blacknet

General

Target

GXPhmnNRPG_wynmove.js
Size

38KB
Sample

221025-ltrt8accb6
MD5

3dff90e5de574801e0a812ed337429eb
SHA1

1e0187f461e12cdc313640af5d5a82402f1fc121
SHA256

869125ed76969ba80597b88176721fe581d331a114f94e9906c8d152f7388ee3
SHA512

b77867ed63406be2a6c084141062bec420e37ea3862efa363cd460f098cb7a7faf83bf3d76a3abb9fbd7a595bf4a5b45913d0774d6cb982af60db713c25e42fb
SSDEEP

768:j3hbrMfo56OPGgF7aM4gF8wsZ1va/a9zcHEdYHzePb:7tRsS7aMPCwsZ14a9zcH+IzePb

Score

10^/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Extracted

Family

redline

Botnet

Test123ND

C2

0.tcp.ngrok.io:11252

Extracted

Family

darkcomet

Botnet

Guest16

C2

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes

InstallPath
AudioDriver\taskhost.exe
gencode
EWSsWwgyJrUD
install
true
offline_keylogger
true
persistence
false
reg_key
AudioDriver

Extracted

Family

wshrat

C2

http://45.139.105.174:7670

Targets

- Target
  
  GXPhmnNRPG_wynmove.js
- Size
  
  38KB
- MD5
  
  3dff90e5de574801e0a812ed337429eb
- SHA1
  
  1e0187f461e12cdc313640af5d5a82402f1fc121
- SHA256
  
  869125ed76969ba80597b88176721fe581d331a114f94e9906c8d152f7388ee3
- SHA512
  
  b77867ed63406be2a6c084141062bec420e37ea3862efa363cd460f098cb7a7faf83bf3d76a3abb9fbd7a595bf4a5b45913d0774d6cb982af60db713c25e42fb
- SSDEEP
  
  768:j3hbrMfo56OPGgF7aM4gF8wsZ1va/a9zcHEdYHzePb:7tRsS7aMPCwsZ14a9zcH+IzePb
Score

10^/10

blacknet darkcomet redline vjw0rm wannacry wshrat guest16 test123nd discovery evasion infostealer persistence ransomware rat themida trojan upx worm
- BlackNET
  BlackNET is an open source remote access tool written in VB.NET.
  trojan blacknet
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Vjw0rm
  Vjw0rm is a remote access trojan written in JavaScript.
  trojan worm vjw0rm
- WSHRAT
  WSHRAT is a variant of Houdini worm and has vbs and js variants.
  trojan wshrat
- Wannacry
  WannaCry is a ransomware cryptoworm.
  ransomware worm wannacry
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Blocklisted process makes network request
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Modifies file permissions
  discovery
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Adds Run key to start application
  persistence
- Sets desktop wallpaper using registry
  ransomware
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1