Concrete signature match: Trojan (appears legitimate but performs malicious actions), platform .NET (Microsoft Intermediate Language), family Bladabindi
Trojan:MSIL/Bladabindi is a critical-severity threat built on the .NET (MSIL) platform, identified by concrete signatures such as specific executable names like 'w.exe' and numerous randomly generated registry keys under the 'Software' hive. As a Trojan, it is designed to establish persistence and perform unauthorized malicious actions, potentially leading to system compromise, data theft, or further malware deployment.
Relevant strings associated with this threat:
- ExeName (PEHSTR_EXT)
- w.exe (PEHSTR_EXT)
- w.My.Resources (PEHSTR_EXT)
- CompDir (PEHSTR)
- server.exe (PEHSTR_EXT)
- \Nouveau (PEHSTR_EXT)
- njRAT.proc.resources (PEHSTR)
- Builder.resources (PEHSTR)
- njRAT.Chat.resources (PEHSTR)
- ntdll (PEHSTR_EXT)
- capGetDriverDescriptionA (PEHSTR_EXT)
- avicap32.dll (PEHSTR_EXT)
- cmd.exe / (PEHSTR_EXT)
- ping 127.0.0.1 & del " (PEHSTR_EXT)
- Server.exe (PEHSTR_EXT)
- \stub.exe (PEHSTR_EXT)
- ok.exe (PEHSTR_EXT)
- \Mr.Zamil\Zamil\obj\Debug\ (PEHSTR_EXT)
- Patch.exe (PEHSTR_EXT)
- NJServer.exe (PEHSTR_EXT)
- NJServer (PEHSTR_EXT)
- NJServer.MDIParent1.resources (PEHSTR_EXT)
- e = "http://icbg-iq.com/Scripts/kinetics/droids/gangrini/upload/regzab.exe" (MACROHSTR_EXT)
- CreateObject("WScript.Shell").Run (Replace(c, "https://www.google.com/images/srpr/logo1w.png", e)), 0, True (MACROHSTR_EXT)
- Stub.exe (PEHSTR_EXT)
- CreateObject("Wscript.Shell") (PEHSTR_EXT)
- WScript.sleep (PEHSTR_EXT)
- .sendkeys"{numlock}" (PEHSTR_EXT)
- .sendkeys"{capslock}" (PEHSTR_EXT)
- .sendkeys"{scrolllock}" (PEHSTR_EXT)
- Server.sfx.exe (PEHSTR_EXT)
- \Worm (PEHSTR_EXT)
- set_UseShellExecute (PEHSTR_EXT)
- ServerComputer (PEHSTR_EXT)
- CopyFromScreen (PEHSTR_EXT)
- System.Net.Sockets (PEHSTR_EXT)
- Svhost64.Hmza (PEHSTR_EXT)
- Svhost64.Utility (PEHSTR_EXT)
- EXE (PEHSTR_EXT)
- C:\Users\NO_LOVINO\ (PEHSTR_EXT)
- TypeScript Keyboard Sync.exe (PEHSTR)
- 33333333.exe (PEHSTR_EXT)
- .exe (PEHSTR)
- System Exporer.pdb (PEHSTR_EXT)
- Source\Repos\deploy\deploy\obj\Debug\deploy.pdb (PEHSTR_EXT)
- crypter black cat semi fud = usar esse = final\software.pdb (PEHSTR_EXT)
- Software.Resources.resources (PEHSTR_EXT)
- #Bw.#Th.resources (PEHSTR_EXT)
- TubeHygrostat.dll (PEHSTR)
- (%%\rundll32.exe TubeHygrostat,Xerophytes (PEHSTR)
- *%%\rundll32.exe Cholecystostomy,Shorelines (PEHSTR)
- Cholecystostomy.dll (PEHSTR)
- %%%\rundll32.exe Creatinine,Shorelines (PEHSTR)
- Creatinine.dll (PEHSTR)
- %%\rundll32.exe Chilblain,Pretor (PEHSTR)
- Chilblain.dll (PEHSTR)
- QcXFu~jV(;".resources (PEHSTR_EXT)
- ~TVqQ,M,,E,,//8,Lg,,,,AQ,,,,,,,,,,,,,,,,,,,,,,,Ag,,A4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJ (PEHSTR)
- System.Net.NetworkInformation (PEHSTR_EXT)
- Covid.exe (PEHSTR_EXT)
- https://hastebin.com/raw/maruzucehi (PEHSTR_EXT)
- http://www.gustabf.tk/update.txt (PEHSTR_EXT)
- \Documents\Pass Vault\AccountPassword (PEHSTR_EXT)
- \Documents\Pass Vault\Keys.txt (PEHSTR_EXT)
- \Documents\Pass Vault\KeysDecrypted.txt (PEHSTR_EXT)
- cmd.exe /c ping 0 -n 2 & del (PEHSTR_EXT)
- get_ExecutablePath (PEHSTR_EXT)
- Decompress (PEHSTR_EXT)
- ExecBytes (PEHSTR_EXT)
- Beta.Charlie (PEHSTR_EXT)
- good.dll (PEHSTR_EXT)
- /c start /I (PEHSTR_EXT)
- njStub (PEHSTR_EXT)
- CompressionMode (PEHSTR_EXT)
- HttpWebResponse (PEHSTR_EXT)
- DecompressGzip (PEHSTR_EXT)
- \Documents\dllhost /f (PEHSTR_EXT)
- cmd.exe /C Y /N /D Y /T 1 & Del (PEHSTR_EXT)
- Debug.txt (PEHSTR_EXT)
- Debug\TestCrypter0.pdb (PEHSTR_EXT)
- temp\Assembly.exe (PEHSTR_EXT)
- svchost.Windows (PEHSTR_EXT)
- C:\Users\AShoky (PEHSTR_EXT)
- svchost.pdb (PEHSTR_EXT)
- $this.Text (PEHSTR_EXT)
- GetExecutingAssembly (PEHSTR_EXT)
- ScreenLock (PEHSTR_EXT)
- SOFTWARE\Microsoft\Windows\CurrentVersion\Run (PEHSTR_EXT)
- ComputeStringHash (PEHSTR_EXT)
- CompareString (PEHSTR_EXT)
- https://cdn.discordapp.com/attachment (PEHSTR_EXT)
- RunWorkerCompletedEventHandler (PEHSTR_EXT)
- OneDrive.CSGO_ERR.resources (PEHSTR_EXT)
- Phoenix\source\repos\OneDrive\OneDrive\obj\ (PEHSTR_EXT)
- \OneDrive.pdb (PEHSTR_EXT)
- TVqQAAMAAAAEAAAA// (PEHSTR_EXT)
- cubel.userspprtaddrss@gmail.com (PEHSTR_EXT)
- Esyybfsfz.Properties.Resources (PEHSTR_EXT)
- TripleDESCryptoServiceProvider (PEHSTR_EXT)
- System.Threading.Tasks (PEHSTR_EXT)
- System.Net.Http (PEHSTR_EXT)
- HttpClient (PEHSTR_EXT)
- FuckinPizdec.core.Config (PEHSTR_EXT)
- Updata.exe (PEHSTR_EXT)
- AAhvUE4rEQTdIaoQ5jS (PEHSTR_EXT)
- AesCryptoServiceProvider (PEHSTR_EXT)
- Anon_SE.Resources.resource (PEHSTR_EXT)
- moc.nibetsap (PEHSTR_EXT)
- /war/@58EC30A9C23230564C@ (PEHSTR_EXT)
- a.top4top.io/p_2428mn69 (PEHSTR_EXT)
- LOST.DIR (PEHSTR_EXT)
- Newtonsoft.Json (PEHSTR_EXT)
- virus@satinfo.es (PEHSTR_EXT)
- Keylogger.Bladabindi (PEHSTR_EXT)
- Malware.Postal (PEHSTR_EXT)
- Ransom.Servcc (PEHSTR_EXT)
- Trojan.DistTrack (PEHSTR_EXT)
- Malware.Zambrano (PEHSTR_EXT)
- OQVwu.dll (PEHSTR_EXT)
- fwsrM.dll (PEHSTR_EXT)
- SHELL.pdb (PEHSTR_EXT)
- SHELL.exe (PEHSTR_EXT)
- C:\Users\xD\source\repos\SHELL\SHELL\obj\Release\SHELL.pdb (PEHSTR_EXT)
- Powered by SmartAssembly 8.1.0.4892 (PEHSTR_EXT)
- 4System.Web.Services.Protocols.SoapHttpClientProtocol (PEHSTR_EXT)
- BasedAntiVT.exe (PEHSTR_EXT)
- asdjJ.My.Resources (PEHSTR_EXT)
- EbVk9dMWvodsu0FgZR.NmURtsZH4NPNGZPSBg (PEHSTR_EXT)
- PNtI1fLt4Uo6sHbjOZ.h4cXQoprHHsXJ7n4FT (PEHSTR_EXT)
- iW9w8DsHAomrjYpRwi.iihBjoh62YiGXsMgBR (PEHSTR_EXT)
- /:/CQ0JX,FV1Vd2We0Sa4Tc4Q (PEHSTR_EXT)
- shell.Run Gbkjkskbnmbsss (PEHSTR_EXT)
- sS.Resources.resource (PEHSTR_EXT)
- SEEDCRACKER.g.resources (PEHSTR_EXT)
- CM_Links.Properties.Resources.resource (PEHSTR_EXT)
- MI.exe (PEHSTR_EXT)
- xra8xOYACcZLOEIdG1.7QPJAtJLH9hkO4Nex9 (PEHSTR_EXT)
- WindowsApplication2.Resources.resource (PEHSTR_EXT)
- tmpC394.tmp (PEHSTR_EXT)
- 33333333.g.resources (PEHSTR_EXT)
- aR3nbf8dQp2feLmk31.lSfgApatkdxsVcGcrktoFd.resources (PEHSTR_EXT)
- sss.Resources (PEHSTR_EXT)
- WindowsFormsApp1.Properties.Resources.resources (PEHSTR_EXT)
- exe2powershell-master (PEHSTR_EXT)
- imfree2.Resources.resource (PEHSTR_EXT)
- Encryptado.exe (PEHSTR_EXT)
- HttpResponse (PEHSTR_EXT)
- System.Security.Cryptography (PEHSTR_EXT)
- CompressShell (PEHSTR_EXT)
- TVqQ==M====E====//8==Lg=========Q===============================================g=====4fug4=t=nNI (PEHSTR_EXT)
- sk-krona.fun (PEHSTR_EXT)
- qapifexugaroluruje (PEHSTR_EXT)
- textfile.txt (PEHSTR_EXT)
- Microsoft\svchost.exe (PEHSTR_EXT)
- cmd.exe /k ping 0 & del (PEHSTR_EXT)
- root\SecurityCenter (PEHSTR_EXT)
- Nero lait\obj\Debug\Nero lait.pdb (PEHSTR_EXT)
- i_Shitted_My_Self.exe (PEHSTR_EXT)
- http://167.71.14.135 (PEHSTR_EXT)
- Add-MpPreference -ExclusionProcess "svchost.exe" (PEHSTR_EXT)
- AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (PEHSTR_EXT)
- AppData\Roaming\Microsoft\Windows';Add-MpPreference -ExclusionPath 'C:\Users (PEHSTR_EXT)
- Microsoft\Windows\Windows.exe (PEHSTR_EXT)
- powershell.exe (PEHSTR_EXT)
- \obj\Debug\Software.pdb (PEHSTR_EXT)
- X.lugia.resources (PEHSTR_EXT)
- XClient.g.resources (PEHSTR_EXT)
- crypter0.My.Resources (PEHSTR_EXT)
- ExtractAndRunExe (PEHSTR_EXT)
- R///e///////g/A//////s/m/./e////x/////e (PEHSTR_EXT)
- Uninst.exe (PEHSTR_EXT)
- Uninstaller.exe (PEHSTR_EXT)
- Uninstal.exe (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)

rule Trojan_MSIL_Bladabindi_PA_2147744898_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Trojan:MSIL/Bladabindi.PA!MTB"
        threat_id = "2147744898"
        type = "Trojan"
        platform = "MSIL: .NET intermediate language scripts"
        family = "Bladabindi"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "22"
        strings_accuracy = "Low"
    strings:
        $x_1_1 = "EntryPoint" wide //weight: 1
        $x_1_2 = "Invoke" wide //weight: 1
        $x_10_3 = {70 18 18 28 ?? 00 00 06 6f ?? 00 00 0a ?? ?? 14 72 ?? 00 00 70 14 14 14 14 28 ?? 00 00 0a 14 72 ?? 00 00 70 18 8d 01 00 00 01 [0-4] 16 16 8c ?? 00 00 01 a2 [0-2] 14 14 14 28 ?? 00 00 0a [0-2] 2a a0 00 28 ?? 00 00 06 ?? 28 ?? 00 00 0a 06 [0-2] 28 ?? 00 00 0a 28 ?? 00 00 0a} //weight: 10, accuracy: Low
        $x_10_4 = {0a 0b 06 6f ?? 00 00 0a [0-2] 73 ?? 00 00 0a 0c 08 07 6f ?? 00 00 0a [0-2] 08 04 6f ?? 00 00 0a [0-2] 08 05 6f ?? 00 00 0a [0-2] 08 6f ?? 00 00 0a [0-2] 02 16 02 8e 69 6f ?? 00 00 0a [0-2] 0d 08 6f ?? 00 00 0a [0-2] 09 13 04 11 04 2a} //weight: 10, accuracy: Low
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

SHA-256: b4abd1c57d5deab070c3d3dd4a8210ce666799a9fd8d72a4cdd62a7fe4a6c6e5

Recommended response: Immediately isolate the infected system from the network. Perform a full system scan with up-to-date antivirus software to quarantine and remove all identified malicious files and associated registry entries. Thoroughly investigate for any signs of further compromise, lateral movement, or data exfiltration, and review system logs and user accounts for suspicious activity.