blacknet | 51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

Analysis

max time kernel
17s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220715-en
resource tags

arch:x64arch:x86image:win10v2004-20220715-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2022, 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinlockerBuilderV5.exe
Size

11.0MB
MD5

5891817266ffedc10d4a84a3bd483239
SHA1

b59d365a91b50ec55ccc1c1b2a70cbf858382aa3
SHA256

51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465
SHA512

517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Score

10^/10

blacknet darkcomet bot guest16 persistence rat trojan

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

Bot

http://f0483357.xsph.ru/

Mutex

BN[PHfunXGI-6235724]

Attributes

antivm
true
elevate_uac
false
install_name
jusched.exe
splitter
|BN|
start_name
a5b002eacf54590ec8401ff6d3f920ee
startup
true
usb_spread
true

Extracted

Family

darkcomet

Botnet

Guest16

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes

InstallPath
AudioDriver\taskhost.exe
gencode
EWSsWwgyJrUD
install
true
offline_keylogger
true
persistence
false
reg_key
AudioDriver

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e1e-136.dat	family_blacknet
behavioral2/files/0x0006000000022e1e-135.dat	family_blacknet
behavioral2/files/0x0006000000022e19-142.dat	family_blacknet
behavioral2/files/0x0006000000022e19-155.dat	family_blacknet

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Executes dropped EXE 2 IoCs

pid	Process
1500	svshost.exe
1788	jusched.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\Control Panel\International\Geo\Nation	WinlockerBuilderV5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinlockerBuilderV5.exe"	WinlockerBuilderV5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2280897447-3291712302-3137480060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	WinlockerBuilderV5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	WinlockerBuilderV5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4980	WinlockerBuilderV5.exe
4980	WinlockerBuilderV5.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 1500	4980	WinlockerBuilderV5.exe	82
PID 4980 wrote to memory of 1500	4980	WinlockerBuilderV5.exe	82
PID 4980 wrote to memory of 1500	4980	WinlockerBuilderV5.exe	82
PID 4980 wrote to memory of 1788	4980	WinlockerBuilderV5.exe	83
PID 4980 wrote to memory of 1788	4980	WinlockerBuilderV5.exe	83

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderV5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderV5.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Users\Admin\AppData\Local\Temp\svshost.exe
  "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
  2⤵
  - Executes dropped EXE
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
    "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
    3⤵
    PID:988
- - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
    "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
    3⤵
    PID:3524
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      PID:4232
    - - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        5⤵
        
        PID:2604
      - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        6⤵
        
        PID:4804
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\svshost.exe
    "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    3⤵
    PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
      "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
      4⤵
      PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      PID:3252
    - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        5⤵
        
        PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\WinlockerBuilderv5.exe.log

Filesize
866B

MD5
d7d09fe4ff702ba9f25d5f48923708b6

SHA1
85ce2b7a1c9a4c3252fc9f471cf13ad50ad2cf65

SHA256
ae5b9b53869ba7b6bf99b07cb09c9ce9ff11d4abbbb626570390f9fba4f6f462

SHA512
500a313cc36a23302763d6957516640c981da2fbab691c8b66518f5b0051e25dfb1b09449efff526eab707fa1be36ef9362286869c82b3800e42d2d8287ef1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe

Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe

Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderV5.exe

Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderV5.exe

Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
C:\Users\Admin\Documents\AudioDriver\taskhost.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
memory/988-144-0x00007FFC830D0000-0x00007FFC83B06000-memory.dmp

Filesize
10.2MB

Download
memory/988-166-0x0000000001B1A000-0x0000000001B1F000-memory.dmp

Filesize
20KB

Download
memory/988-159-0x0000000001B1A000-0x0000000001B1F000-memory.dmp

Filesize
20KB

Download
memory/1600-173-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1600-162-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1788-137-0x00007FFC830D0000-0x00007FFC83B06000-memory.dmp

Filesize
10.2MB

Download
memory/1788-167-0x0000000001B3A000-0x0000000001B3F000-memory.dmp

Filesize
20KB

Download
memory/1788-140-0x0000000001B3A000-0x0000000001B3F000-memory.dmp

Filesize
20KB

Download
memory/3524-150-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/3852-156-0x00007FFC830D0000-0x00007FFC83B06000-memory.dmp

Filesize
10.2MB

Download
memory/3852-171-0x0000000001E7A000-0x0000000001E7F000-memory.dmp

Filesize
20KB

Download
memory/3852-172-0x0000000001E7A000-0x0000000001E7F000-memory.dmp

Filesize
20KB

Download
memory/4232-151-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4804-170-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4980-139-0x000000000206A000-0x000000000206F000-memory.dmp

Filesize
20KB

Download
memory/4980-130-0x00007FFC830D0000-0x00007FFC83B06000-memory.dmp

Filesize
10.2MB

Download
memory/4980-131-0x000000000206A000-0x000000000206F000-memory.dmp

Filesize
20KB

Download