General
Target: 5857380177444864.zip
Size: 3.2MB
Sample: 220117-epqm2agfh8
MD5: 73bfbaf4a25fdbd48a527230ff2b0bd5
SHA1: a00b8b71cbf1f623cd3c4d688baf2ef5cdd1aa3b
SHA256: 4733a03f0bcebeb9c3b95c9f3108a18a943a7dddf3223f1ec7d38835a4d7f4b0
SHA512: 3c73002b78162737c90ebf31f16525c8076e85e69ffb28c092bd6b0e9111b9ddbfbbc64737e7bfbb65ade39ac7058af29ffceaff2ce48173a3cab6d7b345dfc2
Static task: static1

Behavioral task: behavioral1
Sample: ea452302e00ded069ac9e67b8c0dfa54ba34035dad966f75f64709fe2cb12f97.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: ea452302e00ded069ac9e67b8c0dfa54ba34035dad966f75f64709fe2cb12f97.exe
Resource: win10v2004-en-20220113
Malware Config
Extracted
blacknet
v3.7.0 Public
OTwjgZ
http://54.237.66.139
BN[a4bfa882efc194e2bcd370ea]
antivm: false
elevate_uac: false
install_name: WindowsUpdate.exe
splitter: |BN|
start_name: 19eb68018edbdeae69b26450d3d0915f
startup: false
usb_spread: false
Targets
Target: ea452302e00ded069ac9e67b8c0dfa54ba34035dad966f75f64709fe2cb12f97
Size: 3.3MB
MD5: d53313ca3d886457af452ad1442704fe
SHA1: 37f1734d5e93476a15b61f0f93ba4f6cb489f6f7
SHA256: ea452302e00ded069ac9e67b8c0dfa54ba34035dad966f75f64709fe2cb12f97
SHA512: f4d0ee11d4ffd918055535a93d2f717cc87799402305b9b8ff62fea1d0f813e0f87f4f64fbf0a6ff24de18cb8dbdc600379cf5c8c06c9e714cace529bc17f443

Signatures
- BlackNET Payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, block-at-first-seen, etc.
- XMRig Miner Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up the country code configured in the registry, likely as a geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext