| Field | Value |
|---|---|
| URL | https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Trojan.Bladabindi/Trojan.Bladabindi.zip?raw=true |
| Full analysis | https://app.any.run/tasks/4186113b-c55e-4fd1-94fc-0985344dcddf |
| Verdict | Malicious activity |
| Threats | njRAT (the family Microsoft detects as Bladabindi) is a remote access trojan. It is one of the most widely available RATs, and an abundance of educational material, including YouTube tutorials, lowers the bar for would-be operators; this has made it one of the most popular RATs in the world. |
| Analysis date | January 14, 2022, 21:20:20 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags | — |
| Indicators | — |
| MD5 | 44AC41843CF469BF48DF530CE290F450 |
| SHA1 | 1F092A3BAB11337591A6161E85AA65D186A095AB |
| SHA256 | 13F871F5165F7F1D4D993A225777D635051111A19B921C5021AEC61533E754B2 |
| SSDEEP | 3:N8tEdsxHuJKqIEHDhzzknE1fnE10Ej:2u6tuJKz+BFyrj |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 3660 | "C:\Program Files\Mozilla Firefox\firefox.exe" "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Trojan.Bladabindi/Trojan.Bladabindi.zip?raw=true" | C:\Program Files\Mozilla Firefox\firefox.exe | — | Explorer.EXE | admin | MEDIUM | Mozilla Corporation | Firefox | 83.0 | 0 |
| 2080 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Trojan.Bladabindi/Trojan.Bladabindi.zip?raw=true | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | admin | MEDIUM | Mozilla Corporation | Firefox | 83.0 | 0 |
| 2724 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.0.1345385875\778016606" -parentBuildID 20201112153044 -prefsHandle 1132 -prefMapHandle 1120 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 1220 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | admin | MEDIUM | Mozilla Corporation | Firefox | 83.0 | 1 |
| 3096 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.6.1970295046\1512721138" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2876 -prefsLen 181 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 2892 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | admin | LOW | Mozilla Corporation | Firefox | 83.0 | 0 |
| 308 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.13.1311578479\543549496" -childID 2 -isForBrowser -prefsHandle 3152 -prefMapHandle 3148 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3164 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | admin | LOW | Mozilla Corporation | Firefox | 83.0 | 0 |
| 2980 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.20.1706066929\226551640" -childID 3 -isForBrowser -prefsHandle 3644 -prefMapHandle 3144 -prefsLen 7307 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3628 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | admin | LOW | Mozilla Corporation | Firefox | 83.0 | 0 |
| 3328 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.27.1448391918\507484362" -childID 4 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3888 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | admin | LOW | Mozilla Corporation | Firefox | 83.0 | 0 |
| 3324 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2080.28.1906240146\987921710" -childID 5 -isForBrowser -prefsHandle 3904 -prefMapHandle 3760 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2080 "\\.\pipe\gecko-crash-server-pipe.2080" 3924 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | admin | LOW | Mozilla Corporation | Firefox | 83.0 | 0 |
| 4028 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Trojan.Bladabindi.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | admin | MEDIUM | Alexander Roshal | WinRAR archiver | 5.91.0 | 0 |
| 1820 | "C:\Users\admin\Desktop\hostr.exe" | C:\Users\admin\Desktop\hostr.exe | — | Explorer.EXE | admin | MEDIUM | — | — | 0.0.0.0 | 0 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3660 | firefox.exe | write | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher | C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher | 0FF8672150000000 |
| 2080 | firefox.exe | write | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher | C:\Program Files\Mozilla Firefox\firefox.exe\|Browser | 4801682150000000 |
| 2080 | firefox.exe | write | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher | C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry | 0 |
| 2080 | firefox.exe | write | HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment | C:\Program Files\Mozilla Firefox\firefox.exe | 0 |
| 2080 | firefox.exe | write | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent | C:\Program Files\Mozilla Firefox\|DisableTelemetry | 1 |
| 2080 | firefox.exe | write | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent | C:\Program Files\Mozilla Firefox\|DisableDefaultBrowserAgent | 0 |
| 2080 | firefox.exe | write | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent | C:\Program Files\Mozilla Firefox\|ServicesSettingsServer | https://firefox.settings.services.mozilla.com/v1 |
| 2080 | firefox.exe | write | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent | C:\Program Files\Mozilla Firefox\|SecurityContentSignatureRootHash | 97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E |
| 2080 | firefox.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0 |
| 2080 | firefox.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2080 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | — | — |
| 2080 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | — | — |
| 2080 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | 808E325E46F21722F2149FA409A6290F | ED33404E9FA13A1B19D07CF0EB4EA18A68FB38AB5C8959A3227BC54BA377F776 |
| 2080 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | text | 808E325E46F21722F2149FA409A6290F | ED33404E9FA13A1B19D07CF0EB4EA18A68FB38AB5C8959A3227BC54BA377F776 |
| 2080 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_K7sxlSJ1PcK9EVQ | binary | 351821E41EC0086E5EE4B40B74B78C7C | 7D0661D8684356385C846B65461F3E45C1F187264BC7C9AF978218FCA02FC8B8 |
| 2080 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | binary | 56AD6F46ADF9D5223558C0C78BECB40C | 53BF1A9D79ED5347D0C63B06831B28D452451E2BB3E9E2D5BCEF6241CAC00213 |
| 2080 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_bMfgBJE0v1eX6Ix | binary | 6576AE8B623130C767712BBD5303A45C | FB9350B50214C1B258C2F5EB2621310BF0414ED3C04A41DA060DCE6F8AFD9514 |
| 2080 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | binary | EA8B62857DFDBD3D0BE7D7E4A954EC9A | 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA |
| 2080 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm | binary | B7C14EC6110FA820CA6B65F5AEC85911 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB |
| 2080 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | binary | B7C14EC6110FA820CA6B65F5AEC85911 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2080 | firefox.exe | POST | 200 | 142.250.185.99:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
2080 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2080 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2080 | firefox.exe | POST | 200 | 142.250.185.99:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
2080 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2080 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 278 b | whitelisted |
2080 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | US | text | 8 b | whitelisted |
2080 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2080 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
2080 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2080 | firefox.exe | 142.250.186.138:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2080 | firefox.exe | 142.250.185.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2080 | firefox.exe | 143.204.98.33:443 | firefox.settings.services.mozilla.com | — | US | suspicious |
2080 | firefox.exe | 143.204.98.70:443 | snippets.cdn.mozilla.net | — | US | malicious |
2080 | firefox.exe | 52.26.7.9:443 | locprod2-elb-us-west-2.prod.mozaws.net | Amazon.com, Inc. | US | unknown |
2080 | firefox.exe | 143.204.98.120:443 | content-signature-2.cdn.mozilla.net | — | US | suspicious |
2080 | firefox.exe | 142.250.185.206:443 | location.services.mozilla.com | Google Inc. | US | whitelisted |
2080 | firefox.exe | 54.190.2.244:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| detectportal.firefox.com | — | whitelisted |
| github.com | — | shared |
| prod.detectportal.prod.cloudops.mozgcp.net | — | whitelisted |
| firefox.settings.services.mozilla.com | — | whitelisted |
| example.org | — | whitelisted |
| ipv4only.arpa | — | whitelisted |
| location.services.mozilla.com | — | whitelisted |
| locprod2-elb-us-west-2.prod.mozaws.net | — | whitelisted |
| ocsp.digicert.com | — | whitelisted |
| cs9.wac.phicdn.net | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2080 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2080 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
— | — | Potentially Bad Traffic | ET POLICY DNS Query to DynDNS Domain *.zapto .org |
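Of the three alerts, the two "Terse Request for .txt" hits are raised by Firefox's own captive-portal probe (the `detectportal.firefox.com/success.txt` requests in the HTTP table) and are noise here. The one that matters is the DNS query to a `*.zapto.org` host: zapto.org is a free dynamic-DNS domain, and the alert carries no PID, so the sensor could not tie the lookup to `hostr.exe` or any other process. The following is an added example and is not part of the any.run report or of the sample: a small Python detector that applies the same dynamic-DNS check to DNS query logs. The log format, the client addresses, the `c2host` label and the list of suffixes beyond zapto.org are all constructed or assumed for the example.

```python
"""Flag DNS queries to dynamic-DNS providers, the behaviour behind the
'ET POLICY DNS Query to DynDNS Domain *.zapto .org' alert.

Added example; not code from the any.run report or from the sample."""
import re
from typing import Iterable, NamedTuple, Optional

# Suffixes to alert on. zapto.org is the domain the alert names; the rest are
# other well-known free No-IP / Dyn / DuckDNS suffixes. Assumed starter list,
# extend it for your environment.
DYNDNS_SUFFIXES = (
    "zapto.org", "hopto.org", "no-ip.org", "no-ip.biz", "no-ip.info",
    "ddns.net", "sytes.net", "myftp.org", "serveftp.com", "servegame.com",
    "dyndns.org", "duckdns.org",
)


class DnsQuery(NamedTuple):
    ts: str
    client: str
    qname: str
    qtype: str


# Constructed log format for this example: "<ts> <client-ip> <qname> <qtype>".
_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z0-9]+)$"
)


def parse_dns_log(lines: Iterable[str]) -> list[DnsQuery]:
    """Parse log lines into DnsQuery records; malformed lines are skipped."""
    out = []
    for line in lines:
        m = _LINE.match(line.strip())
        if m:
            out.append(DnsQuery(**m.groupdict()))
    return out


def normalize_qname(qname: str) -> str:
    """Lower-case and drop the trailing root dot, so 'Foo.ZAPTO.org.' == 'foo.zapto.org'."""
    return qname.rstrip(".").lower()


def dyndns_suffix(qname: str) -> Optional[str]:
    """Return the dynamic-DNS suffix a query falls under, or None.

    Matching is on a label boundary: 'c2host.zapto.org' and 'zapto.org' match;
    'notzapto.org' and 'zapto.org.evil.example' do not."""
    name = normalize_qname(qname)
    for suffix in DYNDNS_SUFFIXES:
        if name == suffix or name.endswith("." + suffix):
            return suffix
    return None


def find_dyndns_queries(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (client, qname, suffix) for every query under a dynamic-DNS suffix."""
    hits = []
    for q in parse_dns_log(lines):
        suffix = dyndns_suffix(q.qname)
        if suffix:
            hits.append((q.client, normalize_qname(q.qname), suffix))
    return hits


# Constructed sample log: benign Firefox startup lookups taken from the
# report's connection table, one made-up dynamic-DNS lookup of the kind the
# alert fires on, one near-miss domain and one malformed line. Client IPs
# are invented.
SAMPLE_LOG = """\
2022-01-14T21:20:31Z 192.168.1.100 detectportal.firefox.com A
2022-01-14T21:20:32Z 192.168.1.100 ocsp.digicert.com A
2022-01-14T21:20:32Z 192.168.1.100 shavar.services.mozilla.com A
2022-01-14T21:20:40Z 192.168.1.100 c2host.zapto.org. A
2022-01-14T21:20:41Z 192.168.1.101 notzapto.org A
this line is malformed
"""

if __name__ == "__main__":
    for client, qname, suffix in find_dyndns_queries(SAMPLE_LOG.splitlines()):
        print(f"DynDNS query from {client}: {qname} (suffix {suffix})")
```

The suffix match is deliberately on a label boundary rather than a plain substring so that a lookalike registered domain does not trip it. As in the report, a network-side log only gives the client address; attributing the lookup to a process needs endpoint telemetry (for example Sysmon's DNS query event, ID 22), which is the gap the empty PID column reflects.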