Summary | ZeroBOX

solara.exe

Tags: Malicious Library, PE32, PE File, .NET EXE
Category FILE
Machine s1_win7_x6401
Started Aug. 6, 2024, 3:23 p.m.
Completed Aug. 6, 2024, 3:25 p.m.
Size 43.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 d61a862be780c78ac1b87594b6b2f155
SHA256 edcc9d522fa2dec8f963f6703a0df5907d56faf94f55803f57763af1981082f8
CRC32 2BF62C53
ssdeep 384:CHZydWkNkli0yiIhh7SvOWmea7BEjzqTV8zkIij+ZsNO3PlpJKkkjh/TzF7pWna0:C5u6ABiQ7SvOWmeM4GguXQ/o7C+L
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

IP Address Status Action
164.124.101.2 Active Moloch
193.161.193.99 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2027941 ET POLICY DNS Query to a Reverse Proxy Service Observed Potential Corporate Privacy Violation
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2047872 ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host) Misc activity

Suricata TLS

No Suricata TLS

Antivirus Detections

Engine Detection
Bkav W32.AIDetectMalware.CS
Elastic Windows.Trojan.Njrat
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
Skyhigh BehavesLike.Win32.Trojan.pm
ALYac Generic.Malware.SLcbg.6A416EDC
Cylance Unsafe
VIPRE Generic.Malware.SLcbg.6A416EDC
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan ( 700000121 )
BitDefender Generic.Malware.SLcbg.6A416EDC
K7GW Trojan ( 700000121 )
Cybereason malicious.be780c
Arcabit Generic.Malware.SLcbg.6A416EDC
VirIT Trojan.Win32.Dnldr23.CQQH
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of MSIL/Bladabindi.BB
APEX Malicious
McAfee Trojan-FUTJ!D61A862BE780
Avast Win32:BackDoor-AFW [Trj]
ClamAV Win.Packed.Msilperseus-9220094-0
Kaspersky HEUR:Trojan.Win32.Generic
MicroWorld-eScan Generic.Malware.SLcbg.6A416EDC
Rising Backdoor.njRAT!1.C5D1 (CLASSIC)
Emsisoft Trojan.Bladabindi (A)
F-Secure Trojan:W32/njRAT.B
DrWeb Trojan.DownLoader24.52964
Zillya Trojan.Bladabindi.Win32.83275
TrendMicro BKDR_BLADABI.SMC
McAfeeD Real Protect-LS!D61A862BE780
Trapmine malicious.high.ml.score
FireEye Generic.mg.d61a862be780c78a
Sophos Troj/Bladabi-DR
Ikarus Trojan.MSIL.Bladabindi
Jiangmin Trojan.Generic.argvt
Google Detected
Avira TR/Dropper.Gen7
MAX malware (ai score=83)
Kingsoft malware.kb.c.1000
Gridinsoft Backdoor.Win32.Bladabindi.vl!ni
Xcitium TrojWare.MSIL.Bladabindi.CC@7ebfqa
Microsoft Trojan:MSIL/Bladabindi.OE!MTB
ZoneAlarm HEUR:Trojan.Win32.Generic
GData MSIL.Backdoor.Bladabindi.BV
Varist W32/MSIL_Bladabindi.A.gen!Eldorado
AhnLab-V3 Win-Trojan/NjRAT04.Exp
BitDefenderTheta Gen:NN.ZemsilF.36810.cmW@auxkSkn
DeepInstinct MALICIOUS
VBA32 Trojan.MSIL.Bladabindi.Heur
Malwarebytes Bladabindi.Backdoor.Bot.DDS
Panda Trj/GdSda.A

Dead Hosts

dead_host 192.168.56.101:49191
dead_host 192.168.56.101:49171
dead_host 192.168.56.101:49165
dead_host 192.168.56.101:49175
dead_host 193.161.193.99:39601
dead_host 192.168.56.101:49176
dead_host 192.168.56.101:49184
dead_host 192.168.56.101:49180
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49166
dead_host 192.168.56.101:49168
dead_host 192.168.56.101:49177
dead_host 192.168.56.101:49172
dead_host 192.168.56.101:49185
dead_host 192.168.56.101:49163
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49189
dead_host 192.168.56.101:49167
dead_host 192.168.56.101:49169
dead_host 192.168.56.101:49178
dead_host 192.168.56.101:49173
dead_host 192.168.56.101:49186
dead_host 192.168.56.101:49182
dead_host 192.168.56.101:49190
dead_host 192.168.56.101:49170
dead_host 192.168.56.101:49179
dead_host 192.168.56.101:49164
dead_host 192.168.56.101:49174
dead_host 192.168.56.101:49187
dead_host 192.168.56.101:49183