Resubmissions

14-04-2023 18:17

230414-ww48faba58 10

14-04-2023 18:14

230414-wvs4saba53 10

10-04-2023 04:57

230410-fle8kahb3z 10

General

  • Target

    Vlauncher.exe

  • Size

    26.4MB

  • Sample

    230410-fle8kahb3z

  • MD5

    29af9f200a5555eaf2c91369eeb61ef9

  • SHA1

    e16c1da506b2c570eb0bb0025236fdf49e36d0e5

  • SHA256

    2ac1ab2ecb9c0ef930dbc8b19fb0af28a75d801fc488ee0fdc8313274af94c10

  • SHA512

    f9d776acdec355a88b018b06c4d6ed96ea19d1584459de3708c11e293c7d8509148c2c3dab272d419af57f7420a66cec7d794c128704282991e02c3f2d80b6d7

  • SSDEEP

    786432:z18588kf2V8N1gigncPb8Ltt9Vp3kzsOJDtz0uk:qVc1yc+ttT0sOnYj

Malware Config

Extracted

Family

darkcomet

Botnet

MINEEZ

C2

blackacoleka.ddns.net:81

blackacoleka.ddns.net:1604

185.184.130.37:81

185.184.130.37:1604

Mutex

DC_MUTEX-QWTG6XT

Attributes
  • InstallPath

    MSDCSC\msdcsc.exe

  • gencode

    U5loPcxXxbBL

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    MicroUpdate

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

MinecraftePIb

C2

blackacoleka.ddns.net:5552

Mutex

Windows Update

Attributes
  • reg_key

    Windows Update

  • splitter

    |Hassan|

Targets


    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

    • Disables RegEdit via registry modification

    • Disables Task Manager via registry modification

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Winlogon Helper DLL (1) T1004
    Registry Run Keys / Startup Folder (1) T1060
    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Modify Registry (2) T1112

  • Discovery

    Query Registry (1) T1012
    System Information Discovery (2) T1082

Tasks