Bladabindi RAT

malware analysis bladabindi njrat trojan
OO.exe is a Remote Access Trojan (RAT) known as Bladabindi written in .NET. This is sometimes associated with NJRAT and has been modified heavily over the last several years.


When executed, OO.exe copies itself to the %TEMP% directory and executes that copy, sets up persistence (see the persistence locations below), and kills the original executable. The program then adds a firewall exception with the following command:
  • netsh firewall add allowedprogram "[malware path]" "[malware name]" ENABLE

Once network access has been achieved, the trojan beacons to the C&C server found in its configuration. The configuration for the current file contains various parameters, including the current MUTEX and the C&C IP/port. These settings can be found near offset 0x4a9a, as depicted in the image to the right.

The trojan's initial beacon contains limited system survey information (left image). The next packet contains the implant's current configuration settings (right image, shown Base64 decoded).

When the trojan successfully connects to the C&C server it can perform the following RAT functionality:
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • uninstall itself
  • send the list of running processes to a remote computer
  • terminate running processes
  • execute shell commands
  • delete Registry entries
  • create Registry entries
  • capture screenshots


The copy executed from the %TEMP% directory:
  • C:\Users\User\AppData\Local\Temp\OO.exe


Persistence is established through a Startup folder copy and a Run key:
  • C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OO.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\[path-to-malware\OO.exe]


The Bladabindi trojan communicates via TCP, does not authenticate with the C&C, and does not use any obfuscation/encryption aside from Base64 in some fields.

The first 4 bytes represent the packet length [TotalPacketLength - 4] in ASCII. The ASCII number occupies the first 3 bytes and must be NULL-terminated at the 4th byte.

The next set of bytes contains a command sent to the implant from the controller. In my testing this field ranged from 2 to 4 bytes and used ASCII characters (see the command table below).

The next field is a custom delimiter for separating commands/data/parameters. In my testing this always contained the ASCII string |'|'| and is most likely configurable via the implant's settings. The number of delimiters varies depending on the command. In the following example we see 3 parameters being passed to the implant [ ~, examples, 1234 ].
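The framing described above (3-digit ASCII length plus NUL, a short ASCII command, then |'|'|-separated fields), as an added parser that is not part of the original write-up. The command string "ex" and the parameter values are constructed; zero-padding of the length prefix is an assumption consistent with the `[0-9]{3}` in the Snort signature below.

```python
"""Parse and validate Bladabindi/njRAT-style frames (added example, not the
write-up's own code). Useful for checking captured traffic against the
layout the analysis describes before writing or tuning a signature."""
import re
from dataclasses import dataclass
from typing import List

DELIM = b"|'|'|"
# Same pattern the write-up's Snort rule uses, applied to raw bytes.
FRAME_RE = re.compile(rb"^([0-9]{3})\x00([a-zA-Z]{2,4})\|'\|'\|")


@dataclass
class Frame:
    command: str
    params: List[str]


def build_frame(command: str, params: List[str]) -> bytes:
    """Assemble a frame; the prefix is TotalPacketLength - 4 (the body length)."""
    body = command.encode("ascii") + DELIM + DELIM.join(p.encode("utf-8") for p in params)
    if len(body) > 999:  # 3 ASCII digits cannot express a longer body
        raise ValueError("body too long for a 3-digit length prefix")
    # Assumption: lengths under 100 are zero-padded to 3 digits.
    return f"{len(body):03d}".encode("ascii") + b"\x00" + body


def parse_frame(data: bytes) -> Frame:
    """Validate the prefix, command and delimiter, then split the body."""
    m = FRAME_RE.match(data)
    if not m:
        raise ValueError("not a Bladabindi frame (bad length prefix, command or delimiter)")
    body_len, body = int(m.group(1)), data[4:]
    if len(body) != body_len:
        raise ValueError(f"length prefix {body_len} != actual body length {len(body)}")
    command = m.group(2).decode("ascii")
    # Everything after the command and its delimiter is delimiter-separated data.
    rest = body[len(command) + len(DELIM):]
    return Frame(command, [p.decode("utf-8", "replace") for p in rest.split(DELIM)])


def looks_like_bladabindi(data: bytes) -> bool:
    """Cheap triage check equivalent to the Snort pcre."""
    return FRAME_RE.match(data) is not None


# Constructed sample reproducing the 3-parameter example from the text.
SAMPLE = build_frame("ex", ["~", "examples", "1234"])
```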


Disassembling Bladabindi reveals the command table function "Ind". Many of the commands were confirmed through dynamic network analysis (replication). Some command functionality was determined through code analysis only and was not replicated.


The network protocol used by this RAT is easily interpreted using common techniques. The lack of authentication with the C&C and the absence of basic encryption/obfuscation leave this RAT vulnerable to tampering/exploitation.


The following Snort signature will detect Bladabindi network communications (the sid/rev added here are placeholders from the local-rules range; the original rule omitted them, and Snort will not load a rule without a sid):
  • alert tcp any any -> any any ( msg:"Bladabindi RAT Network Traffic"; pcre:"/^[0-9]{3}\0[a-zA-Z]{2,4}\|'\|'\|/"; sid:1000001; rev:1; )


The Bladabindi RAT is very malicious, but it isn't special. It employs common persistence techniques, is heavily detected by antivirus engines, and its functionality is mirrored by nearly every RAT on the market. The real danger with this trojan is its susceptibility to remote exploitation by other actors.