Overview

overview

10

Static

static

3

Thunder Free.exe

windows10-2004-x64

10

Thunder Free.exe

windows11-21h2-x64

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Thunder Free.exe

  • Size

    3.2MB

  • Sample

    241208-gl6k7avpfv

  • MD5

    eca98d2c56e4f340d9cf6571ba359f5a

  • SHA1

    a93442327357e844ea68274554dc0052d93b0862

  • SHA256

    b3846b72c3635aad8929d4908bc5bb131ffea57f41879f00a68b3c1207eaa1f3

  • SHA512

    afbf97d2d203405f0e850116f4eeb662a476df770c6517f3a4aece62550483941ce48d50d590239647e292d01ed91e9445c85f21f6d234e645dbf8e59b62669a

  • SSDEEP

    49152:eXdV944HnLTdse8o3zN+RLn36PSAwdxgn1GDaeRbTj2bAuSfSPyI:eNTrTdn8ojURji/8+2bj20pfuy

Score
10/10
crimsonratdarkcometdefense_evasiondiscoveryevasionpersistencephishingprivilege_escalationrattrojan

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

    • Target

      Thunder Free.exe

    • Size

      3.2MB

    • MD5

      eca98d2c56e4f340d9cf6571ba359f5a

    • SHA1

      a93442327357e844ea68274554dc0052d93b0862

    • SHA256

      b3846b72c3635aad8929d4908bc5bb131ffea57f41879f00a68b3c1207eaa1f3

    • SHA512

      afbf97d2d203405f0e850116f4eeb662a476df770c6517f3a4aece62550483941ce48d50d590239647e292d01ed91e9445c85f21f6d234e645dbf8e59b62669a

    • SSDEEP

      49152:eXdV944HnLTdse8o3zN+RLn36PSAwdxgn1GDaeRbTj2bAuSfSPyI:eNTrTdn8ojURji/8+2bj20pfuy

    Score
    10/10
    crimsonratdarkcometdiscoveryevasionpersistencerattrojandefense_evasionphishingprivilege_escalation

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is a malware linked to a Pakistani-linked threat actor.

      ratcrimsonrat

    • Crimsonrat family

      crimsonrat

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Darkcomet family

      darkcomet

    • Modifies WinLogon for persistence

      persistence

    • Downloads MZ/PE file

    • Sets file to hidden

      Modifies file attributes to stop it showing in Explorer etc.

      evasion

    • Sets service image path in registry

      persistence

    • A potential corporate email address has been identified in the URL: [email protected]

      phishing

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Tasks