Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 17, 2024, 1:35 p.m.	Oct. 17, 2024, 1:41 p.m.

Size	23.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`21af95224fabbc4909c0c8b06765f904`
SHA256	`6f2abb38913bc40f4fddd98515ecacd52f5a66580987a6e94ce168f282bd53fa`
CRC32	`1092FBFA`
ssdeep	`384:KFwTSiYWD2Z7w3CsJeiecwJ3fw6FgzeAh33RtmRvR6JZlbw8hqIusZzZxW:K4vZiBK1edJRpcnuL`
Yara	Win_Backdoor_njRAT_Zero - Win Backdoor njRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\Discord.exe" "Discord.exe" ENABLE
2232

Name	Response	Post-Analysis Lookup
central-randy.gl.at.ply.gg	A 147.185.221.22	147.185.221.22

IP Address	Status	Action
147.185.221.22	Active	Moloch
164.124.101.2	Active	Moloch
208.95.112.1	Active	Moloch
45.120.178.138	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2044590	ET INFO playit .gg Tunneling Domain in DNS Lookup	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2054989	ET INFO Tunneling Service in DNS Lookup (* .ply .gg)	Misc activity

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Oct. 17, 2024, 1:35 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1	0
WriteConsoleA Oct. 17, 2024, 1:35 p.m.	buffer: Ok. console_handle: 0x00000007	1	1	0

Communicates with host for which no DNS query was performed (2 events)

host	208.95.112.1
host	45.120.178.138

File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 events)

Bkav	W32.FamVT.binANHb.Worm
CAT-QuickHeal	Trojan.Generic.TRFH5
Skyhigh	BehavesLike.Win32.BackdoorNJRat.mm
ALYac	Generic.MSIL.Bladabindi.DCF63BD0
Cylance	Unsafe
VIPRE	Generic.MSIL.Bladabindi.DCF63BD0
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
BitDefender	Generic.MSIL.Bladabindi.DCF63BD0
K7GW	Trojan ( 700000121 )
K7AntiVirus	Trojan ( 700000121 )
Arcabit	Generic.MSIL.Bladabindi.DCF63BD0
Baidu	MSIL.Backdoor.Bladabindi.a
VirIT	Backdoor.Win32.Generic.AWM
Symantec	Backdoor.Ratenjay
Elastic	Windows.Trojan.Njrat
ESET-NOD32	MSIL/Bladabindi.BC
APEX	Malicious
Avast	MSIL:Agent-DRD [Trj]
ClamAV	Win.Packed.Generic-9795615-0
Kaspersky	HEUR:Trojan.Win32.Generic
NANO-Antivirus	Trojan.Win32.Disfa.dtznyx
MicroWorld-eScan	Generic.MSIL.Bladabindi.DCF63BD0
Rising	Backdoor.njRAT!1.9E49 (CLASSIC)
Emsisoft	Trojan.Bladabindi (A)
F-Secure	Trojan.TR/Dropper.Gen7
DrWeb	Trojan.DownLoader19.37002
Zillya	Backdoor.Agent.Win32.55233
TrendMicro	BKDR_BLADABI.SMC
McAfeeD	Real Protect-LS!21AF95224FAB
Trapmine	malicious.moderate.ml.score
CTX	exe.unknown.bladabindi
Sophos	Troj/DotNet-P
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.21af95224fabbc49
Jiangmin	TrojanDropper.Autoit.dce
Webroot	W32.Trojan.Gen
Google	Detected
Avira	TR/Dropper.Gen7
Antiy-AVL	Trojan[Backdoor]/MSIL.Bladabindi.as
Kingsoft	malware.kb.c.1000
Xcitium	Backdoor.MSIL.Bladabindi.A@566ygc
Microsoft	Backdoor:MSIL/Bladabindi!atmn
ViRobot	Backdoor.Win32.Bladabindi.Gen.A
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	MSIL.Backdoor.Bladabindi.AV
Varist	W32/MSIL_Bladabindi.AU.gen!Eldorado
AhnLab-V3	Backdoor/Win32.Bladabindi.R91438
Acronis	suspicious
McAfee	Trojan-FIGN

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)

dead_host	192.168.56.103:49163
dead_host	147.185.221.22:55475

Discord.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All