82d36ec0f74ba240259122268de8ecb4374d82af78406dfa4bd99318a17599f1

Sharing

Copy URL

Twitter E-mail

General

Target

TurboVPN_setup.exe
Size

24.9MB
Sample

240710-bmxf1sxdpj
MD5

df96bc092b1ab5a0408d6e9f1a73b040
SHA1

213aca467554c527f844c7cb733ab6cd2e1cdc62
SHA256

82d36ec0f74ba240259122268de8ecb4374d82af78406dfa4bd99318a17599f1
SHA512

de19e9e4324622c858bf76c38c49c8ee7d4c0a6b2f3f08e8b72509b1c2b3c323650e1341f85dfbfb3cea94e40a35c845816e6a5ed02cdd27f09aae3aa23167e9
SSDEEP

393216:G4h+a/U4V51O/qiAqjSnj3iAmQlt/UkJDMgtypvjmjhsmjCrkal/AHFcaKkYi5zz:bh+a/U4f1O/qiYpfWxAhHj8BcFekLp

Score

8^/10

Malware Config

Targets

- Target
  
  TurboVPN_setup.exe
- Size
  
  24.9MB
- MD5
  
  df96bc092b1ab5a0408d6e9f1a73b040
- SHA1
  
  213aca467554c527f844c7cb733ab6cd2e1cdc62
- SHA256
  
  82d36ec0f74ba240259122268de8ecb4374d82af78406dfa4bd99318a17599f1
- SHA512
  
  de19e9e4324622c858bf76c38c49c8ee7d4c0a6b2f3f08e8b72509b1c2b3c323650e1341f85dfbfb3cea94e40a35c845816e6a5ed02cdd27f09aae3aa23167e9
- SSDEEP
  
  393216:G4h+a/U4V51O/qiAqjSnj3iAmQlt/UkJDMgtypvjmjhsmjCrkal/AHFcaKkYi5zz:bh+a/U4f1O/qiYpfWxAhHj8BcFekLp
Score

8^/10

bootkit discovery persistence
- Drops file in Drivers directory
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2
- Target
  
  Driver32/driver_win7_x64/tap0901.sys
- Size
  
  26KB
- MD5
  
  d765f43cbea72d14c04af3d2b9c8e54b
- SHA1
  
  daebe266073616e5fc931c319470fcf42a06867a
- SHA256
  
  89c5ca1440df186497ce158eb71c0c6bf570a75b6bc1880eac7c87a0250201c0
- SHA512
  
  ff83225ed348aa8558fb3055ceb43863bad5cf775e410ed8acda7316b56cd5c9360e63ed71abbc8929f7dcf51fd9a948b16d58242a7a2b16108e696c11d548b2
- SSDEEP
  
  768:23TW/1EGrmXdi0OGNwe2AC8nZluRpG/caKk1/yhd:X1EwcJHuqEaKk1qhd
Score

1^/10
behavioral3 behavioral4
- Target
  
  Driver32/driver_win7_x86/tap0901.sys
- Size
  
  22KB
- MD5
  
  f49967c396969b71c3a72537db03a68b
- SHA1
  
  f59d3a5d2afd85fbb9fb36f1411c767be2bf96cf
- SHA256
  
  3b1ff5252012d6e8a7dd6e4621ec43812510dca1a25a9a2e07288800f445dd41
- SHA512
  
  cda4269b5a13e573469b3e3a75432117079c65279e06322519af704a80862e43bceb4cc9d6352dd19db00bb10d10f64b02eee6c5dc29f56fa5f99c89823a62e3
- SSDEEP
  
  384:NumNz7O8/AvUAvm/wMWJ4pdsfH1aJhjJvjiissrisprwEYBu:QmNxAYB9zKal75pwZBu
Score

1^/10
behavioral5 behavioral6
- Target
  
  Driver32/libeay32.dll
- Size
  
  1.4MB
- MD5
  
  2f6ed582a413daa90177afcbd7f2aa93
- SHA1
  
  1826abd63cde45326093cd15516073b1cbc2837d
- SHA256
  
  9c82fbdd2009434cd3ff75e431ed252bd71291808b4eb641cb0755cd17e8fe42
- SHA512
  
  b3ba5ecc6b2f9e280a36b7b5761e7e085d31fd0cf884d811081967983faae90362fa46e7b04f53f517fa24f340b9ef2a1a02012868c3b14c800ab936fd55ee1a
- SSDEEP
  
  24576:yPQ+KpPRZN0lrdZOoU2A8CJtQQ9RnFeIskTRBWV3YPq7qkfUk7P8IqfqqTHYdN7l:Talrda5Rn8Z7qkfUk7P7qCqTHAN7l
Score

1^/10
behavioral7 behavioral8
- Target
  
  Driver32/libpkcs11-helper-1.dll
- Size
  
  182KB
- MD5
  
  1dc10126ccb8e594a3c2d01505e79666
- SHA1
  
  a002a0509e218cc88b9fe48f6371e1142e940ea6
- SHA256
  
  9de1250bdba0f9c04fbf795b1c22964696b0b13a11c4498961010c75ac313e37
- SHA512
  
  71210abff3411d608b43bc3ec7e5a7cef9f713f3c8a66219cdd9c428e87d68da6e50576296d01e1d03046cc3a6ebe2a950e40ad137ab908b4544fa793c5b2508
- SSDEEP
  
  3072:fOCoyuyAqBrMKocCzB/tWJdenLozjgPAHZGqEup6jZfqXrZoGlCf/u0EU3oPk/0a:Wr1yt19C/cHgo5hpeZfqXrZExE2akca
Score

3^/10
behavioral10 behavioral9
- Target
  
  Driver32/lzo2.dll
- Size
  
  164KB
- MD5
  
  443795e93d7de4d3bfcd941d6037a763
- SHA1
  
  a3dc98dfd618dfc54afd135814d6f082802ad749
- SHA256
  
  52af76d4dd84776f7e17e154d4a0ffe9699e4f85c12bc9af613f0e12d8a07aff
- SHA512
  
  1ccfa1a838773715440c71855f55f2bb50ad58ffba6ac3adefbeaf18eb3696b4eb563e6ec23438e24403b7de394eb6429eefb9c14e124842c7450145536b2cb3
- SSDEEP
  
  3072:HxEP+tDLF28K46Cuwi6sQXX9xsRv1e1INfu0K9V/2:HKP+tzK46rwi6X9A1biV+
Score

1^/10
behavioral11 behavioral12
- Target
  
  Driver32/ssleay32.dll
- Size
  
  375KB
- MD5
  
  5c988b55d51053ebd8d36667ae43723b
- SHA1
  
  c74ae91e4ec57e60ec1436e61496364584721197
- SHA256
  
  42240a4873747fd9901fae9abdc484fd5164803f4019112edf7bba65bfcdb789
- SHA512
  
  414ce8779228e46534becd73aa2c9c4b35cb06497507cfb4403c87282e39434cb5d062f39988b41ee163591ffb04390092ea26ac9ad5de9af7657c2b0f7144f8
- SSDEEP
  
  6144:DX1kZ6K0M7rYJRWgjasmKQXLdsxJOHhT3lWJjQe15E/omMAr2gCcNsLrR2H4iJfD:DX1kZ6K0M7rYJRWgj7mKQXLdsxUBT3lP
Score

1^/10
behavioral13 behavioral14
- Target
  
  Driver32/vpncore.exe
- Size
  
  832KB
- MD5
  
  26f55b75e92ddef3af96ffe53b04906d
- SHA1
  
  d37ca606a6ee18ea22d6a2c0861c89b7d63d8d92
- SHA256
  
  2a78b03a4581109bbc02934b18531fc747adde6339a2753b9f15c59edb258cd6
- SHA512
  
  aeff8b9f9b669feec5bf1112b67c28614c6009b58013784ace4d2fc34e5b25adea28f83828395bd8ecf74cd6c2a419c344d8d7e8c94d4f6d4db10a50e60ddd25
- SSDEEP
  
  24576:lnLQr5y565qEENN6ngcB4C0Y6nZx+LUFEtbh/B:lLQr5UEE7bc0Ykr0hp
Score

1^/10
behavioral15 behavioral16
- Target
  
  NewClientDL/Clientdl.exe
- Size
  
  2.1MB
- MD5
  
  fd8de67e58e17c480fd43ea70495f94b
- SHA1
  
  ac0ca65528641e74d87834f22d2800e15c51d161
- SHA256
  
  2082ac0501cc9ec1878bd1da20b30d29ed5f5008c80596ef078f10047e68484a
- SHA512
  
  351dd8500a5a76b9820f56e6caf9d2751da08fec4b1d1703296e02f0c8fec56228c6353e5e130c5bfba318d9411264d3850a1ebfa8e6a4cd46f93e21b37f0598
- SSDEEP
  
  49152:hLo2q/XQV7D9ro7t1T9qRZhf+165ah5G25WRnFT8wU+GmFQzH8:htN7D9ro7t1T9qRZhf+16Yh5G25WRnZb
Score

8^/10

bootkit persistence discovery
- Drops file in Drivers directory
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral17 behavioral18
- Target
  
  Retention.exe
- Size
  
  1.6MB
- MD5
  
  d6c69d44382bed476ae63f85fa735091
- SHA1
  
  ab426e12b9abcf0c38cc087924d18216e2b336c6
- SHA256
  
  9cd6e8e75f4e60510cb3975b851fc9c8e82746e9a406f21906e34c3a49259c74
- SHA512
  
  f99a10ebd4b4455cff8c7fcbd1acbed82f41432a23e28fb98c7407bcce5148f6a87c083de7a50ef76daa937b64cf63111fbf781c7b393169d618650a97522bc9
- SSDEEP
  
  49152:cikJkLGH+OfAjgBlSj1hlza3TqWLs3Rk2xv/TWJP0K4H1fC2S:dGH+OfAjgBlSj7WLs3RB0JoVf6
Score

1^/10
behavioral19 behavioral20
- Target
  
  TurboVPN.exe
- Size
  
  7.4MB
- MD5
  
  781ae32e7d42865284b8a21e83e7fedd
- SHA1
  
  7b51184832c98699cbf28af1979eadefbd706ea3
- SHA256
  
  cb8f3977c6137d48557e530fd05887c23ab68e7a1aedec02166dae5fa8e00f45
- SHA512
  
  f15b61720a01a32c8e23ce699b3cb2c2ec37880ad07a3010216ba741bbc6619235fef533f1f8522f1e18e040457ad6ccf3cc44cac249a4f4c70c91e697f42101
- SSDEEP
  
  196608:zVkzJqWXi0tieKcwfopsQ8jGV8kqJdmUEuWAGInlCOE:z6qWXi0tieKcvOQ8s8/JAPKflCOE
Score

6^/10

bootkit persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
behavioral21 behavioral22
- Target
  
  TurboVPNLauncher.exe
- Size
  
  579KB
- MD5
  
  e53c69edb4c0fba69b40241843fab3ca
- SHA1
  
  c78bed497eb24ec53146f303a233de3629fef679
- SHA256
  
  b3caf9297ab0303747a90e958047252a7c9177b301ec2542d9d7230cd2999bac
- SHA512
  
  32d393139463007f1aa137ecbd46fca6d4172f588c15a79493a53045aaa34a94f75f7b32a6e44563d8b4a2666554683a281f63ed11e6a9676769c649b4c03a47
- SSDEEP
  
  12288:cjGZmuxR910FjCOcXj0WkuF5rkoLtAV0a0K2TsvAVgU9iwVHupAypZwJi9mj70jK:z09y0WbBtM0a0K4JR02
Score

6^/10

bootkit persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
behavioral23 behavioral24
- Target
  
  WebView2Loader.dll
- Size
  
  112KB
- MD5
  
  33f7fa1198c0bf4988a0210f144b20b4
- SHA1
  
  06d50e37389480f542c8e15ae2e85106bbe9c304
- SHA256
  
  8c1b0ae8b7e7aa402407f00f22efb1989e47aeaa9c6a1ffa98341672d9ecf6dc
- SHA512
  
  09905095729e37f00fde5ce967fb309c8e64c76bf0f6839fa27bede39b91d663684c8de05c16fda63699df73a78a23a60a367a5e9c56366d6c74424506a4454d
- SSDEEP
  
  3072:TsaDUh9T2dO9O3ed9zJ11Xx3QKHwsTNOEt+AlLix3TF:Tsp9T2dO4o91OEt7hC35
Score

3^/10
behavioral25 behavioral26
- Target
  
  WinSparkle.dll
- Size
  
  1.9MB
- MD5
  
  85c8c1dda5d38db100dc2b437aa30ee5
- SHA1
  
  f46141e0ff833958a48e8e6ae286b2b25409a3f6
- SHA256
  
  cf71c62cd4a97c058a15a36236b0c91337a760e9b748a742edf2f5d8e4d93689
- SHA512
  
  bdf46cdb095435c41b07756e0c140ca900e4a3d5d7e0a6353f4b64d7706b9958836167f3cdd3628f368af3c22dec52a910556e387ad698b0b3f9a3d735e4b37b
- SSDEEP
  
  24576:njpgelFfeDGr5+gTtMlOGKhunqREzxvnKxSsKwCdEn4CBji7+PSwLFINb:tgaeDGBjYGgnxsKN6n4CBawLFINb
Score

1^/10
behavioral27 behavioral28
- Target
  
  breakpad.dll
- Size
  
  306KB
- MD5
  
  9546554126522c004977d014003c3a8e
- SHA1
  
  b6ad6feab06c4b6efeec7ebcf810708caeac8d72
- SHA256
  
  583b6f0078fbf090e13a225b9078a6b10c8af77949d34bfcb40ed292e61773c6
- SHA512
  
  b9b0bf907b164ef1953a29c0dafb3d18e873fbcb60639f512815a0495d02d47ed1932143bf88f8190c6591c7263feae4ec392e29ad23025dfefd368fdafb1607
- SSDEEP
  
  6144:ByFygpSFy+AFQ8JoMw4dSfVM8Fyi6N/c/efK41zfe2dEm5/DeBilU0Dtqhc0hjfJ:By8g1+qJoOcVM8FyiAEGfhzfFeD0Uhdz
Score

3^/10
behavioral29 behavioral30
- Target
  
  core/tun2socks.exe
- Size
  
  13.8MB
- MD5
  
  cf75258849e2f01de116d27e785d3684
- SHA1
  
  636b94437c306910cd60000ab6b1d79761bd1e6b
- SHA256
  
  152c6bb2d838ae3b6555027f31f93594278311ef191ba22d8c53e8916ad9e053
- SHA512
  
  f6d53c2423029de1e16c5bbd8d96768488d7a0e76fa355b491e7fd3c639f11caa43dfe6e48422c21b135d2df0a7e113639338f18f9c8fd234f3d5789a49c58cb
- SSDEEP
  
  196608:nF+tAj9IGpsl2apYkEWaxwijcMFihB5foWhG:sd4FWu0MF4B5PhG
Score

1^/10
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Drops file in Drivers directory

Adds Run key to start application

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Drops file in Drivers directory

Adds Run key to start application

Downloads MZ/PE file

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Looks up external IP address via web service

Writes to the Master Boot Record (MBR)

Checks computer location settings

Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31

behavioral32