General

  • Target

    0213f005cf32cff9224d571e17b464ffcb2da574d25969d302fb26d8ff90afdf

  • Size

    1.2MB

  • Sample

    220502-wppt6scdh2

  • MD5

    3f764a1fd47d9b5e8b63300cc9aa1983

  • SHA1

    9760a40a721ac70181e20d587bdd5d60372f7196

  • SHA256

    0213f005cf32cff9224d571e17b464ffcb2da574d25969d302fb26d8ff90afdf

  • SHA512

    1fcaf9a7fd7bb868cae03593bcc23ab1b45f195a36d7da160f923b050f557cb9111a51fbf1ff01f1bffa943280ecd9f24f71f6cc6b446d6e2d2ebcd671626d7c

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Roma

C2

https://otkidnye-ramki.ru/bt

Mutex

BN[656c88c0a6e7d9e3ea66eb83bcb2888b]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    e162b1333458a713bc6916cc8ac4110c

  • startup

    false

  • usb_spread

    false

Targets

    • Target

      0213f005cf32cff9224d571e17b464ffcb2da574d25969d302fb26d8ff90afdf

    • Size

      1.2MB

    • MD5

      3f764a1fd47d9b5e8b63300cc9aa1983

    • SHA1

      9760a40a721ac70181e20d587bdd5d60372f7196

    • SHA256

      0213f005cf32cff9224d571e17b464ffcb2da574d25969d302fb26d8ff90afdf

    • SHA512

      1fcaf9a7fd7bb868cae03593bcc23ab1b45f195a36d7da160f923b050f557cb9111a51fbf1ff01f1bffa943280ecd9f24f71f6cc6b446d6e2d2ebcd671626d7c

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET Payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

      suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks