Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 17, 2024, 1:35 p.m.	Oct. 17, 2024, 1:39 p.m.

Size	31.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`29a37b6532a7acefa7580b826f23f6dd`
SHA256	`7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69`
CRC32	`BF6DFABB`
ssdeep	`768:64+64ZRzo+zxJ+lS7gqzZ5XvzpQmIDUu0ti69j:xM3/Bh1QVkvj`
Yara	Win_Backdoor_njRAT_Zero - Win Backdoor njRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\NJRat.exe" "NJRat.exe" ENABLE
2692

Name	Response	Post-Analysis Lookup
startitit2-23969.portmap.host

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2027941	ET POLICY DNS Query to a Reverse Proxy Service Observed	Potential Corporate Privacy Violation
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2047872	ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .host)	Misc activity

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Oct. 17, 2024, 1:35 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1	0
WriteConsoleA Oct. 17, 2024, 1:35 p.m.	buffer: Ok. console_handle: 0x00000007	1	1	0

Creates known NJRat files, registry keys and/or mutexes (1 event)

file	C:\Users\test22\AppData\Local\Temp\NJRat.exe

File has been identified by 68 AntiVirus engines on VirusTotal as malicious (50 out of 68 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Generic.lA1H
Elastic	Windows.Trojan.Njrat
CAT-QuickHeal	Trojan.GenericFC.S20328680
Skyhigh	BehavesLike.Win32.BackdoorNJRat.nm
ALYac	Gen:Variant.Jalapeno.1929
Cylance	Unsafe
VIPRE	Gen:Variant.Jalapeno.1929
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 700000121 )
BitDefender	Gen:Variant.Jalapeno.1929
K7GW	Trojan ( 700000121 )
Cybereason	malicious.532a7a
Arcabit	Trojan.Jalapeno.D789
Baidu	MSIL.Backdoor.Bladabindi.a
VirIT	Backdoor.Win32.Bladabindi.XIP
Symantec	Backdoor.Ratenjay
tehtris	Generic.Malware
ESET-NOD32	a variant of MSIL/Bladabindi.AS
APEX	Malicious
McAfee	BackDoor-NJRat!29A37B6532A7
Avast	MSIL:Bladabindi-JK [Trj]
ClamAV	Win.Packed.Generic-9795615-0
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Backdoor:MSIL/Bladabindi.bc9b3d52
NANO-Antivirus	Trojan.Win32.Gen8.ecsqgn
MicroWorld-eScan	Gen:Variant.Jalapeno.1929
Rising	Backdoor.njRAT!1.9E49 (CLASSIC)
Emsisoft	Gen:Variant.Jalapeno.1929 (B)
F-Secure	Trojan.TR/Dropper.Gen7
DrWeb	BackDoor.Bladabindi.15771
Zillya	Trojan.Bladabindi.Win32.96772
TrendMicro	BKDR_BLADABI.SMC
McAfeeD	Real Protect-LS!29A37B6532A7
FireEye	Generic.mg.29a37b6532a7acef
Sophos	Mal/Bladabi-D
SentinelOne	Static AI - Malicious PE
Jiangmin	TrojanDropper.Autoit.dce
Webroot	W32.Malware.Gen
Google	Detected
Avira	TR/Dropper.Gen7
MAX	malware (ai score=100)
Antiy-AVL	Trojan[Backdoor]/MSIL.Bladabindi.as
Kingsoft	malware.kb.c.1000
Gridinsoft	Backdoor.Win32.Gen.ns
Xcitium	Backdoor.MSIL.Bladabindi.BA@7oej5x
Microsoft	Backdoor:MSIL/Bladabindi.B
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	MSIL.Trojan-Spy.Bladabindi.BQ
Varist	W32/MSIL_Bladabindi.A.gen!Eldorado

NJRat.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All