General

  • Target

    90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320

  • Size

    228KB

  • Sample

    201109-3fyklnqg4j

  • MD5

    e12000b9b526a5caff5b13d2cb2d07d0

  • SHA1

    7f9227195996aac1d27b38d5b95a837e8c2b43c2

  • SHA256

    90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320

  • SHA512

    a506b0e76e72cf2e4f92e60c12ac4cee7aedcca37e3aa6c71eb3150438363122e4e880608cfde334c51de4aaf9e5677d5a7b353f1fb3ef49741ef9a3467a2643

Malware Config

Extracted

  • Family

    blacknet

  • Version

    v3.5 Public

  • Botnet

    Microwave

  • C2

    http://thehacker.club/update

  • Mutex

    BN[GBefMSlt-8433340]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    14247ae8e9bdf8a07859c46cc6c701e5

  • startup

    false

  • usb_spread

    false

Targets

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET Payload

    • Contains code to disable Windows Defender

      A .NET executable that disables Windows Defender capabilities such as real-time monitoring and block-at-first-sight.

    • CoreEntity .NET Packer

      A .NET packer called CoreEntity that embeds the payload as a BitMap object, which is decrypted at runtime.

    • Looks for VirtualBox Guest Additions in registry

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    T1053 Scheduled Task (1)

  • Persistence

    T1053 Scheduled Task (1)

  • Privilege Escalation

    T1053 Scheduled Task (1)

  • Defense Evasion

    T1497 Virtualization/Sandbox Evasion (2)

  • Discovery

    T1012 Query Registry (4)

    T1497 Virtualization/Sandbox Evasion (2)

    T1082 System Information Discovery (3)

    T1120 Peripheral Device Discovery (1)
