Overview

overview

10

Static

static

7

af4586015e...0c.exe

windows7_x64

10

af4586015e...0c.exe

windows10_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-04-2021 18:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe

  • Size

    256KB

  • MD5

    fe562bb60356ea0885d298fee6e0772a

  • SHA1

    b4febb6af54c4ddc31fb821159528e2257367ca1

  • SHA256

    af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c

  • SHA512

    265d3f7b0296195430e7d0edd1102e3318136734846e5e409421518cc0f72ee563cc9f2a71d1ddd3b4feeab0a20f212b853c7174e7a86cfc979fa7cbfdf3552f

Score
10/10
blacknetrbewpersistencetrojan

Malware Config

Extracted

Family

blacknet

Version

v3.5 Public

Botnet

rbew

C2

http://a0524310.xsph.ru/bc

Mutex

BN[xnTOPNSD-0273934]

Attributes
  • antivm

    true

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    afb3cc6e308d70ced0a4393b4c6a085d

  • startup

    true

  • usb_spread

    false

Signatures

  • BlackNET

    BlackNET is an open source remote access tool written in VB.NET.

    trojanblacknet
  • BlackNET Payload 3 IoCs
  • Contains code to disable Windows Defender 3 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe
    "C:\Users\Admin\AppData\Local\Temp\af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'usymyr kilul';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'usymyr kilul' -Value '"C:\Users\Admin\Documents\chome_exe\vlc.exe"' -PropertyType 'String'
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1524
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1444
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 2816
        3⤵
        • Program crash
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:1292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\48f61eec-53fc-4051-a0a0-85b6cd68ee5f\AgileDotNetRT.dll
    MD5

    edd74be9723cdc6a5692954f0e51c9f3

    SHA1

    e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686

    SHA256

    55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7

    SHA512

    80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

    Download Submit
  • memory/1100-59-0x0000000000D00000-0x0000000000D01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1100-63-0x0000000004900000-0x0000000004901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1100-64-0x00000000003A0000-0x00000000003B6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1100-65-0x00000000003C0000-0x00000000003D5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/1292-119-0x0000000000630000-0x0000000000642000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1292-103-0x0000000000000000-mapping.dmp
    Download
  • memory/1444-78-0x0000000004F80000-0x0000000004F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-118-0x0000000004FAA000-0x0000000004FAC000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1444-71-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1444-116-0x0000000004FA7000-0x0000000004FA8000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-68-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1444-117-0x0000000004FA8000-0x0000000004FAA000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1444-115-0x0000000004FA6000-0x0000000004FA7000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-113-0x0000000004FA4000-0x0000000004FA5000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-79-0x0000000004F81000-0x0000000004F82000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-109-0x0000000004FA0000-0x0000000004FA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-114-0x0000000004FA5000-0x0000000004FA6000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-81-0x0000000004F82000-0x0000000004F83000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-100-0x0000000004F98000-0x0000000004F99000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-69-0x00000000004123BE-mapping.dmp
    Download
  • memory/1444-112-0x0000000004FA3000-0x0000000004FA4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-111-0x0000000004FA2000-0x0000000004FA3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-98-0x0000000004F87000-0x0000000004F98000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1444-110-0x0000000004FA1000-0x0000000004FA2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-102-0x0000000004F9A000-0x0000000004F9B000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-101-0x0000000004F99000-0x0000000004F9A000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-104-0x0000000004F9B000-0x0000000004F9C000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-105-0x0000000004F9C000-0x0000000004F9D000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-106-0x0000000004F9D000-0x0000000004F9E000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-108-0x0000000004F9F000-0x0000000004FA0000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1444-107-0x0000000004F9E000-0x0000000004F9F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-74-0x0000000004920000-0x0000000004921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-99-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-97-0x0000000006280000-0x0000000006281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-90-0x0000000006170000-0x0000000006171000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-89-0x0000000006100000-0x0000000006101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-84-0x00000000060A0000-0x00000000060A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-80-0x0000000005240000-0x0000000005241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-77-0x00000000048E2000-0x00000000048E3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-76-0x00000000048E0000-0x00000000048E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-75-0x00000000045C0000-0x00000000045C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-73-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1524-67-0x00000000760C1000-0x00000000760C3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1524-66-0x0000000000000000-mapping.dmp
    Download