{
	"id": "7b8558d1-a86c-4f9d-94b1-7b50329d92d6",
	"created_at": "2026-04-06T00:22:25.011765Z",
	"updated_at": "2026-04-10T03:21:49.181745Z",
	"deleted_at": null,
	"sha1_hash": "19541a9d11c8a9348ed5d3f7e3c557e0eabb40ae",
	"title": "Bladabindi Remains A Constant Threat By Using Dynamic DNS Services",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2932230,
	"plain_text": "Bladabindi Remains A Constant Threat By Using Dynamic DNS Services\r\nBy Lilia Elena Gonzalez Medina\r\nPublished: 2016-11-30 · Archived: 2026-04-05 17:19:27 UTC\r\nThe Fortinet research team has been developing an industrial-grade analysis system that allows us to concentrate information from samples collected from a variety of sources. Using this tool, we recently started to see the recurrence of URLs from the domains hopto.org and myftp.biz. In most cases, each sample was connected to a unique URL in one of the domains, although we also found some samples that connected to the same URL.\r\nFigure 1. Examples of the domains and samples collected by the team’s FortiGuard analysis system\r\nThis threat, also known as njRAT, is detected as MSIL/Bladabindi.U!tr or MSIL/Agent.LI!tr by the Fortinet AntiVirus service. If installed, the user’s private data is compromised because of the malware’s capability to provide the malicious actor with unauthorized access to the infected computer in order to collect different kinds of information, such as screenshots, words typed (which often include usernames, passwords, websites, documents, etc.), running processes, pictures taken with the webcam, etc.\r\nThreat Description\r\nhttps://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services\r\nPage 1 of 10\r\nThis malware family uses the .NET framework, and this sample in particular has two important classes called kl and OK.\r\nkl\r\nThis class uses the functions GetAsyncKeyState, GetKeyboardLayout, GetKeyboardState, GetWindowThreadProcessId, MapVirtualKey and ToUnicodeEx to capture keystrokes.\r\nOK\r\nThis class contains the other functionalities of the RAT. The important activities are summarized below:\r\nMakes the following modifications to the registry:\r\nHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\050ed846adcc1b8729af0a70a0fefe4d: “”C:\\Users\\\\AppData\\Local\\Temp\\server.exe” ..”\r\nHKCU\\Software\\050ed846adcc1b8729af0a70a0fefe4d\\[kl]: “”\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\050ed846adcc1b8729af0a70a0fefe4d: “”C:\\Users\\\\AppData\\Local\\Temp\\server.exe” ..”\r\nHKCU\\di: “!”\r\nThe string “050ed846adcc1b8729af0a70a0fefe4d” is hardcoded in the sample.\r\nBesides storing the keylogger logs, the sub registry key HKCU\\Software\\050ed846adcc1b8729af0a70a0fefe4d\\ also contains malicious executables loaded from the sample as binary data.\r\nFigure 2. Malicious executables stored in Windows Registry\r\nAll those samples are, of course, detected by the Fortinet AntiVirus service:\r\nThe strings in b88ece4c04f706c9717bbe6fbda49ed2 reference No-IP’s Dynamic Update Client (DUC), which automatically updates the IP address if it changes, but also contain lines like “SELECT * FROM moz_logins” to obtain Firefox’s stored credentials.\r\nFigure 3. Part of a malicious executable stored as data\r\nCreates the mutex 050ed846adcc1b8729af0a70a0fefe4d. If the mutex already exists, the sample calls ProjectData.EndApp to close all related files and stop the process.\r\nChecks whether a file called server.exe already exists in C:\\Users\\\\AppData\\Local\\Temp\\. If it exists, the sample deletes it. Otherwise, the file is created and executed. The file server.exe is a copy of the sample.\r\nCreates an environment variable called “SEE_MASK_NOZONECHECKS” and sets its value to 1.\r\nCreates a rule to allow the process server.exe on the Windows firewall.\r\nFigure 4. Command used by the sample to create a firewall rule\r\nCopies server.exe to the Startup folder.\r\nChecks the value of HKCU\\Software\\050ed846adcc1b8729af0a70a0fefe4d\\[kl] because the keylogger stores what it captures in this registry key, to later send to its C\u0026C.\r\nFigure 5. Example of the keylogging functionality\r\nUses GetWindowText to copy the text of the active window's title bar to later send to the remote server coded in base64.\r\nGets information about the C: drive, particularly the volume serial number.\r\nWhen all the necessary information has been collected, the sample generates a string with the data coded in base64, and with this structure:\r\n“ll” + HacKed22_VolumeSerialNumber + ComputerName + Username + LastWriteTimeOfSampleinTemp + OSandServicePack + Architecture + Camera(Yes/No) + 0.7d (PossiblyTheMalwareVersion) + .. + ActiveWindowName + ActiveWindowName…\r\nThis stolen information is sent to the malicious URL in the hopto.org or myftp.biz domain using port 1177, 5552, or 5112, depending on the sample. The traffic can be detected by Fortinet IPS signature Bladabindi.Botnet.\r\nFigure 6. Fragment of the coded data sent to the C\u0026C\r\nHere are some examples of the decoded window names:\r\nTemp: VGVtcAA=\r\nRoaming: Um9hbWluZwA=\r\nRegshot 1.9.0 x86 Unicode: UmVnc2hvdCAxLjkuMCB4ODYgVW5pY29kZQA=\r\nLocal: TG9jYWwA\r\nProcess Monitor Filter: UHJvY2VzcyBNb25pdG9yIEZpbHRlcgA=\r\nApplying Event Filter: QXBwbHlpbmcgRXZlbnQgRmlsdGVyAA==\r\nEvent Properties: RXZlbnQgUHJvcGVydGllcwA=\r\nCreate dump of server.exe: Q3JlYXRlIGR1bXAgb2Ygc2VydmVyLmV4ZQA=\r\nUses the function capGetDriverDescriptionA to find out if the infected computer has a webcam installed.\r\nDeletes the keys and files related to the infection.\r\nIt also includes functions to decompress zip files and obtain MD5 hashes.\r\nThe sample responds to the commands sent from its C\u0026C. The following table explains some of them:\r\nkl: Sends the data collected by the keylogger.\r\nprof + “~”: Adds a value to the subkey HKCU\\Software\\050ed846adcc1b8729af0a70a0fefe4d\\\r\nprof + “!”: Adds a value to the subkey HKCU\\Software\\050ed846adcc1b8729af0a70a0fefe4d\\ and sends data to the C\u0026C.\r\nprof + “@”: Deletes the specified registry key.\r\nrn: Downloads a file and executes it.\r\nret: Obtains the collected passwords.\r\nCAP: Takes a screenshot, saves it as JPEG, and sends it to its C\u0026C.\r\nun + “~”: Deletes the registry keys, the file server.exe in the Startup folder and the firewall rule that allows it.\r\nUn + “!”: Ends the current process.\r\nUn + “@”: Ends the current process and starts a new one.\r\nUp: Downloads a file from a remote server and executes it. Afterwards it deletes the registry keys and the files related to the infection. This command is used for updates.\r\nEx: Obtains information about the running processes, the services, and the active connections.\r\nCH: Opens a chat window so that the C\u0026C can communicate with the infected computer.\r\nA fragment of the decompiled code for the “CAP” command to take screenshots can be seen below. It basically uses CopyFromScreen to copy the screen’s pixels to the bitmap through a graphics object.\r\nFigure 7. Fragment of code to take screenshots\r\nC\u0026C interface\r\nWhen active, the domain prosa15.myftp.biz is used by the sample to connect to its C\u0026C through port 1177. To simulate the RAT behavior in a controlled environment, a sample of njRAT was downloaded and installed. Once the sample connected to the C\u0026C, the panel displayed information such as its IP address, its computer name, country, whether a webcam was installed, the active window, and a small screenshot.\r\nFigure 8. njRAT’s administration panel\r\nThe picture below shows part of the data collected by the keylogger. Not only does it record the pressed keys, but it also specifies the window in which the words were written.\r\nFigure 9. Keylogger window\r\nAs mentioned above, the malware is also capable of collecting active processes, services, and connections, accessing the registry keys, and executing commands with a remote shell.\r\nFigure 10. Other capabilities of the RAT\r\nStatistics\r\nBoth hopto.org and myftp.biz domains are available, amongst various other options, from the dynamic DNS provider called No-IP. The use of this service guarantees that an infected PC will be able to maintain communication with its C\u0026C even if it changes the IP address.\r\nFrom September 12 to November 16, our FortiGuard analysis system collected 194 samples connecting to hopto.org or myftp.biz.\r\nOut of those, 166 were related to Bladabindi samples and the rest to different threats, which indicates that the use of dynamic DNS providers could now be more common amongst malware writers.\r\nAlthough it is common for this malware family to report to its C\u0026C using port 1177, the information gathered reveals that ports 5552 and 5112 are also now being used.\r\nFinally, the next chart shows the number of samples collected by our FortiGuard analysis system from September 12 to November 16.\r\nConclusion\r\nThe Bladabindi malware family continues to be one of the most popular threats because of how easy it is to download. In fact, there are plenty of videos and websites available that provide detailed tutorials on how to use it. One proof of its ease of use is the fact that many of the collected samples hadn’t been submitted to VirusTotal at the time of the analysis. Furthermore, the samples we examined use dynamic DNS services that make it hard to monitor and keep track of the domains and the IP addresses used.\r\nSource: https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services"
	],
	"report_names": [
		"bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services"
	],
	"threat_actors": [],
	"ts_created_at": 1775434945,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/19541a9d11c8a9348ed5d3f7e3c557e0eabb40ae.pdf",
		"text": "https://archive.orkl.eu/19541a9d11c8a9348ed5d3f7e3c557e0eabb40ae.txt",
		"img": "https://archive.orkl.eu/19541a9d11c8a9348ed5d3f7e3c557e0eabb40ae.jpg"
	}
}