Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Nov. 26, 2023, 1:32 p.m.	Nov. 26, 2023, 1:42 p.m.

Size	23.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`a92ef911215a303fc49de97c4c6d837f`
SHA256	`cd9c6c3774a1465f229f729469ac9a73561f883a3f980625198571dc9c82a4c4`
CRC32	`5244D1A4`
ssdeep	`384:yY324bcgPiJLQrfARGSRUJsbY6ZgvSMBD3t8mRvR6JZlbw8hqIusZzZmM:lL2s+tRyRpcnus`
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) Win_Backdoor_njRAT_Zero - Win Backdoor njRAT

netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
2800

Name	Response	Post-Analysis Lookup
needforrat.hopto.org

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2028681	ET POLICY DNS Query to DynDNS Domain *.hopto .org	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Nov. 26, 2023, 1:32 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1	0
WriteConsoleA Nov. 26, 2023, 1:32 p.m.	buffer: Ok. console_handle: 0x00000007	1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

needforrat.hopto.org

File has been identified by 65 AntiVirus engines on VirusTotal as malicious (50 out of 65 events)

Bkav	W32.FamVT.binANHb.Worm
Lionic	Trojan.Win32.Generic.mAmC
MicroWorld-eScan	Trojan.GenericKDZ.80457
CAT-QuickHeal	Trojan.Generic.TRFH5
Skyhigh	BehavesLike.Win32.Trojan.mm
McAfee	Trojan-FIGN
Malwarebytes	Generic.Malware.AI.DDS
Zillya	Trojan.Disfa.Win32.27264
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	Trojan:Win32/Bladabindi.374
K7GW	Trojan ( 700000121 )
K7AntiVirus	Trojan ( 700000121 )
Baidu	MSIL.Backdoor.Bladabindi.a
VirIT	Backdoor.Win32.Generic.AWM
Symantec	Backdoor.Ratenjay
Elastic	Windows.Trojan.Njrat
ESET-NOD32	MSIL/Bladabindi.BC
APEX	Malicious
ClamAV	Win.Packed.Generic-9795615-0
Kaspersky	Trojan.MSIL.Disfa.bqd
BitDefender	Trojan.GenericKDZ.80457
NANO-Antivirus	Trojan.Win32.Disfa.dtznyx
Avast	MSIL:Agent-DRD [Trj]
Tencent	Trojan.Msil.Bladabindi.za
Emsisoft	Trojan.Bladabindi (A)
F-Secure	Trojan.TR/Dropper.Gen7
DrWeb	BackDoor.Bladabindi.13678
VIPRE	Trojan.GenericKDZ.80457
TrendMicro	BKDR_BLADABI.SMC
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.a92ef911215a303f
Sophos	Troj/DotNet-P
SentinelOne	Static AI - Malicious PE
MAX	malware (ai score=100)
Jiangmin	TrojanDropper.Autoit.dce
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Dropper.Gen7
Varist	W32/MSIL_Bladabindi.AU.gen!Eldorado
Antiy-AVL	Trojan[Backdoor]/MSIL.Bladabindi.as
Kingsoft	malware.kb.c.1000
Microsoft	Backdoor:MSIL/Bladabindi
Xcitium	Backdoor.MSIL.Bladabindi.A@566ygc
Arcabit	Trojan.Generic.D13A49
ViRobot	Backdoor.Win32.Bladabindi.Gen.A
ZoneAlarm	Trojan.MSIL.Disfa.bqd
GData	MSIL.Backdoor.Bladabindi.AV
Cynet	Malicious (score: 100)
AhnLab-V3	Win-Trojan/Zbot.24064

Server.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All