Summary | ZeroBOX

winlog32.exe

Tags: njRAT, GIF Format, Lnk Format, PE File, PE32, .NET EXE
Category | Machine | Started | Completed
FILE | s1_win7_x6401 | Feb. 12, 2025, 1:18 p.m. | Feb. 12, 2025, 1:20 p.m.
Size 27.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 741b73ac32f93409f2eff52fc470acd7
SHA256 533ffecb86555b7eb74923b557f289b5a7f1c820baa3e0ec76a1bcf27aa06bad
CRC32 E4A9D752
ssdeep 384:TLH4ZoTmgEJLbwvqWGhP9Z9jMIAQk93vmhm7UMKmIEecKdbXTzm9bVhcamcL6MrZ:3UNvwNIA/vMHTi9bDX
Yara
  • PE_Header_Zero - PE File Signature
  • Win_Backdoor_njRAT_2_Zero - Win Backdoor njRAT
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)

Name | Response | Post-Analysis Lookup
21.ip.gl.ply.gg | 147.185.221.21 |

IP Address | Status | Action
185.143.228.176 | Active | Moloch
147.185.221.21 | Active | Moloch
164.124.101.2 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53 | 2054989 | ET INFO Tunneling Service in DNS Lookup (* .ply .gg) | Misc activity
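The single Suricata hit is a DNS lookup for a playit.gg relay host, which is how this sample reaches its operator without exposing a fixed server. As an added example, not part of the ZeroBOX report, the Python below runs the same kind of check over DNS query lines: the log layout and the sample lines are constructed here (the first line reproduces the lookup recorded above), and every suffix beyond ply.gg is this editor's addition.

```python
import re

# Hostname suffixes of tunnelling/relay services; "ply.gg" (playit.gg) is the one the
# Suricata alert above fired on, the others are this editor's additions.
TUNNEL_SUFFIXES = {
    "ply.gg": "playit.gg",
    "ngrok.io": "ngrok",
    "ngrok-free.app": "ngrok",
    "trycloudflare.com": "Cloudflare quick tunnel",
    "loca.lt": "localtunnel",
    "serveo.net": "serveo",
}

# Constructed log layout (not the sandbox's own format):
# "<ts> <src>:<port> -> <resolver>:53 <qtype> <qname>"
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<resolver>[\d.]+):53\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$"
)

# Constructed sample lines; only the first reproduces a lookup from the report.
SAMPLE_DNS_LOG = """\
2025-02-12T13:18:41Z 192.168.56.101:59002 -> 164.124.101.2:53 A 21.ip.gl.ply.gg
2025-02-12T13:18:42Z 192.168.56.101:59003 -> 164.124.101.2:53 A www.microsoft.com
2025-02-12T13:18:50Z 192.168.56.101:59010 -> 164.124.101.2:53 A supply.gg
2025-02-12T13:19:01Z 192.168.56.101:59011 -> 164.124.101.2:53 A tunnel1.ngrok.io
"""


def tunnel_service(qname):
    """Name of the tunnelling service if qname is one of the suffixes or a subdomain
    of one, else None. The test is done on a label boundary, so 'supply.gg' does not
    match 'ply.gg' the way a plain substring search would."""
    q = qname.rstrip(".").lower()
    for suffix, service in TUNNEL_SUFFIXES.items():
        if q == suffix or q.endswith("." + suffix):
            return service
    return None


def find_tunnel_lookups(log_text):
    """Return (source IP, queried name, service) for every matching lookup in the log."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # not a DNS query line in the expected layout
        service = tunnel_service(m["qname"])
        if service:
            hits.append((m["src"], m["qname"], service))
    return hits


if __name__ == "__main__":
    for src, qname, service in find_tunnel_lookups(SAMPLE_DNS_LOG):
        print(f"{src} looked up {qname} ({service})")
```

The label-boundary check is the part worth keeping when porting this to a SIEM query: a `contains "ply.gg"` filter fires on unrelated names, while `endswith(".ply.gg")` mirrors what the ET rule is actually written to catch.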

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status Return Repeated
GetComputerNameW | computer_name: TEST22-PC | 1 1 0

Time & API | Arguments | Status Return Repeated
IsDebuggerPresent | (no arguments) | 0 0
IsDebuggerPresent | (no arguments) | 0 0

Time & API | Arguments | Status Return Repeated
GlobalMemoryStatusEx | (no arguments) | 1 1 0

Every NtAllocateVirtualMemory / NtProtectVirtualMemory call below was made with protection: 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass: 0, stack_pivoted: 0 and process_handle: 0xffffffff (0xffffffffffffffff in the 64-bit process 1452), which is the -1 pseudo-handle for the calling process itself: these are RWX regions in the sample's own address space, not writes into another process. The trailing Status Return Repeated triple is 1 0 0 for every row.

Time & API | process_identifier | base_address | region_size / length | allocation_type | heap_dep_bypass
NtAllocateVirtualMemory | 2536 | 0x00660000 | 1900544 | 8192 (MEM_RESERVE) | 0
NtAllocateVirtualMemory | 2536 | 0x007f0000 | 4096 | 4096 (MEM_COMMIT) | 1
NtProtectVirtualMemory | 2536 | 0x727a1000 | 4096 | - | 0
NtProtectVirtualMemory | 2536 | 0x727a2000 | 4096 | - | 0
NtAllocateVirtualMemory | 2536 | 0x00440000 | 524288 | 8192 (MEM_RESERVE) | 0
NtAllocateVirtualMemory | 2536 | 0x00480000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x002d2000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x00415000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x0041b000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x00417000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x002ec000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x00540000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x002da000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x0040a000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x00407000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x00541000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x002ea000 | 4096 | 4096 (MEM_COMMIT) | 1
NtProtectVirtualMemory | 2536 | 0x6f6e2000 | 4096 | - | 0
NtAllocateVirtualMemory | 2536 | 0x00406000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2536 | 0x00542000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 1452 | 0x00000000046c0000 | 65536 | 4096 (MEM_COMMIT) | 0
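The calls above are the raw allocation trace. As an added example (this editor's code, not ZeroBOX's), the parser below reads three of those calls back in the report's own flattened layout, tallies RWX reserves, commits and protection changes, and checks every process_handle against the -1 pseudo-handle, which is the test that separates in-process RWX (what this trace shows) from a write into another process. The excerpt is copied from the table above; the MEM_* and PAGE_* constants are the documented Windows values.

```python
import re
from collections import Counter

PAGE_EXECUTE_READWRITE = 0x40
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
# NtAllocateVirtualMemory/NtProtectVirtualMemory take a process handle; -1 is the
# pseudo-handle for the caller's own process (32-bit and 64-bit spellings).
SELF_HANDLES = {0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF}

# Three of the calls from the table above, in the report's own flattened layout.
REPORT_EXCERPT = """\
NtAllocateVirtualMemory

process_identifier: 2536
region_size: 1900544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00660000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727a1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000046c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
"""


def parse_memory_calls(text):
    """Turn 'API name' + 'key: value' lines into one dict per call; the numeric part
    of values such as '64 (PAGE_EXECUTE_READWRITE)' or '0x727a1000' is kept as int."""
    calls, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"Nt(Allocate|Protect)VirtualMemory", line):
            current = {"api": line}
            calls.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = int(value.split()[0], 0)
    return calls


def summarize_rwx(calls):
    """Count RWX reserves/commits/protects, sum the bytes committed RWX, and list any
    pid whose call targeted a handle other than the caller's own process."""
    rwx = [c for c in calls if c.get("protection") == PAGE_EXECUTE_READWRITE]
    kinds, committed = Counter(), 0
    for c in rwx:
        if c["api"] == "NtProtectVirtualMemory":
            kinds["protect"] += 1
        elif c["allocation_type"] & MEM_COMMIT:
            kinds["commit"] += 1
            committed += c["region_size"]
        elif c["allocation_type"] & MEM_RESERVE:
            kinds["reserve"] += 1
    cross = sorted({c["process_identifier"] for c in rwx
                    if c["process_handle"] not in SELF_HANDLES})
    return {"rwx_calls": len(rwx), "by_kind": dict(kinds),
            "rwx_bytes_committed": committed, "cross_process_pids": cross}


if __name__ == "__main__":
    print(summarize_rwx(parse_memory_calls(REPORT_EXCERPT)))
```

On a .NET sample the CLR's JIT commits RWX pages for generated code, so a run of 4 KB MEM_COMMIT calls with PAGE_EXECUTE_READWRITE is expected background noise; the cross_process_pids list is the field worth alerting on, and for this trace it is empty.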
description | winlog32.exe tried to sleep 186 seconds, actually delayed analysis time by 186 seconds
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk
Time & API | Arguments | Status Return Repeated
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeDebugPrivilege | 1 1 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeShutdownPrivilege | 1 1 0
LookupPrivilegeValueW | system_name: (empty), privilege_name: SeShutdownPrivilege | 1 1 0

host | 185.143.228.176
file | C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk
dead_host | 147.185.221.21:56106
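Two signatures above record Windows.lnk being written into the user's Startup folder, with a second copy under Templates; that shortcut is this sample's persistence. As an added example rather than anything from the report, the detection below flags .lnk creation in either Startup folder by a process outside a small allowlist and reports other copies of the same file name written by that process. The events, the allowlist and the path winlog32.exe is assumed to run from are constructed; only the two Windows.lnk target paths come from the report.

```python
import re
from collections import namedtuple

FileEvent = namedtuple("FileEvent", "process path")

# Per-user and all-users Startup folders; a .lnk landing here runs at the next logon.
STARTUP_LNK = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData\\Roaming|ProgramData)"
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$",
    re.IGNORECASE,
)
# Writers allowed to drop Startup shortcuts; a tuning assumption, not from the report.
TRUSTED_WRITERS = {r"c:\windows\explorer.exe"}

# Constructed Sysmon-style file-create events (not from the report). The two
# Windows.lnk targets are the paths the sandbox recorded; the writer path of
# winlog32.exe is assumed.
EVENTS = [
    FileEvent(r"C:\Users\test22\Desktop\winlog32.exe",
              r"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk"),
    FileEvent(r"C:\Users\test22\Desktop\winlog32.exe",
              r"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk"),
    FileEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk"),
    FileEvent(r"C:\Users\test22\Downloads\setup.exe",
              r"C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"),
]


def basename(path):
    """Last path component, lower-cased, for name comparisons across folders."""
    return path.rsplit("\\", 1)[-1].lower()


def startup_lnk_alerts(events):
    """One alert per .lnk written into a Startup folder by an untrusted process, with
    any other copies of the same file name that process wrote elsewhere (the staged
    Templates\\Windows.lnk above is exactly that pattern)."""
    alerts = []
    for ev in events:
        if not STARTUP_LNK.search(ev.path) or ev.process.lower() in TRUSTED_WRITERS:
            continue
        copies = [o.path for o in events
                  if o is not ev and o.process == ev.process
                  and basename(o.path) == basename(ev.path)]
        alerts.append({"process": ev.process, "path": ev.path, "other_copies": copies})
    return alerts


if __name__ == "__main__":
    for alert in startup_lnk_alerts(EVENTS):
        print(alert)
```

The allowlist is deliberately tiny: legitimate installers do write Startup shortcuts, so in production the rule is usually scoped to writers outside Program Files and signed-installer paths rather than to explorer.exe alone.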
Antivirus | Result
Bkav | W32.AIDetectMalware.CS
Lionic | Trojan.Win32.Generic.lWjm
MicroWorld-eScan | Generic.MSIL.Bladabindi.37F8F495
CAT-QuickHeal | Trojan.GenericFC.S17873958
ALYac | Generic.MSIL.Bladabindi.37F8F495
Cylance | Unsafe
VIPRE | Generic.MSIL.Bladabindi.37F8F495
Sangfor | Suspicious.Win32.Save.a
CrowdStrike | win/malicious_confidence_100% (W)
BitDefender | Generic.MSIL.Bladabindi.37F8F495
K7GW | Trojan ( 004b90a21 )
K7AntiVirus | Trojan ( 004b90a21 )
Arcabit | Generic.MSIL.Bladabindi.37F8F495
VirIT | Backdoor.Win32.BladabindiNET.J
Symantec | ML.Attribute.HighConfidence
Elastic | Windows.Trojan.Njrat
ESET-NOD32 | a variant of MSIL/Bladabindi.AS
APEX | Malicious
Avast | Win32:KeyloggerX-gen [Trj]
Kaspersky | HEUR:Trojan.Win32.Generic
Alibaba | Backdoor:MSIL/AsyncRat.9a0d6783
Rising | Backdoor.njRAT!1.D4D6 (CLASSIC)
Emsisoft | Generic.MSIL.Bladabindi.37F8F495 (B)
F-Secure | Trojan.TR/Dropper.Gen7
DrWeb | BackDoor.BladabindiNET.9
Zillya | Trojan.Bladabindi.Win32.20413
TrendMicro | BKDR_BLADABI.SMC
McAfeeD | Real Protect-LS!741B73AC32F9
Trapmine | malicious.moderate.ml.score
CTX | exe.trojan.bladabindi
Sophos | Mal/AsyncRat-B
SentinelOne | Static AI - Malicious PE
FireEye | Generic.mg.741b73ac32f93409
Jiangmin | TrojanDropper.Autoit.dce
Google | Detected
Avira | TR/Dropper.Gen7
Kingsoft | malware.kb.c.1000
Gridinsoft | Ransom.Win32.Bladabindi.sa
Microsoft | Backdoor:MSIL/AsyncRat!atmn
ViRobot | Trojan.Win.Z.Bladabindi.27648.AMC
GData | MSIL.Trojan.Bladabindi.BW
Varist | W32/MSIL_Bladabindi.GD.gen!Eldorado
AhnLab-V3 | Backdoor/Win32.Bladabindi.R137413
McAfee | BackDoor-NJRat!741B73AC32F9
DeepInstinct | MALICIOUS
VBA32 | Trojan.MSIL.Autorave.Heur
Malwarebytes | Bladabindi.Backdoor.Bot.DDS
Ikarus | Trojan.MSIL.Agent
Panda | Trj/GdSda.A
Zoner | Trojan.Win32.118968
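Vendors in the table above name the sample three ways: Bladabindi (Microsoft's family name for njRAT), njRAT outright, and, for three engines, AsyncRat. A practitioner who needs one label from such a list tallies family tokens rather than trusting any single vendor. The Python below, added here as an example and not part of the report, does that for fifteen rows copied from the table; the prefix-to-family map is this editor's assumption, and "bladabi" is in it only to catch TrendMicro's truncated BKDR_BLADABI form.

```python
import re
from collections import Counter

# Family aliases keyed by label-token prefix (editor's assumption): Bladabindi is the
# vendor name most engines use for njRAT, and "bladabi" also covers BKDR_BLADABI.
FAMILY_PREFIXES = {
    "bladabi": "njrat",
    "njrat": "njrat",
    "asyncrat": "asyncrat",
}

# Fifteen rows copied from the antivirus table above: vendor, then the label.
AV_ROWS = """\
MicroWorld-eScan Generic.MSIL.Bladabindi.37F8F495
CrowdStrike win/malicious_confidence_100% (W)
K7GW Trojan ( 004b90a21 )
VirIT Backdoor.Win32.BladabindiNET.J
Elastic Windows.Trojan.Njrat
ESET-NOD32 a variant of MSIL/Bladabindi.AS
Kaspersky HEUR:Trojan.Win32.Generic
Alibaba Backdoor:MSIL/AsyncRat.9a0d6783
Rising Backdoor.njRAT!1.D4D6 (CLASSIC)
TrendMicro BKDR_BLADABI.SMC
Sophos Mal/AsyncRat-B
Microsoft Backdoor:MSIL/AsyncRat!atmn
Varist W32/MSIL_Bladabindi.GD.gen!Eldorado
McAfee BackDoor-NJRat!741B73AC32F9
Malwarebytes Bladabindi.Backdoor.Bot.DDS
"""


def family_of(label):
    """Map one vendor label to a family name, or None for generic/heuristic labels.
    Labels are split on anything that is not a letter or digit, so '.', '/', ':',
    '!', '-' and '_' all act as separators."""
    for token in re.split(r"[^0-9a-z]+", label.lower()):
        for prefix, family in FAMILY_PREFIXES.items():
            if token.startswith(prefix):
                return family
    return None


def family_votes(rows_text):
    """Counter of family -> number of vendors naming it (one vote per vendor)."""
    votes = Counter()
    for row in rows_text.splitlines():
        _vendor, _, label = row.partition(" ")
        family = family_of(label)
        if family:
            votes[family] += 1
    return votes


def consensus(rows_text):
    """(family, votes, vendors) for the most-named family, or (None, 0, vendors)."""
    vendors = len(rows_text.splitlines())
    votes = family_votes(rows_text)
    if not votes:
        return None, 0, vendors
    family, n = votes.most_common(1)[0]
    return family, n, vendors


if __name__ == "__main__":
    print(family_votes(AV_ROWS), consensus(AV_ROWS))
```

A tally is a triage aid, not ground truth: the AsyncRat minority here is outvoted, and the Yara hit Win_Backdoor_njRAT_2_Zero and the Elastic signature Windows.Trojan.Njrat above point the same way as the majority.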