General
Target: af711c6269728cc41a4b6cab99dc00d2.exe
Size: 3.2MB
Sample: 210722-c2j53ms7dj
MD5: af711c6269728cc41a4b6cab99dc00d2
SHA1: 02a1cff69f43552c5aa6fea7547e5f68018dbc84
SHA256: 4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c
SHA512: 94b6ba8fcdbb5dd175096e305698a41078fb1a99725610bb49159d02ccf2484b01fd7bfcf48fb4644af6b92c77453855f7eba46445f93ff449317f25613bb8a6
Static task: static1
Behavioral task: behavioral1
Sample: af711c6269728cc41a4b6cab99dc00d2.exe
Resource: win7v20210410
Malware Config
Extracted: blacknet
v3.7.0 Public
OTwjgZ
http://54.237.66.139
BN[a4bfa882efc194e2bcd370ea]
antivm: false
elevate_uac: false
install_name: WindowsUpdate.exe
splitter: |BN|
start_name: 19eb68018edbdeae69b26450d3d0915f
startup: false
usb_spread: false
Targets
Target: af711c6269728cc41a4b6cab99dc00d2.exe
Size: 3.2MB
MD5: af711c6269728cc41a4b6cab99dc00d2
SHA1: 02a1cff69f43552c5aa6fea7547e5f68018dbc84
SHA256: 4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c
SHA512: 94b6ba8fcdbb5dd175096e305698a41078fb1a99725610bb49159d02ccf2484b01fd7bfcf48fb4644af6b92c77453855f7eba46445f93ff449317f25613bb8a6
- BlackNET Payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- XMRig Miner Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext