popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Update.exe

  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 March 8, 2021, 11:27 a.m. March 8, 2021, 11:29 a.m.
Size 37.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 808e1ade2dea30a742f120a5a26d6a32
SHA256 f0e7500c34b73fe1a535138f3e42e6192e4540d54f14688f9de00f382c953735
CRC32 F662BC5B
ssdeep 384:joJTgiG1CHZfursvO6yszaDIvRgTHWzSrAF+rMRTyN/0L+EcoinblneHQM3epzXT:kJn5WpszaDIWDWerM+rMRa8NuXft
Yara
  • IsPE32 - (no description)
  • IsNET_EXE - (no description)
  • IsWindowsGUI - (no description)
  • keylogger - Run a keylogger
  • Win_Backdoor_njRAT_Zero - Win Backdoor njRAT
  • PE_Header_Zero - PE File Signature Zero

Name Response Post-Analysis Lookup
gore.p-e.kr
A 125.185.111.249
125.185.111.249
IP Address Status Action
125.185.111.249 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

WriteConsoleA

 buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 .
console_handle: 0x00000007
1 1 0

WriteConsoleA

 buffer: Ok.
console_handle: 0x00000007
1 1 0
url http://www.expedia.com/favicon.ico
url http://uk.ask.com/favicon.ico
url http://www.priceminister.com/
url http://ru.wikipedia.org/
url http://www.merlin.com.pl/favicon.ico
url http://www.cnet.com/favicon.ico
url http://search.nifty.com/
url http://ns.adobe.com/exif/1.0/
url http://www.etmall.com.tw/
url http://search.goo.ne.jp/
url http://fr.wikipedia.org/favicon.ico
url http://busca.estadao.com.br/favicon.ico
url http://search.hanafos.com/favicon.ico
url http://search.chol.com/favicon.ico
url http://amazon.fr/
url http://www.amazon.co.jp/
url http://www.mtv.com/favicon.ico
url http://busqueda.aol.com.mx/
url http://search.live.com/results.aspx?FORM=SOLTDF
url http://msdn.microsoft.com/
url http://msdn.microsoft.com/workshop/security/privacy/overview/privacyimportxml.asp)
url http://www.sify.com/favicon.ico
url http://yellowpages.superpages.com/
url http://suche.freenet.de/
url http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson
url http://search.aol.com/
url http://browse.guardian.co.uk/
url http://www.mercadolibre.com.mx/
url http://www.asharqalawsat.com/
url http://www.facebook.com/
url http://si.wikipedia.org/favicon.ico
url http://www.rtl.de/favicon.ico
url http://search.msn.com/results.aspx?q=
url http://www.microsoft.com/pki/certs/MicrosoftWinPCA.crt0
url http://search.naver.com/favicon.ico
url http://en.wikipedia.org/favicon.ico
url http://si.wikipedia.org/w/api.php?action=opensearch
url http://udn.com/favicon.ico
url http://rover.ebay.com
url http://search.ebay.fr/
url http://www.univision.com/
url http://pt.wikipedia.org/w/api.php?action=opensearch
url http://it.wikipedia.org/favicon.ico
url http://uk.ask.com/
url http://www.google.co.uk/
url http://cnweb.search.live.com/results.aspx?q=
url http://www.google.cz/
url http://www.google.co.jp/
url http://search.ebay.co.uk/
url http://www.weather.com/
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
description Communications over P2P network rule network_p2p_win
description Communications over HTTP rule network_http
description File downloader/dropper rule network_dropper
description Communications over FTP rule network_ftp
description Communications over RAW socket rule network_tcp_socket
description Communications use DNS rule network_dns
description Communication using dga rule network_dga
description Escalade priviledges rule escalate_priv
description Take screenshot rule screenshot
description Run a keylogger rule keylogger
description Steal credential rule cred_local
description Record Audio rule sniff_audio
description APC queue tasks migration rule migrate_apc
description Malware can spread east-west file rule spreading_file
description Malware can spread east-west using share drive rule spreading_share
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
description Affect system token rule win_token
description Affect private profile rule win_private_profile
description Affect private profile rule win_files_operation
description Match Winsock 2 API library declaration rule Str_Win32_Winsock2_Library
description Match Windows Inet API library declaration rule Str_Win32_Wininet_Library
description Match Windows Inet API call rule Str_Win32_Internet_API
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Disable Firewall rule disable_firewall
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Code injection with CreateRemoteThread in a remote process rule inject_thread
description Hijack network configuration rule hijack_network
description Create a windows service rule create_service
description Create a COM server rule create_com_service
description Communications over UDP network rule network_udp_sock
description Listen for incoming communication rule network_tcp_listen
dead_host 125.185.111.249:5555
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader21.44181
MicroWorld-eScan Generic.MSIL.Bladabindi.814D18B9
CAT-QuickHeal Backdoor.Bladabindi.B3
McAfee Trojan-FIGN
Cylance Unsafe
Zillya Trojan.Bladabindi.Win32.72266
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan ( 700000121 )
Alibaba Backdoor:MSIL/Bladabindi.fbd6c1c2
K7GW Trojan ( 700000121 )
Cybereason malicious.e2dea3
Arcabit Generic.MSIL.Bladabindi.814D18B9
BitDefenderTheta Gen:NN.ZemsilF.34590.cmW@a0DXh0o
Cyren W32/MSIL_Troj.AP.gen!Eldorado
Symantec Backdoor.Ratenjay!gen3
ESET-NOD32 a variant of MSIL/Bladabindi.AR
APEX Malicious
Avast MSIL:Bladabindi-JK [Trj]
ClamAV Win.Trojan.B-468
Kaspersky HEUR:Trojan.Win32.Generic
BitDefender Generic.MSIL.Bladabindi.814D18B9
NANO-Antivirus Trojan.Win32.Autoruner2.ebrjyu
Paloalto generic.ml
AegisLab Trojan.Win32.Generic.4!c
Tencent Win32.Trojan.Generic.Dyqg
Ad-Aware Generic.MSIL.Bladabindi.814D18B9
Emsisoft Generic.MSIL.Bladabindi.814D18B9 (B)
Comodo TrojWare.MSIL.Spy.Agent.CP@4pqytu
F-Secure Trojan.TR/ATRAPS.Gen
Baidu MSIL.Backdoor.Bladabindi.a
VIPRE Trojan.Win32.Generic!BT
TrendMicro BKDR_BLADABI.SMC
McAfee-GW-Edition BehavesLike.Win32.Backdoor.nm
FireEye Generic.mg.808e1ade2dea30a7
Sophos Mal/Generic-R + Troj/Bbindi-W
Ikarus Worm.MSIL.Bladabindi
Jiangmin TrojanDropper.Autoit.dce
MaxSecure Trojan.Malware.300983.susgen
Avira TR/ATRAPS.Gen
MAX malware (ai score=100)
Antiy-AVL Trojan[Backdoor]/MSIL.Bladabindi.as
Microsoft Backdoor:MSIL/Bladabindi.B
ViRobot Backdoor.Win32.Agent.37888.AL
ZoneAlarm HEUR:Trojan.Win32.Generic
GData MSIL.Trojan-Spy.Bladabindi.BQ
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Korat.R207428
Acronis suspicious
VBA32 Trojan.Downloader