Categories: Malware

MSIL/Bladabindi.GI (file analysis)

The MSIL/Bladabindi.GI is considered dangerous by lots of security experts. When this infection is active, you may notice unwanted processes in Task Manager list. In this case, it is adviced to scan your computer with GridinSoft Anti-Malware.

Gridinsoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. Allows to complete scan and cure your PC during the trial period.

DOWNLOAD NOW

6-day free trial available.

What MSIL/Bladabindi.GI virus can do?

SetUnhandledExceptionFilter detected (possible anti-debug)
Behavioural detection: Executable code extraction – unpacking
Yara rule detections observed from a process memory dump/dropped files/CAPE
Creates RWX memory
Possible date expiration check, exits too soon after checking local time
Guard pages use detected – possible anti-debugging.
Dynamic (imported) function loading detected
Enumerates the modules from a process (may be used to locate base addresses in process injection)
Reads data out of its own binary image
A process created a hidden window
CAPE extracted potentially suspicious content
Authenticode signature is invalid
Uses Windows utilities for basic functionality
Collects and encrypts information about the computer likely to send to C2 server
Deletes executed files from disk

How to determine MSIL/Bladabindi.GI?


File Info:
name: 5D6BEC33CE003AA623AD.mlwpath: /opt/CAPEv2/storage/binaries/e0173d73e77a72e16491160fe09f3af5de14fddb16f2964e2439713e84a72958crc32: 0C4B8462md5: 5d6bec33ce003aa623ad4c3c9af22b23sha1: f0e47f5e32f8ef394774e809c5c6da02791a4164sha256: e0173d73e77a72e16491160fe09f3af5de14fddb16f2964e2439713e84a72958sha512: f8e30f8787bbd5f47ef65c0d0f0f41809af25d6100ae795cf622cd8ce20c5b14cdc1e0f66874d7d11011280925dc12163871d5888a9adf43febb366e7ea5804bssdeep: 768:Nsn8wPAtk4AcjW0xH/Q0xpjEvEubSU9/+7:NbPtvjW2HT+bSU9m7type: PE32 executable (GUI) Intel 80386, for MS Windowstlsh: T1172364797E609213E67BD57989864101F2FCE9C33131DE4669DB2A4C220DAC06E4A7FFsha3_384: 2c87b496cb671b5ef10430a5276d826fa8c1c6b748bc52255445ebc191670bf0784757ceebf3aa011d192592229446bdep_bytes: ff250020400000000000000000000000timestamp: 2016-07-14 08:42:22
Version Info:
Translation: 0x0000 0x04b0Comments: Skype Updater ServiceCompanyName: Skype TechnologiesFileDescription: Skype Updater ServiceFileVersion: 7.0.0.425InternalName: Mul.exeLegalCopyright: (c) Skype Technologies. All rights reserved.LegalTrademarks: All rights reserved.OriginalFilename: Mul.exeProductName: SkypeProductVersion: 7.0.0.425Assembly Version: 7.0.0.0

MSIL/Bladabindi.GI also known as:

Lionic	Trojan.Multi.Generic.4!c
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Trojan ( 0055efca1 )
Alibaba	Trojan:Win32/starter.ali1000139
K7GW	Trojan ( 0055efca1 )
BitDefenderTheta	Gen:NN.ZemsilF.34806.cm0@aulv1fn
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	MSIL/Bladabindi.GI
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.MSIL.Bladabindi.gen
NANO-Antivirus	Trojan.Win32.Bladabindi.ekmyiv
Avast	Win32:Malware-gen
Tencent	Win32.Trojan.Razy.Sxyp
Comodo	Malware@#3jn27gqoxko7w
DrWeb	BackDoor.BladabindiNET.10
McAfee-GW-Edition	Generic.bdm
FireEye	Generic.mg.5d6bec33ce003aa6
Sophos	Mal/Generic-S
APEX	Malicious
Avira	HEUR/AGEN.1203406
Kingsoft	Win32.Troj.Generic.v.(kcloud)
ZoneAlarm	HEUR:Backdoor.MSIL.Bladabindi.gen
Microsoft	Trojan:Win32/Dynamer!ac
Cynet	Malicious (score: 99)
Acronis	suspicious
McAfee	Generic.bdm
Ikarus	Trojan.MSIL.Bladabindi
Rising	Trojan.Generic/MSIL@AI.98 (RDM.MSIL:BtgqQ048F15mAr1BRBxbIA)
Yandex	Trojan.Bladabindi!eE7c9vk6lYw
SentinelOne	Static AI – Malicious PE
MaxSecure	Trojan.Malware.1728101.susgen
Fortinet	MSIL/Bladabindi.GI!tr
AVG	Win32:Malware-gen
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_100% (W)