Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 17, 2024, 2:44 p.m.	Oct. 17, 2024, 2:47 p.m.

Size	23.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`47713554f0dcd00ab2c69ca3fea53d3c`
SHA256	`dec6422bc9ccb3162c6dd992478fa6f0407c742a4bc1fa1215676d419f1c01df`
CRC32	`B625EAE9`
ssdeep	`384:wslUlEvOEJ8xWwYJOMiOBZEdO1567gtwi5Hhb0mRvR6JZlbw8hqIusZzZ19d:peEvwIlL/RpcnuS`
Yara	Win_Backdoor_njRAT_Zero - Win Backdoor njRAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

netsh.exe netsh firewall add allowedprogram "C:\Users\test22\AppData\Local\Temp\nojeira.exe" "nojeira.exe" ENABLE
2156

Name	Response	Post-Analysis Lookup
troia23.ddns.net	A 20.206.240.170	20.206.240.170

IP Address	Status	Action
164.124.101.2	Active	Moloch
20.206.240.170	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2028675	ET POLICY DNS Query to DynDNS Domain *.ddns .net	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleA Oct. 17, 2024, 2:45 p.m.	buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . console_handle: 0x00000007	1	1	0
WriteConsoleA Oct. 17, 2024, 2:45 p.m.	buffer: Ok. console_handle: 0x00000007	1	1	0

Connects to a Dynamic DNS Domain (1 event)

domain

troia23.ddns.net

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

20.206.240.170:1177

File has been identified by 62 AntiVirus engines on VirusTotal as malicious (50 out of 62 events)

Bkav	W32.FamVT.binANHb.Worm
Elastic	Windows.Trojan.Njrat
CAT-QuickHeal	Trojan.Generic.TRFH5
Skyhigh	BehavesLike.Win32.BackdoorNJRat.mm
ALYac	Generic.MSIL.Bladabindi.FA2779B3
Cylance	Unsafe
VIPRE	Generic.MSIL.Bladabindi.FA2779B3
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 700000121 )
BitDefender	Generic.MSIL.Bladabindi.FA2779B3
K7GW	Trojan ( 700000121 )
Cybereason	malicious.4f0dcd
Arcabit	Generic.MSIL.Bladabindi.FA2779B3
Baidu	MSIL.Backdoor.Bladabindi.a
VirIT	Backdoor.Win32.Generic.AWM
Symantec	Backdoor.Ratenjay
ESET-NOD32	a variant of MSIL/Bladabindi.AS
APEX	Malicious
McAfee	Trojan-FIGN
Avast	MSIL:Agent-DRD [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
NANO-Antivirus	Trojan.Win32.Disfa.dtznyx
MicroWorld-eScan	Generic.MSIL.Bladabindi.FA2779B3
Rising	Backdoor.njRAT!1.9E49 (CLASSIC)
Emsisoft	Trojan.Bladabindi (A)
F-Secure	Trojan.TR/Dropper.Gen7
DrWeb	Trojan.DownLoader23.25967
Zillya	Trojan.Disfa.Win32.27264
TrendMicro	BKDR_BLADABI.SMC
McAfeeD	Real Protect-LS!47713554F0DC
Trapmine	malicious.moderate.ml.score
FireEye	Generic.mg.47713554f0dcd00a
Sophos	Troj/DotNet-P
Ikarus	Trojan.MSIL.Bladabindi
Jiangmin	TrojanDropper.Autoit.dce
Webroot	W32.Backdoor.Gen
Google	Detected
Avira	TR/Dropper.Gen7
MAX	malware (ai score=86)
Antiy-AVL	Trojan[Backdoor]/MSIL.Bladabindi.as
Kingsoft	malware.kb.c.1000
Xcitium	Backdoor.MSIL.Bladabindi.A@566ygc
Microsoft	Backdoor:MSIL/Bladabindi
ViRobot	Backdoor.Win32.Bladabindi.Gen.A
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	MSIL.Backdoor.Bladabindi.AV
Varist	W32/MSIL_Bladabindi.AU.gen!Eldorado
AhnLab-V3	Win-Trojan/Zbot.24064
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZemsilF.36812.bmW@ai!!rNj

nojeira.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All