blacknet | af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c

General

Target

af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe
Size

256KB
MD5

fe562bb60356ea0885d298fee6e0772a
SHA1

b4febb6af54c4ddc31fb821159528e2257367ca1
SHA256

af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c
SHA512

265d3f7b0296195430e7d0edd1102e3318136734846e5e409421518cc0f72ee563cc9f2a71d1ddd3b4feeab0a20f212b853c7174e7a86cfc979fa7cbfdf3552f

Score

10^/10

blacknet rbew persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.5 Public

Botnet

rbew

C2

http://a0524310.xsph.ru/bc

Mutex

BN[xnTOPNSD-0273934]

Attributes

antivm
true
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
afb3cc6e308d70ced0a4393b4c6a085d
startup
true
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET Payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/568-127-0x0000000000400000-0x0000000000418000-memory.dmp	family_blacknet
behavioral2/memory/568-128-0x00000000004123BE-mapping.dmp	family_blacknet
behavioral2/memory/568-149-0x0000000004DF0000-0x00000000052EE000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/568-127-0x0000000000400000-0x0000000000418000-memory.dmp	disable_win_def
behavioral2/memory/568-128-0x00000000004123BE-mapping.dmp	disable_win_def
behavioral2/memory/568-149-0x0000000004DF0000-0x00000000052EE000-memory.dmp	disable_win_def

Loads dropped DLL 1 IoCs

Processes:

af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe

pid process

4764 af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\afb3cc6e308d70ced0a4393b4c6a085d = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	RegAsm.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe

description	pid	process	target process
PID 4764 set thread context of 568	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

Processes:

af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exepowershell.exeRegAsm.exe

pid	process
4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe
4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe
3100	powershell.exe
3100	powershell.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
3100	powershell.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe
568	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exepowershell.exeRegAsm.exe

description	pid	process
Token: SeDebugPrivilege	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	568	RegAsm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegAsm.exe

pid process

568 RegAsm.exe
568 RegAsm.exe

pid	process
568	RegAsm.exe
568	RegAsm.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe

description	pid	process	target process
PID 4764 wrote to memory of 3100	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	powershell.exe
PID 4764 wrote to memory of 3100	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	powershell.exe
PID 4764 wrote to memory of 3100	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	powershell.exe
PID 4764 wrote to memory of 520	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe
PID 4764 wrote to memory of 520	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe
PID 4764 wrote to memory of 520	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe
PID 4764 wrote to memory of 568	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe
PID 4764 wrote to memory of 568	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe
PID 4764 wrote to memory of 568	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe
PID 4764 wrote to memory of 568	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe
PID 4764 wrote to memory of 568	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe
PID 4764 wrote to memory of 568	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe
PID 4764 wrote to memory of 568	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe
PID 4764 wrote to memory of 568	4764	af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe
"C:\Users\Admin\AppData\Local\Temp\af4586015e689d670854702df4aa5748eb90da472dc6c479f065bfb49e624d0c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'usymyr kilul';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'usymyr kilul' -Value '"C:\Users\Admin\Documents\chome_exe\vlc.exe"' -PropertyType 'String'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\48f61eec-53fc-4051-a0a0-85b6cd68ee5f\AgileDotNetRT.dll
MD5
edd74be9723cdc6a5692954f0e51c9f3

SHA1
e9fb66ceee1ba4ce7e5b8271b3e1ed7cb9acf686

SHA256
55ff1e0a4e5866d565ceeb9baafac73fdcb4464160fc6c78104d935009935cd7

SHA512
80abecdd07f364283f216d8f4d90a4da3efd4561900631fce05c2916afeb1b5bbce23ae92d57430b7b2b06c172b2ad701b2ab75b6dfd2a861abcf7edc38462f3

Download Submit
memory/568-150-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/568-128-0x00000000004123BE-mapping.dmp

Download
memory/568-159-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/568-158-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/568-157-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/568-156-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/568-155-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/568-152-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/568-149-0x0000000004DF0000-0x00000000052EE000-memory.dmp

Filesize
5.0MB

Download
memory/568-143-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/568-137-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/568-127-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3100-126-0x0000000000000000-mapping.dmp

Download
memory/3100-140-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/3100-132-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/3100-133-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/3100-136-0x0000000004B72000-0x0000000004B73000-memory.dmp

Filesize
4KB

Download
memory/3100-169-0x0000000004B73000-0x0000000004B74000-memory.dmp

Filesize
4KB

Download
memory/3100-142-0x0000000007CD0000-0x0000000007CD1000-memory.dmp

Filesize
4KB

Download
memory/3100-164-0x00000000093F0000-0x00000000093F1000-memory.dmp

Filesize
4KB

Download
memory/3100-144-0x0000000007FC0000-0x0000000007FC1000-memory.dmp

Filesize
4KB

Download
memory/3100-163-0x0000000008920000-0x0000000008921000-memory.dmp

Filesize
4KB

Download
memory/3100-145-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/3100-146-0x0000000007F90000-0x0000000007F91000-memory.dmp

Filesize
4KB

Download
memory/3100-147-0x0000000008730000-0x0000000008731000-memory.dmp

Filesize
4KB

Download
memory/3100-162-0x0000000009460000-0x0000000009461000-memory.dmp

Filesize
4KB

Download
memory/3100-135-0x0000000007630000-0x0000000007631000-memory.dmp

Filesize
4KB

Download
memory/4764-123-0x0000000005360000-0x0000000005376000-memory.dmp

Filesize
88KB

Download
memory/4764-122-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/4764-121-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/4764-120-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/4764-114-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4764-118-0x0000000071BC0000-0x0000000071C40000-memory.dmp

Filesize
512KB

Download
memory/4764-124-0x0000000005380000-0x0000000005395000-memory.dmp

Filesize
84KB

Download
memory/4764-125-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4764-119-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/4764-116-0x0000000005160000-0x0000000005161000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads