Resubmissions

  • 23-12-2021 07:30    211223-jb58sahcb8    10

  • 01-08-2021 06:01    210801-6cpqcbz1gx    10

General

  • Target

    e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe

  • Size

    220KB

  • Sample

    211223-jb58sahcb8

  • MD5

    97cb3fda3cff430377a866d6b437de8f

  • SHA1

    2359c8459c1e1dd133c2842b51d2982e63016f92

  • SHA256

    e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a

  • SHA512

    e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

C2

http://furyx.de/panel

Mutex

BN[c1916af6f3a468e5b6f5c7f6b9c78982]

Attributes

  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    e162b1333458a713bc6916cc8ac4110c

  • startup

    false

  • usb_spread

    true

aes.plain

Targets

    • Target

      e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a.exe

    • Size

      220KB

    • MD5

      97cb3fda3cff430377a866d6b437de8f

    • SHA1

      2359c8459c1e1dd133c2842b51d2982e63016f92

    • SHA256

      e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a

    • SHA512

      e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET Payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, Block at First Sight, etc.

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task (T1053): 1

Persistence

  • Modify Existing Service (T1031): 1

  • Registry Run Keys / Startup Folder (T1060): 1

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Bypass User Account Control (T1088): 1

  • Scheduled Task (T1053): 1

Defense Evasion

  • Modify Registry (T1112): 5

  • Disabling Security Tools (T1089): 3

  • Bypass User Account Control (T1088): 1

Discovery

  • System Information Discovery (T1082): 1

  • Remote System Discovery (T1018): 1

Tasks