General

  • Target

    d78f6a0f8ce350f9ce330c31a6c0e26e11b166cfd9315a3f49a409d8ca54b330

  • Size

    135KB

  • Sample

    220307-qb6ymshfcl

  • MD5

    c740a87df97df23491f66ec3496ccc01

  • SHA1

    002cd30c235be15f3d71885677900e7560acaec2

  • SHA256

    d78f6a0f8ce350f9ce330c31a6c0e26e11b166cfd9315a3f49a409d8ca54b330

  • SHA512

    2fc2e41fc59e5c8faff5d59a54d45e9ce5545e8e8e6e35d72d29cf44a60b09dcc731aeed10a6ef0199a4d839c57a12c23489591d33735671be04fa5c796fc46b

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://www.minpic.de/k/b7mx/17dz0k/

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

Bot

C2

https://furyx.de/panel

Mutex

BN[rYrxGuaj-8783562]

Attributes
  • antivm

    false

  • elevate_uac

    true

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    a5b002eacf54590ec8401ff6d3f920ee

  • startup

    false

  • usb_spread

    true

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

dontreachme3.ddns.net:3601

dontreachme1.ddns.net:3601

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    true

  • delay

    3

  • install

    true

  • install_file

    WindowsSecurityTaskfender.exe

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Targets

    • Target

      d78f6a0f8ce350f9ce330c31a6c0e26e11b166cfd9315a3f49a409d8ca54b330

    • Size

      135KB

    • MD5

      c740a87df97df23491f66ec3496ccc01

    • SHA1

      002cd30c235be15f3d71885677900e7560acaec2

    • SHA256

      d78f6a0f8ce350f9ce330c31a6c0e26e11b166cfd9315a3f49a409d8ca54b330

    • SHA512

      2fc2e41fc59e5c8faff5d59a54d45e9ce5545e8e8e6e35d72d29cf44a60b09dcc731aeed10a6ef0199a4d839c57a12c23489591d33735671be04fa5c796fc46b

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers.

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET Payload

    • suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

      suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

    • Async RAT payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

2
T1112

Discovery

System Information Discovery

1
T1082

Tasks