikarus	Trojan.MSIL.Bladabindi
GData	MSIL.Trojan-Spy.Bladabindi.BQ
Jiangmin	TrojanDropper.Autoit.dce
Webroot	W32.Trojan.Gen
Avira	TR/ATRAPS.Gen
Antiy-AVL	Trojan[Backdoor]/MSIL.Bladabindi.as
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.NjRat.bot
Arcabit	Trojan.Generic.D3D66218
ZoneAlarm	HEUR:Trojan.Win32.Generic
Microsoft	Trojan:MSIL/njRAT.RDSA!MTB
Google	Detected
AhnLab-V3	Trojan/Win32.Korat.R207428

system.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All