General

  • Target

    7315ab3fbe785acb4ad597e8a3e00f494dd17aeeb7bb2b0753efb770162054c1

  • Size

    181KB

  • Sample

    221104-fqlk5sdfbq

  • MD5

    a580716c85ddeb8ec54931c0ad936681

  • SHA1

    50a6d64889c3192dbf111cd0d24d46d1cf735177

  • SHA256

    7315ab3fbe785acb4ad597e8a3e00f494dd17aeeb7bb2b0753efb770162054c1

  • SHA512

    9960b9ec8d3819603f83d6a6743b51ed34676a3129d02fcc34179132ddc11358de6602834d95821631cc5682b4a5aaa7dfb1c550d3bb165e35c353484ed76229

  • SSDEEP

    3072:s06SfVcCptVLSM7hBfx5pPrxkmiDsF3dJL29H13k78J:s0bmCpvLSohBFPreWFrL29H+4

Malware Config

Targets

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.

    • Detects Smokeloader packer

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scheduled Task, T1053 (1)

Persistence

  • Registry Run Keys / Startup Folder, T1060 (1)

  • Scheduled Task, T1053 (1)

Privilege Escalation

  • Scheduled Task, T1053 (1)

Defense Evasion

  • Modify Registry, T1112 (1)

Discovery

  • Query Registry, T1012 (1)

  • Peripheral Device Discovery, T1120 (1)

  • System Information Discovery, T1082 (1)

Command and Control

  • Web Service, T1102 (1)

Tasks