Backdoor.Bladabindi

By CagedTech in Backdoors

Threat Scorecard

Popularity Rank:	6,610
Threat Level:	60 % (Medium)
Infected Computers:	105,802

First Seen:	May 1, 2013
Last Seen:	April 13, 2026
OS(es) Affected:	Windows

Table of Contents

Aliases

15 security vendors flagged this file as malicious.

Antivirus Vendor	Detection
Ikarus	not-a-virus:RiskTool.Win32.BitCoinMiner
Sophos	Bitcoin Miner
Kaspersky	not-a-virus:RiskTool.Win32.BitCoinMiner.cns
AVG	Generic32.CKXR
Sophos	Troj/Agent-ABNT
Kaspersky	Trojan.Win32.Redyms.pix
Avast	Win32:Rootkit-gen [Rtk]
Panda	Trj/Genetic.gen
AVG	Crypt_s.AVA
Ikarus	Trojan.Crypt_s
AhnLab-V3	Dropper/Win32.Clons
AntiVir	TR/Crypt.TPM.Gen
Comodo	Backdoor.Win32.Agent.SPA
Kaspersky	Trojan-Dropper.Win32.Clons.zzx
F-Prot	W32/Boaxxe.F2.gen!Eldorado

SpyHunter Detects & Remove Backdoor.Bladabindi

File System Details

Backdoor.Bladabindi may create the following file(s):

Expand All | Collapse All

#	File Name	MD5	Detections Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
1.	c5dbc4b5114eccb1261dfdb2194089a8.exe	52e8d405637fbd963055823c15f0f9a1	144
Name: c5dbc4b5114eccb1261dfdb2194089a8.exe MD5: 52e8d405637fbd963055823c15f0f9a1 Size: 115.71 KB (115712 bytes) Detections: 144 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\c5dbc4b5114eccb1261dfdb2194089a8.exe Group: Malware file Last Updated: June 26, 2020
2.	48d63ee9bfd6d65c02373667cd2c8697.exe	71fb65eb058f3eec32c74a04a78e831c	61
Name: 48d63ee9bfd6d65c02373667cd2c8697.exe MD5: 71fb65eb058f3eec32c74a04a78e831c Size: 1.01 MB (1017856 bytes) Detections: 61 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\48d63ee9bfd6d65c02373667cd2c8697.exe Group: Malware file Last Updated: May 3, 2024
3.	5f805e177fa7c673482c92c255460b67.exe	d313b3409a30ce1040ce3d010f4e4b99	39
Name: 5f805e177fa7c673482c92c255460b67.exe MD5: d313b3409a30ce1040ce3d010f4e4b99 Size: 200.7 KB (200704 bytes) Detections: 39 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5f805e177fa7c673482c92c255460b67.exe Group: Malware file Last Updated: March 8, 2024
4.	017896e94ee32e077c688af9a248e03f.exe	dc45685c7921768488485c054a5562b0	25
Name: 017896e94ee32e077c688af9a248e03f.exe MD5: dc45685c7921768488485c054a5562b0 Size: 615.93 KB (615936 bytes) Detections: 25 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\017896e94ee32e077c688af9a248e03f.exe Group: Malware file Last Updated: July 27, 2023
5.	56950d8c4bc04b6faabb3fd849300f81.exe	e0d78fe03901a9a7d6b2bdae3c14cb72	19
Name: 56950d8c4bc04b6faabb3fd849300f81.exe MD5: e0d78fe03901a9a7d6b2bdae3c14cb72 Size: 1.63 MB (1635328 bytes) Detections: 19 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\56950d8c4bc04b6faabb3fd849300f81.exe Group: Malware file Last Updated: September 14, 2020
6.	7a4c1aa1519c6bee178f8fbf3ccffa01.exe	fecb975fe7b949c414640a3ff2cbae88	15
Name: 7a4c1aa1519c6bee178f8fbf3ccffa01.exe MD5: fecb975fe7b949c414640a3ff2cbae88 Size: 181.24 KB (181248 bytes) Detections: 15 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7a4c1aa1519c6bee178f8fbf3ccffa01.exe Group: Malware file Last Updated: July 24, 2022
7.	e7519346edbd1261bb7e4084fb50cd6b.exe	e4396258e2a50828a318f2d35785d93d	14
Name: e7519346edbd1261bb7e4084fb50cd6b.exe MD5: e4396258e2a50828a318f2d35785d93d Size: 16.89 KB (16896 bytes) Detections: 14 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e7519346edbd1261bb7e4084fb50cd6b.exe Group: Malware file Last Updated: June 26, 2020
8.	58c6ed6a71daea3cb58e4fa06beab2bd.exe	3a101e54c316fbf58778c71dda9299e5	12
Name: 58c6ed6a71daea3cb58e4fa06beab2bd.exe MD5: 3a101e54c316fbf58778c71dda9299e5 Size: 654.33 KB (654336 bytes) Detections: 12 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\58c6ed6a71daea3cb58e4fa06beab2bd.exe Group: Malware file Last Updated: August 14, 2022
9.	3008b25cd890618ead84115e2b073a47.exe	fd21ff54f5a33b5b37260814d0731c2a	11
Name: 3008b25cd890618ead84115e2b073a47.exe MD5: fd21ff54f5a33b5b37260814d0731c2a Size: 202.24 KB (202240 bytes) Detections: 11 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3008b25cd890618ead84115e2b073a47.exe Group: Malware file Last Updated: June 26, 2020
10.	troj_generic_ebc5a6b5083f5b9a0d2e2aadfd2daa3d3697a23461c0cc40ff347672c75767d0.exe	d682acc4b6eae500dc3c908dbaedf519	10
Name: troj_generic_ebc5a6b5083f5b9a0d2e2aadfd2daa3d3697a23461c0cc40ff347672c75767d0.exe MD5: d682acc4b6eae500dc3c908dbaedf519 Size: 46.08 KB (46080 bytes) Detections: 10 Type: Executable File Path: c:\Users\<username>\downloads Group: Malware file Last Updated: April 19, 2019
11.	a0bd4888d482d751fa2518c73e7d2a9f.exe	5a33c50a8117f87ae4ef0da3bacfb12d	10
Name: a0bd4888d482d751fa2518c73e7d2a9f.exe MD5: 5a33c50a8117f87ae4ef0da3bacfb12d Size: 1.22 MB (1225160 bytes) Detections: 10 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0bd4888d482d751fa2518c73e7d2a9f.exe Group: Malware file Last Updated: June 26, 2020
12.	62b4a7f32364bd20762dd3b30db01d93.exe	09d66712ca96bd1a7d627e66c60b2b9c	9
Name: 62b4a7f32364bd20762dd3b30db01d93.exe MD5: 09d66712ca96bd1a7d627e66c60b2b9c Size: 300.54 KB (300544 bytes) Detections: 9 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\62b4a7f32364bd20762dd3b30db01d93.exe Group: Malware file Last Updated: June 26, 2020
13.	cc6885fb771802b45c9dcc628f9ad989.exe	de479c9e92ecc1ac8447901cdce64bce	8
Name: cc6885fb771802b45c9dcc628f9ad989.exe MD5: de479c9e92ecc1ac8447901cdce64bce Size: 709.63 KB (709632 bytes) Detections: 8 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cc6885fb771802b45c9dcc628f9ad989.exe Group: Malware file Last Updated: June 26, 2020
14.	5db5c656e6f615eba326e0e421c56c58.exe	270c797a677b22b3f768350412969936	7
Name: 5db5c656e6f615eba326e0e421c56c58.exe MD5: 270c797a677b22b3f768350412969936 Size: 411.13 KB (411136 bytes) Detections: 7 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5db5c656e6f615eba326e0e421c56c58.exe Group: Malware file Last Updated: June 26, 2020
15.	79c3667e6e3ee30e7cbb11fd90ef9fe4.exe	fa3c14ca50dbc11e58800f1bdf462f5f	7
Name: 79c3667e6e3ee30e7cbb11fd90ef9fe4.exe MD5: fa3c14ca50dbc11e58800f1bdf462f5f Size: 139.26 KB (139264 bytes) Detections: 7 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79c3667e6e3ee30e7cbb11fd90ef9fe4.exe Group: Malware file Last Updated: June 26, 2020
16.	3565237e66224ab2498e196ce0aff5cd.exe	522848c65ceb2f2acb9fcfb2e99a94e6	7
Name: 3565237e66224ab2498e196ce0aff5cd.exe MD5: 522848c65ceb2f2acb9fcfb2e99a94e6 Size: 695.29 KB (695292 bytes) Detections: 7 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3565237e66224ab2498e196ce0aff5cd.exe Group: Malware file Last Updated: June 26, 2020
17.	69b5b7ca364f50a6f2ca0f32b9e3c064.exe	4c721d10ff63f1ec9bb0415a4a7a5c0e	7
Name: 69b5b7ca364f50a6f2ca0f32b9e3c064.exe MD5: 4c721d10ff63f1ec9bb0415a4a7a5c0e Size: 44.03 KB (44032 bytes) Detections: 7 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\69b5b7ca364f50a6f2ca0f32b9e3c064.exe Group: Malware file Last Updated: June 26, 2020
18.	a5ab2dbc68c601545cd9a9946ac0b01c.exe	3715f2a674f9b3996b0309724188aa73	6
Name: a5ab2dbc68c601545cd9a9946ac0b01c.exe MD5: 3715f2a674f9b3996b0309724188aa73 Size: 651.77 KB (651776 bytes) Detections: 6 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a5ab2dbc68c601545cd9a9946ac0b01c.exe Group: Malware file Last Updated: June 26, 2020
19.	9f192a1f8ea7e654ab7f4f6227bc120c.exe	3770847fb83d43a0fa2c2a9cff45202f	5
Name: 9f192a1f8ea7e654ab7f4f6227bc120c.exe MD5: 3770847fb83d43a0fa2c2a9cff45202f Size: 80.89 KB (80896 bytes) Detections: 5 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9f192a1f8ea7e654ab7f4f6227bc120c.exe Group: Malware file Last Updated: November 8, 2021
20.	f683abc40afcb2fb0f4a33d15709c9b7.exe	09604a0cc24b679da7cf9b2c0d576410	5
Name: f683abc40afcb2fb0f4a33d15709c9b7.exe MD5: 09604a0cc24b679da7cf9b2c0d576410 Size: 1.81 MB (1813504 bytes) Detections: 5 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f683abc40afcb2fb0f4a33d15709c9b7.exe Group: Malware file Last Updated: January 12, 2022
21.	7d4366b7a274f87b26c436a0e40a9090.exe	d62a817ace66b957d2602656b78d142f	4
Name: 7d4366b7a274f87b26c436a0e40a9090.exe MD5: d62a817ace66b957d2602656b78d142f Size: 24.06 KB (24064 bytes) Detections: 4 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7d4366b7a274f87b26c436a0e40a9090.exe Group: Malware file Last Updated: June 26, 2020
22.	db87ad7e45211040c408f1ad355e0739.exe	9c809e09d971aab8c42f77f4fb5effd4	3
Name: db87ad7e45211040c408f1ad355e0739.exe MD5: 9c809e09d971aab8c42f77f4fb5effd4 Size: 220.16 KB (220160 bytes) Detections: 3 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\db87ad7e45211040c408f1ad355e0739.exe Group: Malware file Last Updated: June 26, 2020
23.	adf954c8b8af53ba18232ab9e7f642d4.exe	c797a3bf5ed730a47d8324aed964bcc4	3
Name: adf954c8b8af53ba18232ab9e7f642d4.exe MD5: c797a3bf5ed730a47d8324aed964bcc4 Size: 66.56 KB (66560 bytes) Detections: 3 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adf954c8b8af53ba18232ab9e7f642d4.exe Group: Malware file Last Updated: June 26, 2020
24.	163ea917cb09d012dda3841f98d3c236.exe	78c6b9e3ad95a1715d7c2a129c0b65e2	3
Name: 163ea917cb09d012dda3841f98d3c236.exe MD5: 78c6b9e3ad95a1715d7c2a129c0b65e2 Size: 82.94 KB (82944 bytes) Detections: 3 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\163ea917cb09d012dda3841f98d3c236.exe Group: Malware file Last Updated: June 26, 2020
25.	file.exe	5ee9c9da29774358656354302309b2a9	2
Name: file.exe MD5: 5ee9c9da29774358656354302309b2a9 Size: 185.34 KB (185344 bytes) Detections: 2 Type: Executable File Group: Malware file Last Updated: January 22, 2019
26.	83e3167b6d6000037411bc720b9e1224.exe	d60bd321c043695ae67c0b630d5ab85c	2
Name: 83e3167b6d6000037411bc720b9e1224.exe MD5: d60bd321c043695ae67c0b630d5ab85c Size: 434.17 KB (434176 bytes) Detections: 2 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\83e3167b6d6000037411bc720b9e1224.exe Group: Malware file Last Updated: June 26, 2020
27.	3409dfc64132b6ba26c828455e34860f.exe	d9d919762f8c1e45978a72b5a3992863	2
Name: 3409dfc64132b6ba26c828455e34860f.exe MD5: d9d919762f8c1e45978a72b5a3992863 Size: 740.86 KB (740864 bytes) Detections: 2 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3409dfc64132b6ba26c828455e34860f.exe Group: Malware file Last Updated: June 26, 2020
28.	50a6ceecce3b6e575a63bbcea6a2bd9e.exe	bdfe70f9e4ab1b1437f130ebc2afd08c	2
Name: 50a6ceecce3b6e575a63bbcea6a2bd9e.exe MD5: bdfe70f9e4ab1b1437f130ebc2afd08c Size: 326.29 KB (326296 bytes) Detections: 2 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\50a6ceecce3b6e575a63bbcea6a2bd9e.exe Group: Malware file Last Updated: June 26, 2020
29.	3098dbecbe29b36c4c0e9641f6559743.exe	038b69aee6c4f0d6585e11cb3db633d6	2
Name: 3098dbecbe29b36c4c0e9641f6559743.exe MD5: 038b69aee6c4f0d6585e11cb3db633d6 Size: 151.04 KB (151040 bytes) Detections: 2 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3098dbecbe29b36c4c0e9641f6559743.exe Group: Malware file Last Updated: June 26, 2020
30.	de8b5941a480a52b8514ae10547ac51a.exe	1d22c58f5ea666a3409b0d044a83cb22	2
Name: de8b5941a480a52b8514ae10547ac51a.exe MD5: 1d22c58f5ea666a3409b0d044a83cb22 Size: 69.63 KB (69632 bytes) Detections: 2 Type: Executable File Path: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\de8b5941a480a52b8514ae10547ac51a.exe Group: Malware file Last Updated: June 26, 2020

More files

Registry Details

Backdoor.Bladabindi may create the following registry entry or registry entries:

Regexp file mask

%ALLUSERSPROFILE%\images[RANDOM CHARACTERS].exe

%ALLUSERSPROFILE%\smss.exe

%ALLUSERSPROFILE%\System.exe

%ALLUSERSPROFILE%\system32.exe

%APPDATA%\ Explorer.exe

%APPDATA%\.pif

%APPDATA%\Documento Pdf.exe

%APPDATA%\GoogleCrashHandler.exe

%APPDATA%\Java\JavaUpdtr.exe

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Server.exe

%APPDATA%\Microsoft\Windows\Start Menu\Startup\DetaUp.exe

%APPDATA%\trof.exe

%APPDATA%\WindowsServices.exe

%APPDATA%\wored.exe

%HOMEDRIVE%\Java update.exe

%HOMEDRIVE%\svchost.exe

%TEMP%\ Explorer.exe

%TEMP%\audiodef.exe

%TEMP%\sam.exe

%USERPROFILE%\google.exe

%USERPROFILE%\svchost.exe

%USERPROFILE%\system[NUMBERS].exe

%WINDIR%\win32.exe

HKEY..\..\..\..{RegistryKeys}

SOFTWARE\e936a10f968ac948cd351c9629dbd36d

SOFTWARE\Microsoft\Tracing\JavaUpdtr_RASMANCS

SOFTWARE\Wow6432Node\Microsoft\Tracing\JavaUpdtr_RASMANCS

Analysis Report

General information

Family Name:	Backdoor.Bladabindi
Signature status:	No Signature

Known Samples

MD5: 16e5a665127117c3ad242fe9c8fa51cf

SHA1: d0bfc0b363c7cae87228dc1152fc626b4a7ff4e5

File Size: 44.03 KB, 44032 bytes

MD5: 1278baee347e6742d752da98dc98c949

SHA1: b536f993ab063eecb063b2fda7626eae965edfb2

File Size: 44.03 KB, 44032 bytes

MD5: 97a0552e5802d3db22e151c9ad9b07b7

SHA1: fd4b002ab7b7481b2eb54e6992ace7e8e5fdb57f

File Size: 44.03 KB, 44032 bytes

MD5: bc117d620b623485646c68a56d4ed40d

SHA1: 5f790cf8599738bffcf8ec75348e68648d382cc2

SHA256: 989DDBBFC1AC728F6B05FFA2030B050C114955C2DDFB67BB1C984720B63D449E

File Size: 44.03 KB, 44032 bytes

MD5: 923dcd09fb655bb00710181695d41e49

SHA1: 295f404c9c21c87371e771ac2874c56ff196261d

SHA256: 37CDDDE2BF487B139ECA6A9B3F6DC0F2E03F2C22247368BE7F72718413E072A5

File Size: 32.77 KB, 32768 bytes

MD5: 088ddab1269b52c97e984d44b776184c

SHA1: c070af3403bc93b882f194e357d3ea6e6f0f28f6

SHA256: B047134DEE98663D27DE7717724A5F1A2471BE25B1B229328CE1FB1581378718

File Size: 82.43 KB, 82432 bytes

MD5: 1388ce0db733fae88e9f90a965751767

SHA1: fcc3a19573ebacb838431cb93dbc992c7cbce059

SHA256: 6FECD4FAC74665BE3D197F6CBC21C30361872B46D9161A3B430281C30F45E9BA

File Size: 88.06 KB, 88064 bytes

MD5: 615bf2c36e04495828dd28cffdaf31b8

SHA1: 29e2db8d4f037fbe2129fe391846b1eafa4de585

SHA256: 8E93357BC288A204596110FA366087E1DFDCC0025825046829C6F96629C8D97A

File Size: 132.10 KB, 132096 bytes

MD5: 4a325c8ffc5778aeb2cd052db9660460

SHA1: 894c737c07176d255a021d74b186c5e1a5c3bd1a

SHA256: 270CB247D85CE330853F47DAF01E7D5CDBF93ACC56EB4CCF4E1F9C93CB43A1E1

File Size: 12.80 KB, 12800 bytes

MD5: e01fa91d82f1811606e2f45d46dfdcea

SHA1: 31cb631342f3ff0a4577dfa2d0f23ddca4d3964d

SHA256: 4F970CF2A437FDEEF55AA12522FC92873496B9B70EFF7F954CDE0FCD030700E7

File Size: 30.72 KB, 30720 bytes

MD5: eedb3a56d41a0f919daf5ef0bf5c1b42

SHA1: 73e6365acb5d2ea5182ac983f848af24cc4df09f

SHA256: 78D25E20E97C5277C180B1184463CA6AC71B1782DE531152912DEB296ED02F50

File Size: 91.14 KB, 91136 bytes

MD5: db054ba31579107bab0c3465881f2a67

SHA1: 6a43cb71e8691e50025e59f13b009d2cd2a53e72

SHA256: 34665D0EF0E8F93065EDD18E3A60DC5D15581F82F753AB4BBC3B390D6D0BE187

File Size: 32.77 KB, 32768 bytes

MD5: 9611cdcfbef47cb6443cff375d819c73

SHA1: c5620a281e8e7ff76c4352fff6fef3453e32e0ee

SHA256: F2FFEA07EDBE0C6D96BFE9454C99DAA0BCCBC0ACC72E366AE10D9302D3AED887

File Size: 12.80 KB, 12800 bytes

MD5: cca26e07d762472e00bbc12b7a725a59

SHA1: babe518dac866d6fc9549cc8c2bfe70e9a24aad5

SHA256: E0643BDDF9076A476B8C59C6AC5AFE231AF87C028AD4552ABF7B3398E84AC6BB

File Size: 29.70 KB, 29696 bytes

MD5: 576a8795bfd07f0400bafc172274a012

SHA1: 61f9ed0ecfac23714ba124e65fdcbee2a9ea8ba7

SHA256: EDBE593AB0CF45250EB6A6EFACA57185321A8C5BDF5166C5350E32CC0EBCDADB

File Size: 44.54 KB, 44544 bytes

MD5: bf35a7b7f90f250cc6c39513fac7f4c0

SHA1: 367cf91fe2ec37cb1e1d3dd6f1b542063a247921

SHA256: C16F6F097BA25ECD0540C860E7494565229B8BCF3F6B9D882D82AAA8515B68EB

File Size: 7.97 MB, 7973448 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have security information
File is .NET application
File is 32-bit executable
File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is not packed

IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
Assembly Version	1.0.40.7 1.0.0.1 1.0.0.0 0.0.0.0
Company Name	Sand Studio
File Description	Android Keylogger
File Version	1.0.40.7 1.0.0.1 1.0.0.0 0.0.0.0
Internal Name	Android.dll azulmarzo.exe B.exe k.exe Keylogger.dll
Legal Copyright	Copyright 2011-2025 Sand Studio Copyright © 2017 Copyright © 2021
Legal Trademarks	AirDroid
Original Filename	Android.dll azulmarzo.exe B.exe k.exe Keylogger.dll
Product Name	AirDroid Keylogger
Product Version	1.0.40.7 1.0.0.1 1.0.0.0 0.0.0.0

Digital Signatures

Signer	Root	Status
SAND STUDIO CORPORATION LIMITED	Sectigo Public Code Signing Root R46	Root Not Trusted

File Traits

.NET
dll
HighEntropy
NewLateBinding
No Version Info
ntdll
RijndaelManaged
WriteProcessMemory
x86

Block Information

Total Blocks:	404
Potentially Malicious Blocks:	9
Whitelisted Blocks:	243
Unknown Blocks:	152

Visual Map

0 0 0 0 ? ? ? 0 ? 0 0 0 0 0 ? 0 ? ? ? ? ? ? ? ? 0 ? ? 0 0 ? ? 0 ? 0 ? 0 0 ? ? 0 ? 0 ? 0 x ? ? ? ? 0 ? 0 ? 0 ? 0 0 0 ? ? ? ? ? ? 0 ? ? ? x 0 ? 0 ? ? ? ? 0 0 ? 0 0 ? ? ? 0 ? ? ? ? ? 0 ? 0 ? ? 0 0 0 0 ? 0 0 0 0 ? 0 0 0 ? 0 0 0 ? ? ? 0 ? ? 0 ? ? ? ? ? ? 0 ? ? ? ? 0 0 0 ? ? ? ? 0 0 ? ? ? 0 ? 0 0 ? 0 ? 0 ? 0 0 0 0 0 0 0 0 0 ? ? 0 0 ? 0 ? ? ? ? ? ? ? ? 0 0 ? ? ? ? ? ? ? ? 0 ? 0 0 0 ? 0 0 0 ? ? ? x ? ? ? ? ? ? ? ? ? 0 x ? 0 x 0 0 ? 0 x 0 ? ? 0 0 0 0 0 0 ? 0 ? 0 ? 0 ? ? ? ? x ? 0 0 0 0 0 ? 0 x 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 ? x ? 0 0 ? ? ? ? ? ? 0 0 0 0 0 ? ? ? ? ? ? 0 ? 0 ? 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 ? 0 0 0 0 0 ? 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Files Modified

File	Attributes
c:\users\user\appdata\local\temp\svchost.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\local\temp\svchost.exe	Generic Write,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\svchost.exe	Generic Write,Read Data,Read Attributes,Delete,LEFT 262144
c:\users\user\appdata\local\temp\svchost.exe	Synchronize,Write Attributes
c:\users\user\appdata\roaming\hkcmd.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\3c67905b3c2f29273f8e24b6e3d2a9a4.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\3c67905b3c2f29273f8e24b6e3d2a9a4.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\5afe10dbcec7d8a1b53abb0a4a679d2c.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\5afe10dbcec7d8a1b53abb0a4a679d2c.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144
c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\{ddfrcxat-292328-kkmyjd-kkmyjdh1fi}.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\{ddfrcxat-292328-kkmyjd-kkmyjdh1fi}.exe	Synchronize,Write Attributes
c:\users\user\appdata\roaming\systen32.exe	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete,LEFT 262144

Registry Modifications

Key::Value	Data	API Name
HKCU::di	!	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75	沍䠱O᤹˃噀ñ቎Ĥ᝹ʁ뽹ɞ傄ë駃óߙĤÉ	RegNtPreCreateKey
HKCU\software\{ddfrcxat-292328-kkmyjd-kkmyjdh1fi}::h	MTI3LjAuMC4xOjIwNjY5LA==	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	㵖ȁ獖}	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75	沊䠱O᤹˃噀ñ቎Ĥ뽹ɞ傄ë鶝駃óߙĤ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75	沋䠱O᤹˃噀ñ቎Ĥ뽹ɞ傄ëķ鶝駃ó䧌VߙĤ⣳ġj鈄ĞꩠŖ	RegNtPreCreateKey

HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75	沌䠱O᤹˃噀ñ቎Ĥ뽹ɞ傄ëķ鶝淃駃ó䧌VߙĤ⣳ġj鈄ĞꩠŖ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75	沍䠱O᤹˃噀ñ቎Ĥ뽹ɞ傄ëķ鶝閾ʴ淃駃ó⟋ʪ䧌VߙĤ⣳ġj鈄ĞꩠŖ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\explorer\advanced::hidden		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::{ddfrcxat-292328-kkmyjd-kkmyjdh1fi}	"C:\Users\Aacjhuxh\AppData\Local\Temp\svchost.exe" ...	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKCU\environment::see_mask_nozonechecks	1	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	拀⏬ꕠǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::5afe10dbcec7d8a1b53abb0a4a679d2c	"C:\Users\Ezavswub\AppData\Roaming\Systen32.exe" ..	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::5afe10dbcec7d8a1b53abb0a4a679d2c	"C:\Users\Ezavswub\AppData\Roaming\Systen32.exe" ..	RegNtPreCreateKey
HKCU\local settings\muicache\1b\52c64b7e::@c:\windows\system32\firewallcontrolpanel.dll,-12122	Windows Defender Firewall	RegNtPreCreateKey
HKCU\software\3c67905b3c2f29273f8e24b6e3d2a9a4::hp	Y29ycm01MzE5LmRkbnMubmV0OjU1NTIs	RegNtPreCreateKey
HKCU\software\3c67905b3c2f29273f8e24b6e3d2a9a4::i	!	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	瀞ꈌǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::3c67905b3c2f29273f8e24b6e3d2a9a4	"C:\Users\Bptqwiaw\AppData\Roaming\hkcmd.exe" ..	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::3c67905b3c2f29273f8e24b6e3d2a9a4	"C:\Users\Bptqwiaw\AppData\Roaming\hkcmd.exe" ..	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	闸ȁ ਪˣ鈯ˣ遙̃豤̃অˣ炑̃龡^濖̃賬̃폾z獖} 鰚²਷ˣ邯̃뫯ʃ좟Êeᐊ엦1¶}ꙥꙥ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	鉟ᜁ뎘ǜ	RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\run::ba4c12bee3027d94da5c81db2d196bfd	"C:\Users\Jdsqogtl\AppData\Local\Temp\svchost.exe" ..	RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\windows\currentversion\run::ba4c12bee3027d94da5c81db2d196bfd	"C:\Users\Jdsqogtl\AppData\Local\Temp\svchost.exe" ..	RegNtPreCreateKey

Windows API Usage

Category	API
User Data Access	GetComputerName GetUserDefaultLocaleName GetUserName GetUserObjectInformation
Keyboard Access	GetAsyncKeyState GetKeyState
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
Other Suspicious	AdjustTokenPrivileges
Encryption Used	BCryptOpenAlgorithmProvider CryptAcquireContext
Network Winsock2	WSAConnect WSARecv WSASocket WSAStartup WSAttemptAutodialName
Network Winsock	closesocket freeaddrinfo getaddrinfo inet_addr send setsockopt
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcAcceptConnectPort ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcCreatePortSection ntdll.dll!NtAlpcCreateSectionView ntdll.dll!NtAlpcCreateSecurityContext ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl Show More ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateTimer ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDebugFilterState ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReadFile ntdll.dll!NtReadRequestData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRemoveIoCompletion ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationObject ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetTimer2 ntdll.dll!NtSetTimerEx ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForMultipleObjects ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile ntdll.dll!NtWriteVirtualMemory UNKNOWN win32u.dll!NtUserGetKeyboardLayout win32u.dll!NtUserGetThreadState
Process Shell Execute	CreateProcess ShellExecuteEx
Process Manipulation Evasion	NtUnmapViewOfSection
Service Control	OpenSCManager OpenService
Process Terminate	TerminateProcess

Shell Command Execution


							C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\c070af3403bc93b882f194e357d3ea6e6f0f28f6_0000082432.,LiQMAxHB


							(NULL) C:\Users\Aacjhuxh\AppData\Local\Temp\svchost.exe


							(NULL) C:\Users\Ezavswub\AppData\Roaming\Systen32.exe


							netsh firewall add allowedprogram "C:\Users\Ezavswub\AppData\Roaming\Systen32.exe" "Systen32.exe" ENABLE


							(NULL) C:\Users\Bptqwiaw\AppData\Roaming\hkcmd.exe


									netsh firewall add allowedprogram "C:\Users\Bptqwiaw\AppData\Roaming\hkcmd.exe" "hkcmd.exe" ENABLE


									(NULL) C:\Users\Jdsqogtl\AppData\Local\Temp\svchost.exe


									netsh firewall add allowedprogram "C:\Users\Jdsqogtl\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE


									C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\367cf91fe2ec37cb1e1d3dd6f1b542063a247921_0007973448.,LiQMAxHB

Backdoor.Bladabindi

Threat Scorecard

EnigmaSoft Threat Scorecard

Aliases

SpyHunter Detects & Remove Backdoor.Bladabindi

File System Details

Registry Details

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

Digital Signatures

Digital Signatures

File Traits

Block Information

Block Information

Visual Map

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Related Posts

Trending

Most Viewed