blacknet | 90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320 | Triage

Submit
Reports

Overview

overview

Static

static

90071cffdf...20.exe

windows7_x64

90071cffdf...20.exe

windows10_x64

Sharing

General

Target

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320
Size

228KB
Sample

201109-3fyklnqg4j
MD5

e12000b9b526a5caff5b13d2cb2d07d0
SHA1

7f9227195996aac1d27b38d5b95a837e8c2b43c2
SHA256

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320
SHA512

a506b0e76e72cf2e4f92e60c12ac4cee7aedcca37e3aa6c71eb3150438363122e4e880608cfde334c51de4aaf9e5677d5a7b353f1fb3ef49741ef9a3467a2643

Score

10^/10

blacknet microwave coreentity evasion rezer0 trojan

Static task

static1

Behavioral task

behavioral1

Sample

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe

Resource

win7v20201028

blacknet microwave coreentity evasion rezer0 trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320.exe

Resource

win10v20201028

blacknet microwave coreentity evasion rezer0 trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

blacknet

Version

v3.5 Public

Botnet

Microwave

C2

http://thehacker.club/update

Mutex

BN[GBefMSlt-8433340]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
14247ae8e9bdf8a07859c46cc6c701e5
startup
false
usb_spread
false

Targets

- Target
  
  90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320
- Size
  
  228KB
- MD5
  
  e12000b9b526a5caff5b13d2cb2d07d0
- SHA1
  
  7f9227195996aac1d27b38d5b95a837e8c2b43c2
- SHA256
  
  90071cffdfe6465b764829a706fe27f1abbb58d719bfcb428b210ae8c939a320
- SHA512
  
  a506b0e76e72cf2e4f92e60c12ac4cee7aedcca37e3aa6c71eb3150438363122e4e880608cfde334c51de4aaf9e5677d5a7b353f1fb3ef49741ef9a3467a2643
Score

10^/10

blacknet microwave coreentity evasion rezer0 trojan
- BlackNET
  BlackNET is an open source remote access tool written in VB.NET.
  trojan blacknet
- BlackNET Payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- CoreEntity .NET Packer
  A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.
  coreentity
- Looks for VirtualBox Guest Additions in registry
  evasion
- ReZer0 packer
  Detects ReZer0, a packer with multiple versions used in various campaigns.
  rezer0
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blacknetmicrowavecoreentityevasionrezer0trojan

behavioral2

blacknetmicrowavecoreentityevasionrezer0trojan

© 2018-2024

Terms | Privacy