Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Sept. 27, 2023, 9:57 a.m.	Sept. 27, 2023, 9:59 a.m.

Size	23.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`84c28541e9f2bdd1d7b5d3858c319972`
SHA256	`c21e2b22c173da1dc5886e436fc79aa8b7378d32a4575feb828d91002875d441`
CRC32	`5D2B488D`
ssdeep	`384:DnsqCm6yocx/Yp7jemiO0nd08/VQ6bgNQC5h7tmRvR6JZlbw8hqIusZzZqz:D8SoQA6mlcrRpcnub`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_njRAT_Zero - Win Backdoor njRAT

netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\84c28541e9f2bdd1d7b5d3858c319972.exe" "84c28541e9f2bdd1d7b5d3858c319972.exe" ENABLE
2188

Name	Response	Post-Analysis Lookup
microsoft-virtualpc.duckdns.org	A 141.255.159.143	141.255.159.143

IP Address	Status	Action
141.255.159.143	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.102:63709 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.102:62846 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Sept. 27, 2023, 9:57 a.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1	0
WriteConsoleA Sept. 27, 2023, 9:57 a.m.	buffer: Ok. console_handle: 0x00000007	1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

microsoft-virtualpc.duckdns.org

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

141.255.159.143:1177

File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 events)

Bkav	W32.FamVT.binANHb.Worm
Elastic	Windows.Trojan.Njrat
MicroWorld-eScan	Generic.MSIL.Bladabindi.8225873D
CAT-QuickHeal	Trojan.Generic.TRFH5
McAfee	Trojan-FIGN
Malwarebytes	Bladabindi.Backdoor.Bot.DDS
Zillya	Backdoor.Agent.Win32.55233
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 700000121 )
K7GW	Trojan ( 700000121 )
Cybereason	malicious.07d6bf
Arcabit	Generic.MSIL.Bladabindi.D7D8451D
Baidu	MSIL.Backdoor.Bladabindi.a
VirIT	Backdoor.Win32.Generic.AWM
Cyren	W32/MSIL_Bladabindi.AU.gen!Eldorado
Symantec	Backdoor.Ratenjay
ESET-NOD32	MSIL/Bladabindi.BC
Cynet	Malicious (score: 100)
APEX	Malicious
ClamAV	Win.Packed.Generic-9795615-0
Kaspersky	HEUR:Trojan.Win32.Generic
BitDefender	Generic.MSIL.Bladabindi.8225873D
NANO-Antivirus	Trojan.Win32.Disfa.dtznyx
Avast	MSIL:Agent-DRD [Trj]
Tencent	Trojan.Msil.Bladabindi.za
Emsisoft	Trojan.Bladabindi (A)
F-Secure	Trojan.TR/Dropper.Gen7
DrWeb	Trojan.DownLoader19.37002
VIPRE	Generic.MSIL.Bladabindi.8225873D
TrendMicro	BKDR_BLADABI.SMC
McAfee-GW-Edition	BehavesLike.Win32.Trojan.mm
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.84c28541e9f2bdd1
Sophos	Troj/DotNet-P
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanDropper.Autoit.dce
Webroot	W32.Trojan.Gen
Avira	TR/Dropper.Gen7
MAX	malware (ai score=87)
Antiy-AVL	Trojan[Backdoor]/MSIL.Bladabindi.as
Kingsoft	malware.kb.c.1000
Xcitium	Backdoor.MSIL.Bladabindi.A@566ygc
Microsoft	Backdoor:MSIL/Bladabindi
ViRobot	Backdoor.Win32.Bladabindi.Gen.A
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	MSIL.Backdoor.Bladabindi.AV
Google	Detected
AhnLab-V3	Backdoor/Win32.Bladabindi.R91438
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZemsilF.36722.bmW@aW!qyCf

84c28541e9f2bdd1d7b5d3858c319972.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All