General

  • Target

    4B71D55F16C4A497FB2457C340D5A8A6.exe

  • Size

    4.2MB

  • Sample

    210723-5bfl1557bx

  • MD5

    4b71d55f16c4a497fb2457c340d5a8a6

  • SHA1

    b8d17306aa1c757e6329bb69d976c224e585838a

  • SHA256

    4fcda5517e6673b3233c58d4738b079c6f944ce746dfc3b1dbf87f475f8ff364

  • SHA512

    93f66aca97affda90dee4631069255800ccf40a5ab912f77814f526df95ac5a8c6a1e63f74d2ba38b147b53a8f7d258f636db9cefd9a98ebb5ac869eb79ae79f

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

OTwjgZ

C2

http://54.237.66.139

Mutex

BN[a4bfa882efc194e2bcd370ea]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    19eb68018edbdeae69b26450d3d0915f

  • startup

    false

  • usb_spread

    false

Targets

    • Target

      4B71D55F16C4A497FB2457C340D5A8A6.exe

    • Size

      4.2MB

    • MD5

      4b71d55f16c4a497fb2457c340d5a8a6

    • SHA1

      b8d17306aa1c757e6329bb69d976c224e585838a

    • SHA256

      4fcda5517e6673b3233c58d4738b079c6f944ce746dfc3b1dbf87f475f8ff364

    • SHA512

      93f66aca97affda90dee4631069255800ccf40a5ab912f77814f526df95ac5a8c6a1e63f74d2ba38b147b53a8f7d258f636db9cefd9a98ebb5ac869eb79ae79f

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET Payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Discovery

System Information Discovery

1
T1082

Command and Control

Web Service

1
T1102

Tasks