Summary | ZeroBOX

sdc.exe

backdoor, njRAT, Generic Malware, PE File, PE32, .NET EXE

Category   FILE
Machine    s1_win7_x6403_us
Started    April 29, 2025, 10:29 a.m.
Completed  April 29, 2025, 10:32 a.m.
Size 37.0KB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 7020cfffa61029750dd0bfb5f347fc35
SHA256 c82f8c5092aceb7586837977c4cce6277bfb90f5143cf9fc7cf27f453a5fe282
CRC32 E94E0319
ssdeep 384:QmOs0IiejvCVLO309QmykrtG+dA+VfwvOSiKrAF+rMRTyN/0L+EcoinblneHQM31:GFdGdkrgYRwWS9rM+rMRa8NuEft
Yara
  • PE_Header_Zero - PE File Signature
  • Win_Backdoor_njRAT_Zero - Win Backdoor njRAT
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware

Name               Response       Post-Analysis Lookup
7.tcp.eu.ngrok.io  3.126.224.214

IP Address     Status  Action
164.124.101.2  Active  Moloch
3.125.188.168  Active  Moloch
3.126.224.214  Active  Moloch

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2022642 ET INFO DNS Query to a *.ngrok domain (ngrok.io) Misc activity
TCP 192.168.56.103:49167 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49167 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49174 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49178 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49178 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49164 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49164 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49170 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49165 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49180 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49163 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49163 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49172 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49171 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49177 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49185 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49181 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49181 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2022642 ET INFO DNS Query to a *.ngrok domain (ngrok.io) Misc activity
TCP 192.168.56.103:49205 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49205 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49189 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49189 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49188 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49188 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49190 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49190 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49176 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49194 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49194 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49183 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49168 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49184 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49184 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49173 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49186 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49175 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49175 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49187 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49187 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49179 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49195 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49195 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49182 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49166 -> 3.125.188.168:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 3.125.188.168:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49192 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49192 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49196 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49196 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49197 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49197 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49199 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49199 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49202 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49202 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49201 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49201 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49191 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49191 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49193 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49193 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49198 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49198 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49200 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49200 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49204 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49204 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity
TCP 192.168.56.103:49203 -> 3.126.224.214:17449 2033132 ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll) Malware Command and Control Activity Detected
TCP 192.168.56.103:49203 -> 3.126.224.214:17449 2055385 ET INFO Possible Host Profile Exfiltration In Pipe Delimited Format Misc activity

Suricata TLS

No Suricata TLS

Time & API  Arguments  Status  Return  Repeated

WriteConsoleA
  buffer: IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 .
  console_handle: 0x00000007
  Status 1  Return 1  Repeated 0

WriteConsoleA
  buffer: Ok.
  console_handle: 0x00000007
  Status 1  Return 1  Repeated 0

Bkav W32.AIDetectMalware.CS
Lionic Trojan.Win32.njrat.4!c
CAT-QuickHeal Backdoor.Bladabindi.B3
Skyhigh BehavesLike.Win32.BackdoorNJRat.nm
Cylance Unsafe
VIPRE Gen:Heur.MSIL.Krypt.44
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Heur.MSIL.Krypt.44
K7GW Trojan ( aaa0070a1 )
K7AntiVirus Trojan ( 700000121 )
Arcabit Trojan.MSIL.Krypt.44
Baidu MSIL.Backdoor.Bladabindi.a
VirIT Trojan.Win32.DownLoader21.BPQW
Symantec Backdoor.Ratenjay!gen3
Elastic Windows.Trojan.Njrat
ESET-NOD32 a variant of MSIL/Bladabindi.AR
APEX Malicious
Avast MSIL:Bladabindi-JK [Trj]
ClamAV Win.Packed.Bladabindi-7994427-0
Kaspersky HEUR:Trojan.Win32.Generic
Alibaba Trojan:MSIL/njRAT.ade5688f
NANO-Antivirus Trojan.Win32.Autoruner2.ebrjyu
MicroWorld-eScan Gen:Heur.MSIL.Krypt.44
Rising Backdoor.njRAT!1.9E49 (CLASSIC)
Emsisoft Worm.Bladabindi (A)
F-Secure Trojan.TR/ATRAPS.Gen
DrWeb Trojan.MulDrop6.43244
Zillya Trojan.Bladabindi.Win32.72266
TrendMicro Backdoor.Win32.NJRAT.YXFD1Z
McAfeeD Real Protect-LS!7020CFFFA610
Trapmine malicious.moderate.ml.score
CTX exe.trojan.msil
Sophos Troj/Bbindi-W
SentinelOne Static AI - Malicious PE
Jiangmin TrojanDropper.Autoit.dce
Webroot W32.Trojan.Gen
Google Detected
Avira TR/ATRAPS.Gen
Antiy-AVL Trojan[Backdoor]/MSIL.Bladabindi.as
Kingsoft malware.kb.c.1000
Gridinsoft Trojan.Win32.NjRat.tr
Xcitium TrojWare.MSIL.Spy.Agent.CP@4pqytu
Microsoft Trojan:MSIL/njRAT.RDSA!MTB
ViRobot Backdoor.Win32.Agent.37888.AL
ZoneAlarm Troj/Bbindi-W
GData MSIL.Trojan-Spy.Bladabindi.BQ
Varist W32/MSIL_Troj.AP.gen!Eldorado
AhnLab-V3 Trojan/Win32.Korat.R207428
McAfee Trojan-FIGN