Overview

overview

10

Static

static

1

free-vpn-3...v1.exe

windows11-21h2-x64

10

Resubmissions

13-08-2024 08:41

240813-klh2nstfje 10

13-08-2024 08:34

240813-kgp97aybnm 7

13-08-2024 08:31

240813-ke339stcnh 7

13-08-2024 08:22

240813-j9la9stama 10

13-08-2024 08:15

240813-j5ww7sxeqm 10

13-08-2024 08:11

240813-j3kq6axdpl 6

13-08-2024 08:07

240813-jz4d4aseke 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    free-vpn-3.2-installer_96-miv1.exe

  • Size

    1.7MB

  • Sample

    240813-j9la9stama

  • MD5

    2798a45b6137fdc262bc01d6c13a2c7d

  • SHA1

    743587eb5afd358591146b8222d2b97d82cb9d1f

  • SHA256

    d69299761308057d6288300f98222484af40c1ebc98432bcbcc9c737ac219245

  • SHA512

    4c8b70261ec5fe915b2c3dcfb6ff644873adcf0d8abb1ba83be30eb600bf1c7fbd6bbd5d0730a610f129e3492517e7cd77e882e9f7b3bfa214e73bfbd361be1b

  • SSDEEP

    24576:W7FUDowAyrTVE3U5F/XkbjztjfSKh7P/1Ks6vk9XpSwR1HNmJrFxgzUsYz:WBuZrEUcztdqAXpSwRWNQ9Y

Score
10/10
darkcometnjratdefense_evasiondiscoveryevasionpersistenceprivilege_escalationrattrojan

Malware Config

Targets

    • Target

      free-vpn-3.2-installer_96-miv1.exe

    • Size

      1.7MB

    • MD5

      2798a45b6137fdc262bc01d6c13a2c7d

    • SHA1

      743587eb5afd358591146b8222d2b97d82cb9d1f

    • SHA256

      d69299761308057d6288300f98222484af40c1ebc98432bcbcc9c737ac219245

    • SHA512

      4c8b70261ec5fe915b2c3dcfb6ff644873adcf0d8abb1ba83be30eb600bf1c7fbd6bbd5d0730a610f129e3492517e7cd77e882e9f7b3bfa214e73bfbd361be1b

    • SSDEEP

      24576:W7FUDowAyrTVE3U5F/XkbjztjfSKh7P/1Ks6vk9XpSwR1HNmJrFxgzUsYz:WBuZrEUcztdqAXpSwRWNQ9Y

    Score
    10/10
    darkcometnjratdefense_evasiondiscoveryevasionpersistenceprivilege_escalationrattrojan

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • njRAT/Bladabindi

      Widely used RAT written in .NET.

      trojannjrat

    • Drops file in Drivers directory

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Modifies Windows Firewall

      evasion

    • Drops file in System32 directory

    • Modifies WinLogon for persistence

      persistence
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Impair Defenses

1
T1562

Disable or Modify System Firewall

1
T1562.004

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks