General
- Target: 882fa492ec0648500be5bc1fac274380bb234bc16689e72f540da54bf1a0845c
- Size: 188KB
- Sample: 221110-c8g4wseba4
- MD5: 7d3c5eb8910223fd46a2544d485506bc
- SHA1: 4d13c0be1fcbdf5d674ca4bf4af64d1044bd6018
- SHA256: 882fa492ec0648500be5bc1fac274380bb234bc16689e72f540da54bf1a0845c
- SHA512: 9ca7db3b8fec1807105f95857f4afe2f4eb19ca2c9744a7096e5e636b46107c8c2691d70d0af5d6d5ff16dbb324fb12f0a0ae68d3c143108f00a0cef1433bd12
- SSDEEP: 3072:8lXOsjCj5iLQ1SOL1JRxLwz5UMiq5LnEyPjK9Chk:kFRLQ1SOXaiqhnEyP29y
Static task: static1
Malware Config
Extracted: blacknet
v3.7.0 Public
VQDbQF
http://1timirwin.online/
BN[c2b186b276dafd778d6e70a89d9083b7]
- antivm: true
- elevate_uac: true
- install_name: WindowsUpdate.exe
- splitter: |BN|
- start_name: e162b1333458a713bc6916cc8ac4110c
- startup: true
- usb_spread: false
Targets
- BlackNET payload
- Contains code to disable Windows Defender: A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first seen, etc.
- Detects Smokeloader packer
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software installed on the system.
- Legitimate hosting services abused for malware hosting/C2