90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320

General
Target

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320

Size

228KB

Sample

201109-3fyklnqg4j

Score
10/10
MD5

e12000b9b526a5caff5b13d2cb2d07d0

SHA1

7f9227195996aac1d27b38d5b95a837e8c2b43c2

SHA256

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320

SHA512

a506b0e76e72cf2e4f92e60c12ac4cee7aedcca37e3aa6c71eb3150438363122e4e880608cfde334c51de4aaf9e5677d5a7b353f1fb3ef49741ef9a3467a2643

Signatures

  • BlackNET

    Description

    BlackNET is an open source remote access tool written in VB.NET.

  • BlackNET Payload

  • Contains code to disable Windows Defender

    Description

    A .NET executable that disables Windows Defender protections such as real-time monitoring and block-at-first-sight.

  • CoreEntity .NET Packer

    Description

    A .NET packer, CoreEntity, that embeds its payload as a Bitmap object and decrypts it at runtime.

  • Looks for VirtualBox Guest Additions in registry

    TTPs

    Query Registry (T1012), Virtualization/Sandbox Evasion (T1497)
  • rezer0

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Looks for VMWare Tools registry key

    TTPs

    Query Registry (T1012), Virtualization/Sandbox Evasion (T1497)
  • Checks BIOS information in registry

    Description

    BIOS information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry (T1012), System Information Discovery (T1082)
  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry (T1012), Peripheral Device Discovery (T1120), System Information Discovery (T1082)
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; for this sample it is also consistent with the registry-based drive enumeration flagged above.

    TTPs

    System Information Discovery
  • Suspicious use of SetThreadContext
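The Defender-tampering signature above says what the sample does but not how this is usually done: the two common routes are Set-MpPreference switches run from PowerShell and writes under the Windows Defender policy key. The following is an added detection example, not code from the sandbox or from BlackNET. It scans constructed log records in the shape of PowerShell script-block logging (Event ID 4104) and Sysmon registry value writes (Event ID 13) for both routes. The switch names are real Set-MpPreference parameters; the sample events, the Sysmon "Details" format and the table of which argument values count as tampering are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Set-MpPreference switches that weaken Defender, with the argument values
# that mean "off". The switch names are real parameters; which values count
# as tampering is an assumption for this example (MAPSReporting 0 = cloud
# protection disabled, SubmitSamplesConsent 2 = never send samples).
TAMPER_VALUES: Dict[str, set] = {
    "DisableRealtimeMonitoring": {"$true", "1"},
    "DisableBlockAtFirstSeen": {"$true", "1"},
    "DisableIOAVProtection": {"$true", "1"},
    "DisableBehaviorMonitoring": {"$true", "1"},
    "DisableScriptScanning": {"$true", "1"},
    "MAPSReporting": {"0"},
    "SubmitSamplesConsent": {"2"},
}

# Policy hive that backs the same settings when they are set via the registry.
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"

SET_PREF = re.compile(r"\b(?:Set|Add)-MpPreference\b(?P<args>[^\n|;]*)", re.IGNORECASE)
SWITCH = re.compile(r"-(?P<name>[A-Za-z]+)\s+(?P<value>\$true|\$false|\d+)", re.IGNORECASE)

# Constructed records (not real telemetry) in the shape of PowerShell
# script-block logging (4104) and Sysmon RegistryEvent value set (13).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"id": 4104, "image": "powershell.exe",
     "text": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
    {"id": 4104, "image": "powershell.exe",
     "text": "Set-MpPreference -DisableRealtimeMonitoring $true -DisableBlockAtFirstSeen $true"},
    {"id": 4104, "image": "powershell.exe",
     "text": "Set-MpPreference -SubmitSamplesConsent 2 -MAPSReporting 0"},
    {"id": 13, "image": r"C:\Users\Public\update.exe",
     "target": DEFENDER_POLICY_KEY + r"\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\Public\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def tamper_switches(script_text: str) -> List[str]:
    """Return the Defender protections a Set-/Add-MpPreference call turns off."""
    hits: List[str] = []
    for call in SET_PREF.finditer(script_text):
        for sw in SWITCH.finditer(call.group("args")):
            name, value = sw.group("name"), sw.group("value").lower()
            for known, off_values in TAMPER_VALUES.items():
                if name.lower() == known.lower() and value in off_values:
                    hits.append(known)
    return hits


def registry_tamper(target: str, details: str) -> bool:
    """True when a registry write sets a Disable* Defender policy value to 1."""
    if not target.lower().startswith(DEFENDER_POLICY_KEY.lower()):
        return False
    value_name = target.rsplit("\\", 1)[-1]
    return value_name.lower().startswith("disable") and details.strip().endswith("(0x00000001)")


def detect(events) -> List[Tuple[str, str]]:
    """Run both checks over event records; return (image, reason) alerts."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        if ev["id"] == 4104:
            switches = tamper_switches(str(ev["text"]))
            if switches:
                alerts.append((str(ev["image"]), "MpPreference disables " + ", ".join(switches)))
        elif ev["id"] == 13 and registry_tamper(str(ev["target"]), str(ev["details"])):
            alerts.append((str(ev["image"]), "Defender policy write " + str(ev["target"])))
    return alerts


if __name__ == "__main__":
    for image, reason in detect(SAMPLE_EVENTS):
        print(f"{image}: {reason}")
```

The Get-MpPreference line and the benign Run-key write are there deliberately: reading the settings or writing elsewhere in the registry should not alert, only a Set-/Add-MpPreference call that flips a protection off or a policy value set to 1.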

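The four registry-based sandbox checks flagged above (VirtualBox Guest Additions, VMware Tools, BIOS strings, disk enumeration) are the classic VM artifact lookups. As an added example, not code from this page or from the sample, the block below runs the same lookups over a registry snapshot supplied as a plain dictionary, so it runs offline on any OS, and reports every artifact a sample like this one would find. An analyst can feed it values exported from a sandbox image to see which ones still need scrubbing. The key paths and value names are the real locations; the two snapshots and the vendor substrings are constructed for the example.

```python
from typing import Dict, List, Tuple

# Registry artifacts the signatures above describe. Key paths and value names
# are the real locations VirtualBox and VMware guests expose; a value name of
# None means "the key existing is enough", "*" means "check every value under
# the key". The vendor substrings are what a VM-check routine greps for.
VM_INDICATORS: List[Tuple[str, object, Tuple[str, ...]]] = [
    (r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions", None, ()),
    (r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools", None, ()),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion", ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS")),
    (r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion", ("VIRTUALBOX", "VMWARE")),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum", "*", ("VBOX", "VMWARE", "VIRTUAL", "QEMU")),
]

Snapshot = Dict[str, Dict[str, str]]   # key path -> {value name: data}

# Constructed snapshots (not taken from the sandbox that produced this report).
VIRTUALBOX_GUEST: Snapshot = {
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": {"Version": "6.1.38"},
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": "VBOX   - 1",
        "VideoBiosVersion": "Oracle VM VirtualBox Version 6.1.38 VGA BIOS",
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum": {
        "0": r"IDE\DiskVBOX_HARDDISK___________________________1.0_____\5&2a1b3c4d&0&0.0.0",
        "Count": "1",
    },
}

BARE_METAL: Snapshot = {
    r"HKLM\HARDWARE\DESCRIPTION\System": {
        "SystemBiosVersion": "LENOVO - 1250",
        "VideoBiosVersion": "Intel Video BIOS",
    },
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum": {
        "0": r"SCSI\Disk&Ven_NVMe&Prod_Samsung_SSD_980\4&1f2e3d4c&0&000000",
        "Count": "1",
    },
}


def find_vm_artifacts(snapshot: Snapshot) -> List[Tuple[str, str, str]]:
    """Return (key, value name, evidence) for every VM indicator present in the snapshot."""
    by_lower = {k.lower(): (k, v) for k, v in snapshot.items()}   # registry paths are case-insensitive
    hits: List[Tuple[str, str, str]] = []
    for key, value_name, needles in VM_INDICATORS:
        entry = by_lower.get(key.lower())
        if entry is None:
            continue
        real_key, values = entry
        if value_name is None:
            hits.append((real_key, "", "key exists"))
            continue
        if value_name == "*":
            candidates = list(values.items())
        else:
            candidates = [(value_name, values.get(value_name, ""))]
        for name, data in candidates:
            upper = data.upper()
            if any(needle in upper for needle in needles):
                hits.append((real_key, name, data))
    return hits


def looks_virtualized(snapshot: Snapshot) -> bool:
    """The decision a sample like this one makes: any single artifact is enough to bail out."""
    return bool(find_vm_artifacts(snapshot))


if __name__ == "__main__":
    for key, name, evidence in find_vm_artifacts(VIRTUALBOX_GUEST):
        print(f"{key}\\{name or '(key)'}: {evidence}")
    print("bare metal flagged:", looks_virtualized(BARE_METAL))
```

Note that the BIOS and disk checks work on substrings, not on key presence, which is why uninstalling Guest Additions or VMware Tools alone does not make a sandbox look like bare metal: the SystemBiosVersion and Disk\Enum strings still carry the vendor name.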
MITRE ATT&CK Matrix

Tactic columns as extracted: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation. The techniques this sample triggered are the ones listed under each signature's TTPs above.