General

  • Target

    51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

  • Size

    11MB

  • Sample

    221112-h6sqhahd8s

  • MD5

    5891817266ffedc10d4a84a3bd483239

  • SHA1

    b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

  • SHA256

    51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

  • SHA512

    517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

  • SSDEEP

    49152:VEdISABBHJtTPSfon8ElC8exQ5ekWtoy/WnwTua+V1ISCezf/rs6kLrHKOWHWq6r:VEd9

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

Bot

C2

http://f0483357.xsph.ru/

Mutex

BN[PHfunXGI-6235724]

Attributes
  • antivm

    true

  • elevate_uac

    false

  • install_name

    jusched.exe

  • splitter

    |BN|

  • start_name

    a5b002eacf54590ec8401ff6d3f920ee

  • startup

    true

  • usb_spread

    true

Extracted

Family

darkcomet

Botnet

Guest16

C2

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes
  • InstallPath

    AudioDriver\taskhost.exe

  • gencode

    EWSsWwgyJrUD

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    AudioDriver

Targets

    • Target

      51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

    • Size

      11MB

    • MD5

      5891817266ffedc10d4a84a3bd483239

    • SHA1

      b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

    • SHA256

      51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

    • SHA512

      517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

    • SSDEEP

      49152:VEdISABBHJtTPSfon8ElC8exQ5ekWtoy/WnwTua+V1ISCezf/rs6kLrHKOWHWq6r:VEd9

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET payload

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks