General
- Target: 4B71D55F16C4A497FB2457C340D5A8A6.exe
- Size: 4.2MB
- Sample: 210723-5bfl1557bx
- MD5: 4b71d55f16c4a497fb2457c340d5a8a6
- SHA1: b8d17306aa1c757e6329bb69d976c224e585838a
- SHA256: 4fcda5517e6673b3233c58d4738b079c6f944ce746dfc3b1dbf87f475f8ff364
- SHA512: 93f66aca97affda90dee4631069255800ccf40a5ab912f77814f526df95ac5a8c6a1e63f74d2ba38b147b53a8f7d258f636db9cefd9a98ebb5ac869eb79ae79f
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 4B71D55F16C4A497FB2457C340D5A8A6.exe
  - Resource: win7v20210408

Malware Config
- Extracted: blacknet
  - v3.7.0 Public
  - OTwjgZ
  - http://54.237.66.139
  - BN[a4bfa882efc194e2bcd370ea]
- antivm: false
- elevate_uac: false
- install_name: WindowsUpdate.exe
- splitter: |BN|
- start_name: 19eb68018edbdeae69b26450d3d0915f
- startup: false
- usb_spread: false
Targets
- Target: 4B71D55F16C4A497FB2457C340D5A8A6.exe
- Signatures:
  - BlackNET Payload
  - Contains code to disable Windows Defender: a .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
  - XMRig Miner Payload
  - Blocklisted process makes network request
  - Executes dropped EXE
  - Loads dropped DLL
  - Uses the VBS compiler for execution
  - Legitimate hosting services abused for malware hosting/C2
  - Suspicious use of SetThreadContext