blacknet | e3ad04269f7d5b6be4a0bbdb9d19f0b40bddfce4bc56697596e329903d1bedb3

General

Target

HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe
Size

1.2MB
MD5

2a32b7f3a6f3398219829a798e705b68
SHA1

d1c9d4969239da09173c0c16ab7cc440214de440
SHA256

e3ad04269f7d5b6be4a0bbdb9d19f0b40bddfce4bc56697596e329903d1bedb3
SHA512

7759ac196d05442c0b3d0c93b91eccf5b5a365861c8f257a533dd2ddae3737d0349afdab2bbfe0cd00165367e303228a446468ab703b81a33b2f179a535bcdad
SSDEEP

24576:b4Syx6ara7MIrKxIT6/K/qt2pP/mtl/i6R6qLN0m:IWSAe/

Score

10^/10

blacknet hacked trojan

Malware Config

Extracted

Family

blacknet

Version

v3.5.1 Public

Botnet

HacKed

C2

http://noctorships.ga/BlackNET/Panel/

Mutex

BN[BNcJaNRq-7658837]

Attributes

antivm
true
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
a4f5fc179540a0b155d91b489e6811e2
startup
false
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e10-134.dat	family_blacknet
behavioral2/files/0x0006000000022e10-135.dat	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x0006000000022e10-134.dat	disable_win_def
behavioral2/files/0x0006000000022e10-135.dat	disable_win_def

Executes dropped EXE 2 IoCs

pid	Process
3548	tmp6E01.tmp.exe
3484	svshost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp6E01.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe
Token: SeDebugPrivilege	3548	tmp6E01.tmp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3548	tmp6E01.tmp.exe
3548	tmp6E01.tmp.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 3548	1308	HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe	80
PID 1308 wrote to memory of 3548	1308	HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe	80
PID 3548 wrote to memory of 3484	3548	tmp6E01.tmp.exe	83
PID 3548 wrote to memory of 3484	3548	tmp6E01.tmp.exe	83
PID 3548 wrote to memory of 3484	3548	tmp6E01.tmp.exe	83

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-e3ad04269f7d5b6be4a.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\tmp6E01.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp6E01.tmp.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3548
- - C:\Users\Admin\AppData\Local\Temp\svshost.exe
    "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    3⤵
    - Executes dropped EXE
    PID:3484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
381KB

MD5
0a499943ccd563c8b7d4bb3c7717a341

SHA1
c08a548c9d68f66feff1ce0bdc2e7ebddd1d5467

SHA256
d8ff47a7e4fc832c9dcafca95990fe8e989aeef493be5dfecca10d9c3228c64b

SHA512
89b0d83d2ea4b1e739c4f8d183670d8684624fb32ee29b22625adddb82a0b1a29c92423906bf3d4461d2efb3b46b717cb5cd742a29ed6b0d89d8735d5deb58f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
381KB

MD5
0a499943ccd563c8b7d4bb3c7717a341

SHA1
c08a548c9d68f66feff1ce0bdc2e7ebddd1d5467

SHA256
d8ff47a7e4fc832c9dcafca95990fe8e989aeef493be5dfecca10d9c3228c64b

SHA512
89b0d83d2ea4b1e739c4f8d183670d8684624fb32ee29b22625adddb82a0b1a29c92423906bf3d4461d2efb3b46b717cb5cd742a29ed6b0d89d8735d5deb58f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E01.tmp.exe

Filesize
1.1MB

MD5
589cac94238870c8fdabc6262e5b3026

SHA1
d0c2fe2913f9a333b1402e42022f80b7d539b933

SHA256
40b022c5ff2ecf2cfa11be4738839dbacafcfff233691256def7a1f2bdcd9060

SHA512
d707e1b36599bd491d5ab29825969b3bfeb2fc1fc1f6fa906a0ad344eeddcef77565c55ad80bbe9a242139c217c0e08b3418ca79d1023bd494bc909e87ca0c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6E01.tmp.exe

Filesize
1.1MB

MD5
589cac94238870c8fdabc6262e5b3026

SHA1
d0c2fe2913f9a333b1402e42022f80b7d539b933

SHA256
40b022c5ff2ecf2cfa11be4738839dbacafcfff233691256def7a1f2bdcd9060

SHA512
d707e1b36599bd491d5ab29825969b3bfeb2fc1fc1f6fa906a0ad344eeddcef77565c55ad80bbe9a242139c217c0e08b3418ca79d1023bd494bc909e87ca0c57

Download Submit
memory/1308-132-0x00007FFAD8540000-0x00007FFAD8F76000-memory.dmp

Filesize
10.2MB

Download
memory/3484-144-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/3484-141-0x0000000000720000-0x0000000000784000-memory.dmp

Filesize
400KB

Download
memory/3484-142-0x00000000050D0000-0x000000000516C000-memory.dmp

Filesize
624KB

Download
memory/3484-143-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/3484-145-0x00000000051E0000-0x00000000051EA000-memory.dmp

Filesize
40KB

Download
memory/3484-146-0x0000000005460000-0x00000000054B6000-memory.dmp

Filesize
344KB

Download
memory/3548-137-0x000000000107A000-0x000000000107F000-memory.dmp

Filesize
20KB

Download
memory/3548-136-0x00007FFAD8540000-0x00007FFAD8F76000-memory.dmp

Filesize
10.2MB

Download
memory/3548-147-0x000000000107A000-0x000000000107F000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing