BlackShell

Released 18 years, 8 months ago. April 2006

Copyright © MegaSecurity

By ?


Informations
Author ?
Family BlackShell
Category Remote Access
Version BlackShell
Released Date Apr 2006, 18 years, 8 months ago.
Language C++, source included
Additional Information
Server:
dropped file:
c:\WINDOWS\system32\quickstart.dll    Size: 24,576 bytes 
c:\WINDOWS\system32\quickstart.exe    Size: 3,584 bytes 
c:\WINDOWS\system32\quickstart.ini    Size: 9 bytes 

startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Quickstart"
data: C:\WINDOWS\System32\quickstart.exe 




tested on Windows XP
May 20, 2006

Author Information / Description
This is the Black Rat trojan, it offers a basic interface and simple firewall/router evasion techniques. The trojan itself has three parts:
1. The actuall trojan code hosted inside of a DLL that we inject into IE.
2. The loader application that injects or trojan
3. A dropper app to install both the DLL and the loader

The idea is that you can send someone the dropper and thus infect them with your trojan. It then injects IE with the trojan code and uses that to bypass firewalls by tricking them into thinking its a trusted app. It also uses the connect back approach in order to go through router security as well. This offers both useful and negative aspects. The useful ideas behind this is obvious... we can connect to someone even behind a fortress of firewalls and network routers as well as the fact that we no longer need to find there IP (an annoying step in any case). The negative is that you have to code in your address to the trojan allowing an easy trace back to you.

A quick note is that I enabled the trojan to use a connect back to host names not just IPs. So if you register a No-IP Domain then you can use that with the trojan so that it will allways connect. Also there are commands to remove and change the stored IP if you want to clear your tracks.


To Use:
To use simply open the project and change the server app to connect to your IP. (the binary files that come with it are set to connect to 127.0.0.1)

To listen for the connection simply tell netcat to listen on port 700 with the following command
"nc -l -p 700"
Type help for a list of commands.

If you recognize any personal information on this page and wish to have it removed or redacted, please contact us at jplesueur@phrozen.io. We are committed to protecting your privacy in accordance with GDPR regulations.