General
-
Target
E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
-
Size
220KB
-
Sample
210801-s8db7vccas
-
MD5
97cb3fda3cff430377a866d6b437de8f
-
SHA1
2359c8459c1e1dd133c2842b51d2982e63016f92
-
SHA256
e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a
-
SHA512
e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f
Malware Config
Extracted
blacknet
v3.7.0 Public
Bot
http://furyx.de/panel
BN[c1916af6f3a468e5b6f5c7f6b9c78982]
-
antivm
false
-
elevate_uac
false
-
install_name
WindowsUpdate.exe
-
splitter
|BN|
-
start_name
e162b1333458a713bc6916cc8ac4110c
-
startup
false
-
usb_spread
true
Targets
-
-
Target
E6507F36045C13DEE736BEA44D61E90169EA69DE61E9D.exe
-
Size
220KB
-
MD5
97cb3fda3cff430377a866d6b437de8f
-
SHA1
2359c8459c1e1dd133c2842b51d2982e63016f92
-
SHA256
e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a
-
SHA512
e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f
Score10/10-
BlackNET
BlackNET is an open source remote access tool written in VB.NET.
-
BlackNET Payload
-
Contains code to disable Windows Defender
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings
-
UAC bypass
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Loads dropped DLL
-
Windows security modification
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-