blacknet | ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35

General

Target

ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
Size

131KB
MD5

40ba4ae347f750e4d71f06f7982c8c67
SHA1

5d6512146cbafb7d2545ca57fb4cbb2e7ec99c98
SHA256

ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35
SHA512

8967e67fa7b8d135036d719fa3fb0688da37336d4ec48b07442dbc123454f8c8540d161150ca571795562101c32b05cec061d782f921bcb04b73dea8dfca9240

Score

10^/10

blacknet redengine evasion persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.5.1 Public

Botnet

Redengine

C2

http://boat.salvajesrp.com/

Mutex

BN[yfJZGMfn-6322239]

Attributes

antivm
true
elevate_uac
true
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
a4f5fc179540a0b155d91b489e6811e2
startup
true
usb_spread
false

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\a4f5fc179540a0b155d91b489e6811e2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe"	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

pid	process
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

description pid process

Token: SeDebugPrivilege 872 ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

description	pid	process
Token: SeDebugPrivilege	872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

pid	process
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe

description	pid	process	target process
PID 872 wrote to memory of 848	872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe	powershell.exe
PID 872 wrote to memory of 848	872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe	powershell.exe
PID 872 wrote to memory of 848	872	ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe
"C:\Users\Admin\AppData\Local\Temp\ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
2⤵
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe"
3⤵
PID:1348

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

2

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
131KB

MD5
40ba4ae347f750e4d71f06f7982c8c67

SHA1
5d6512146cbafb7d2545ca57fb4cbb2e7ec99c98

SHA256
ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35

SHA512
8967e67fa7b8d135036d719fa3fb0688da37336d4ec48b07442dbc123454f8c8540d161150ca571795562101c32b05cec061d782f921bcb04b73dea8dfca9240

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
Filesize
131KB

MD5
40ba4ae347f750e4d71f06f7982c8c67

SHA1
5d6512146cbafb7d2545ca57fb4cbb2e7ec99c98

SHA256
ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35

SHA512
8967e67fa7b8d135036d719fa3fb0688da37336d4ec48b07442dbc123454f8c8540d161150ca571795562101c32b05cec061d782f921bcb04b73dea8dfca9240

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\svchosts.exe
Filesize
17KB

MD5
89dd6e72358a669b7d6e2348307a7af7

SHA1
0db348f3c6114a45d71f4d218e0e088b71c7bb0a

SHA256
ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e

SHA512
93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
f0e25c899f3d824ec714a723e180a2ef

SHA1
5787b58cd6ce4d58a391ac0ff2d9de7df04e1c66

SHA256
14b7b9b721b7d0d9699360b5d39f37c2b183466de7f6f3781b001b3304b35c8c

SHA512
38b8ec15bc709d3eddaf946e6e49ef61df1e7907bb43ad78649f68201b0e556eff5b0e26c89e200866ac15c1e7a7035678bfb746ac6acd003cda45212b7a8526

Download Submit
memory/800-94-0x000000000255B000-0x000000000257A000-memory.dmp

Filesize
124KB

Download
memory/800-93-0x0000000002554000-0x0000000002557000-memory.dmp

Filesize
12KB

Download
memory/800-90-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/800-84-0x000007FEED850000-0x000007FEEE3AD000-memory.dmp

Filesize
11.4MB

Download
memory/800-80-0x000007FEF4200000-0x000007FEF4C23000-memory.dmp

Filesize
10.1MB

Download
memory/800-77-0x0000000000000000-mapping.dmp

Download
memory/848-76-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/848-74-0x00000000028CB000-0x00000000028EA000-memory.dmp

Filesize
124KB

Download
memory/848-60-0x000007FEF4200000-0x000007FEF4C23000-memory.dmp

Filesize
10.1MB

Download
memory/848-58-0x0000000000000000-mapping.dmp

Download
memory/848-61-0x000007FEEE3B0000-0x000007FEEEF0D000-memory.dmp

Filesize
11.4MB

Download
memory/848-64-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/848-72-0x000000001B870000-0x000000001BB6F000-memory.dmp

Filesize
3.0MB

Download
memory/848-75-0x00000000028C4000-0x00000000028C7000-memory.dmp

Filesize
12KB

Download
memory/872-57-0x00000000002F6000-0x0000000000315000-memory.dmp

Filesize
124KB

Download
memory/872-62-0x000000000032A000-0x000000000032E000-memory.dmp

Filesize
16KB

Download
memory/872-54-0x000007FEF4200000-0x000007FEF4C23000-memory.dmp

Filesize
10.1MB

Download
memory/872-71-0x00000000002F6000-0x0000000000315000-memory.dmp

Filesize
124KB

Download
memory/872-63-0x0000000000331000-0x0000000000336000-memory.dmp

Filesize
20KB

Download
memory/872-56-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download
memory/872-55-0x000007FEF2F20000-0x000007FEF3FB6000-memory.dmp

Filesize
16.6MB

Download
memory/964-83-0x0000000001F55000-0x0000000001F59000-memory.dmp

Filesize
16KB

Download
memory/964-89-0x0000000001F61000-0x0000000001F64000-memory.dmp

Filesize
12KB

Download
memory/964-85-0x0000000001F59000-0x0000000001F5D000-memory.dmp

Filesize
16KB

Download
memory/964-86-0x0000000001F5D000-0x0000000001F61000-memory.dmp

Filesize
16KB

Download
memory/964-87-0x0000000001F61000-0x0000000001F65000-memory.dmp

Filesize
16KB

Download
memory/964-88-0x0000000001F65000-0x0000000001F68000-memory.dmp

Filesize
12KB

Download
memory/964-82-0x0000000001F51000-0x0000000001F55000-memory.dmp

Filesize
16KB

Download
memory/964-65-0x0000000000000000-mapping.dmp

Download
memory/964-81-0x0000000001F4D000-0x0000000001F51000-memory.dmp

Filesize
16KB

Download
memory/964-97-0x0000000001F51000-0x0000000001F55000-memory.dmp

Filesize
16KB

Download
memory/964-73-0x0000000001F06000-0x0000000001F25000-memory.dmp

Filesize
124KB

Download
memory/964-69-0x000007FEF2F20000-0x000007FEF3FB6000-memory.dmp

Filesize
16.6MB

Download
memory/964-68-0x000007FEF4200000-0x000007FEF4C23000-memory.dmp

Filesize
10.1MB

Download
memory/964-95-0x0000000001F55000-0x0000000001F59000-memory.dmp

Filesize
16KB

Download
memory/964-96-0x0000000001F4D000-0x0000000001F51000-memory.dmp

Filesize
16KB

Download
memory/1348-91-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads