popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

sosi_biby.exe

backdoor njRAT Generic Malware PE File PE32 .NET EXE
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 17, 2024, 2:44 p.m. Oct. 17, 2024, 2:46 p.m.
Size 37.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 e11aa2c789dfd4b10e77090c4c3e448f
SHA256 61f6d97939e73cf2a5c172bd2a19ae50e5b4c76fb5426cb30d062e1a0bc5071d
CRC32 2A26612A
ssdeep 384:fW/gUiDrblmJEpRGyEfdDPTuWCYqAlLrAF+rMRTyN/0L+EcoinblneHQM3epzX9J:e/yHpR9EfdDCWClAprM+rMRa8Nu/vzt
Yara
  • Win_Backdoor_njRAT_Zero - Win Backdoor njRAT
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware

Name Response Post-Analysis Lookup
6.tcp.eu.ngrok.io
A 3.68.171.119
A 3.69.157.220
3.69.115.178
IP Address Status Action
164.124.101.2 Active Moloch
3.68.171.119 Active Moloch
3.69.157.220 Active Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.101:54148 -> 164.124.101.2:53 2022642 ET INFO DNS Query to a *.ngrok domain (ngrok.io) Misc activity
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2022642 ET INFO DNS Query to a *.ngrok domain (ngrok.io) Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleA

 buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 .
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Ok.
console_handle: 0x00000007
1 1 0
Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.Bladabindi.4!c
CAT-QuickHeal Backdoor.Bladabindi.B3
Skyhigh BehavesLike.Win32.Trojan.nm
ALYac Trojan.Keylogger.njRAT
Cylance Unsafe
VIPRE Gen:Heur.MSIL.Krypt.44
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Heur.MSIL.Krypt.44
K7GW Trojan ( 700000121 )
K7AntiVirus Trojan ( 700000121 )
Arcabit Trojan.MSIL.Krypt.44
Baidu MSIL.Backdoor.Bladabindi.a
VirIT Trojan.Win32.DownLoader21.BPQW
Symantec Backdoor.Ratenjay!gen3
Elastic Windows.Trojan.Njrat
ESET-NOD32 a variant of MSIL/Bladabindi.AR
APEX Malicious
Avast MSIL:Bladabindi-JK [Trj]
ClamAV Win.Packed.Bladabindi-7994427-0
Kaspersky HEUR:Trojan.Win32.Generic
Alibaba Trojan:MSIL/njRAT.a895f52c
NANO-Antivirus Trojan.Win32.Autoruner2.ebrjyu
MicroWorld-eScan Gen:Heur.MSIL.Krypt.44
Rising Backdoor.njRAT!1.9E49 (CLASSIC)
Emsisoft Worm.Bladabindi (A)
F-Secure Trojan.TR/ATRAPS.Gen
DrWeb Trojan.DownLoader20.55401
Zillya Trojan.Bladabindi.Win32.72266
TrendMicro BKDR_BLADABI.SMC
McAfeeD Real Protect-LS!E11AA2C789DF
Trapmine malicious.high.ml.score
CTX exe.trojan.bladabindi
Sophos Troj/Bbindi-W
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.e11aa2c789dfd4b1
Jiangmin TrojanDropper.Autoit.dce
Google Detected
Avira TR/ATRAPS.Gen
Antiy-AVL Trojan[Backdoor]/MSIL.Bladabindi.as
Kingsoft malware.kb.c.1000
Xcitium TrojWare.MSIL.Spy.Agent.CP@4pqytu
Microsoft Trojan:MSIL/njRAT.RDSA!MTB
ViRobot Backdoor.Win32.Agent.37888.AL
ZoneAlarm HEUR:Trojan.Win32.Generic
GData MSIL.Trojan-Spy.Bladabindi.BQ
Varist W32/MSIL_Troj.AP.gen!Eldorado
AhnLab-V3 Trojan/Win32.Korat.R207428
McAfee Trojan-FIGN
dead_host 192.168.56.101:49191
dead_host 192.168.56.101:49171
dead_host 192.168.56.101:49165
dead_host 192.168.56.101:49175
dead_host 192.168.56.101:49176
dead_host 192.168.56.101:49184
dead_host 192.168.56.101:49180
dead_host 192.168.56.101:49188
dead_host 192.168.56.101:49166
dead_host 192.168.56.101:49168
dead_host 192.168.56.101:49177
dead_host 192.168.56.101:49172
dead_host 192.168.56.101:49185
dead_host 192.168.56.101:49181
dead_host 192.168.56.101:49189
dead_host 192.168.56.101:49167
dead_host 192.168.56.101:49169
dead_host 3.69.157.220:17297
dead_host 192.168.56.101:49178
dead_host 3.68.171.119:17297
dead_host 192.168.56.101:49173
dead_host 192.168.56.101:49186
dead_host 192.168.56.101:49182
dead_host 192.168.56.101:49190
dead_host 192.168.56.101:49170
dead_host 192.168.56.101:49179
dead_host 192.168.56.101:49164
dead_host 192.168.56.101:49174
dead_host 192.168.56.101:49187
dead_host 192.168.56.101:49183