Bladabindi RAT

malware analysis bladabindi njrat trojan

OO.exe is a Remote Access Trojan (RAT) belonging to the Bladabindi family. Written in .NET, it is closely associated with NJRAT and has undergone significant modifications over several years of active deployment.

Filename: OO.exe
MD5: 22e7c961504b78aefa4ab6b0398ef583
Sample: Download via Malwr

Technical Details

Upon execution, OO.exe clones itself to the %TEMP% directory and initiates a persistence routine. To ensure exclusivity and stealth, it terminates the original executable and modifies local firewall rules using the following command:

netsh firewall add allowedprogram "[malware path]" "[malware name]" ENABLE

The trojan extracts its Command & Control (C2) configuration from its internal resource section (near offset 0x4a9a). This configuration includes the C2 IP address, Port, and a unique MUTEX to prevent multiple infections on the same host.

The initial network beacon transmits a limited system survey. Subsequent packets reveal the implant’s full configuration, typically encoded in Base64.

[Figures: survey beacon and config packet captures]

RAT Functionality

Once connected to the C2, the operator gains extensive control over the victim machine, including:

  • File upload/download and remote execution.
  • Self-updating and uninstallation capabilities.
  • Process management (listing and termination).
  • Registry manipulation (CRUD operations).
  • Interactive shell command execution and screen capture.

Forensic Artifacts

Dropped Files

  • C:\Users\User\AppData\Local\Temp\OO.exe

Persistence Mechanisms

  • Startup Folder: C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OO.exe
  • Registry Run Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\[path-to-malware\OO.exe]
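The netsh firewall change and the persistence locations above are the host-side artifacts a responder can pivot on. The following Python script is an added example (not code from the original write-up) that triages constructed process-creation events and registry Run values for those two patterns: a `netsh firewall add allowedprogram` whitelisting of a binary in the user Temp or Startup folder, and a Run value pointing into the same locations. The event tuple layouts, PIDs and the benign entries are assumptions made up for the example; only the OO.exe paths and the netsh syntax come from the write-up.

```python
import re

# Command line described in the write-up: the program path is the first argument
# after "allowedprogram", quoted or not.
NETSH_ALLOWEDPROGRAM = re.compile(
    r'netsh(?:\.exe)?\s+firewall\s+add\s+allowedprogram\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)

# Directories the write-up lists for the dropped copy and the startup entry
# (lower-cased, with trailing separators, for substring matching).
USER_WRITABLE_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\start menu\\programs\\startup\\",
)

RUN_KEY = "hkey_local_machine\\software\\microsoft\\windows\\currentversion\\run"

# Constructed telemetry (assumption: (pid, command_line) and
# (key_path, value_name, value_data) tuples; not real captured data).
SAMPLE_EVENTS = [
    (1204, r'netsh firewall add allowedprogram "C:\Users\User\AppData\Local\Temp\OO.exe" "OO.exe" ENABLE'),
    (1310, r'netsh firewall add allowedprogram "C:\Program Files\Vendor\agent.exe" "agent" ENABLE'),
    (1422, r'netsh advfirewall show allprofiles'),
]
SAMPLE_RUN_VALUES = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "OO.exe", r"C:\Users\User\AppData\Local\Temp\OO.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
     "VendorUpdater", r"C:\Program Files\Vendor\updater.exe"),
]


def netsh_allowed_program(cmdline: str):
    """Return the program path a `netsh firewall add allowedprogram` command
    whitelists, or None if the line is not such a command."""
    m = NETSH_ALLOWEDPROGRAM.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def in_user_writable_dir(path: str) -> bool:
    """True if the path lies in the Temp or Startup folder."""
    p = path.lower()
    return any(d in p for d in USER_WRITABLE_DIRS)


def triage_process_events(events):
    """Flag netsh whitelisting of a binary that runs from Temp or Startup.
    Returns a list of (pid, program_path) hits."""
    hits = []
    for pid, cmdline in events:
        prog = netsh_allowed_program(cmdline)
        if prog and in_user_writable_dir(prog):
            hits.append((pid, prog))
    return hits


def triage_run_values(values):
    """Flag HKLM Run values whose data points into Temp or Startup.
    Returns a list of (value_name, value_data) hits."""
    hits = []
    for key, name, data in values:
        if key.lower().rstrip("\\") == RUN_KEY and in_user_writable_dir(data):
            hits.append((name, data))
    return hits


if __name__ == "__main__":
    for pid, prog in triage_process_events(SAMPLE_EVENTS):
        print(f"pid {pid}: netsh whitelisted {prog}")
    for name, data in triage_run_values(SAMPLE_RUN_VALUES):
        print(f"Run value {name!r} -> {data}")
```

The regex deliberately accepts both quoted and unquoted program paths, since the write-up shows the quoted form but netsh accepts either; the directory check keys on location rather than on the file name, so a renamed copy in Temp is still flagged.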

Network Protocol Analysis

Bladabindi uses a custom TCP protocol with no authentication and no encryption; its only obfuscation is Base64 encoding of some fields.

  • Packet Length: The first 4 bytes indicate the length [TotalPacketLength - 4] in ASCII, followed by a NULL terminator.
  • Command Field: 2 to 4 bytes identifying the operation to be performed.
  • Delimiters: Parameters are separated by a custom string, typically |'|'|.

Command Structure

Disassembly of the Ind function reveals the following command table mapping:

Detection & Conclusion

Snort Signature:

# sid and rev are required by Snort; the sid below is a placeholder in the local (1000000+) range
alert tcp any any -> any any ( msg:"Bladabindi RAT Network Traffic"; pcre:"/^[0-9]{3}\0[a-zA-Z]{2,4}\|'\|'\|/"; sid:1000001; rev:1; )
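To make the framing in the Network Protocol Analysis section and the signature above concrete, here is an added Python example (not the author's code) that builds packets in the described format, parses a captured stream back into command and parameter fields, and tests packets against a Python equivalent of the rule's pcre. It assumes the 4-byte length prefix is 3 ASCII digits plus a NULL, as the pcre implies; the command names and parameter values in the sample are constructed and are not real Bladabindi commands.

```python
import re

# Parameter delimiter described in the write-up.
DELIM = b"|'|'|"

# Python equivalent of the pcre in the Snort rule above, for offline testing.
# Assumption: the 3-digit length matches the 4-byte prefix (3 ASCII digits + NUL).
SIGNATURE = re.compile(rb"^[0-9]{3}\0[a-zA-Z]{2,4}\|'\|'\|")


def build_packet(command: str, *params: str) -> bytes:
    """Construct a packet in the described framing (test data only):
    ASCII length of the body, a NUL, then command and parameters joined
    by the delimiter. The length excludes the 4-byte prefix itself."""
    body = DELIM.join(f.encode() for f in (command, *params))
    return b"%03d\0" % len(body) + body


def parse_packet(data: bytes):
    """Parse one packet from the start of `data`.

    Returns (command, params, rest), where `rest` is whatever follows the
    packet (the next packet in a stream, or b""). Raises ValueError when
    the bytes do not fit the described framing."""
    nul = data.find(b"\0")
    if nul < 1 or not data[:nul].isdigit():
        raise ValueError("missing ASCII length prefix")
    length = int(data[:nul])
    start = nul + 1
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    fields = body.split(DELIM)
    command = fields[0].decode("ascii", errors="replace")
    # The write-up gives the command field as 2 to 4 bytes; the pcre restricts it to letters.
    if not 2 <= len(command) <= 4 or not command.isalpha():
        raise ValueError(f"unexpected command field {command!r}")
    params = [f.decode("utf-8", errors="replace") for f in fields[1:]]
    return command, params, data[start + length:]


def parse_stream(data: bytes):
    """Split a captured TCP stream into (command, params) tuples."""
    packets = []
    while data:
        command, params, data = parse_packet(data)
        packets.append((command, params))
    return packets


def matches_signature(data: bytes) -> bool:
    """True if the start of `data` would trigger the Snort pcre."""
    return SIGNATURE.match(data) is not None


if __name__ == "__main__":
    # Constructed sample stream: command names and values are made up.
    sample = build_packet("info", "HOST-EXAMPLE", "Win7") + build_packet("ok")
    for cmd, params in parse_stream(sample):
        print(cmd, params)
    print("signature hit:", matches_signature(sample))
```

Note that the pcre anchors on a 3-digit length, so a packet whose length prefix has a different digit count would not match it even though the parser above would still decode it; when tuning the rule, compare its hits against what the parser recovers from a capture.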

Conclusion: While Bladabindi is a potent threat, it relies on standard persistence and communication methods that are well-documented and widely detected. Its primary weakness—and a danger to the victim—is the unauthenticated nature of its C2 protocol, which allows third-party actors to potentially hijack the connection and exploit the infected host.

Happy hunting.