General

  • Target

    f335de99ddd439a9cbdcfed4b0a401806af481b789122df20936b9c00991b7e7

  • Size

    226KB

  • Sample

    221116-nr2mraec5v

  • MD5

    42e00577b163d4c87b0b758871452ff6

  • SHA1

    b829fad325624cba1b1feb07f09cc24d471f47a5

  • SHA256

    f335de99ddd439a9cbdcfed4b0a401806af481b789122df20936b9c00991b7e7

  • SHA512

    6f89abe6076acd36e410cca7817e0bc33d056a2bfead08c5e8a84649b57a53428f2640b6fd026d52895057193af34e249c1dd071d5a781b35be5a62e30285c16

  • SSDEEP

    3072:gXOzkeIaL1sR5Han+zMEJgWYL4BVEu8UwyVCrgW+gvhw4Cg3drRh5h+yKnu:UON/LE5Ow7gWeju8DgBw3ND5h+yc

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Round3

C2

http://zee.zight.ru

Mutex

BN[d396d077ee81b07d64cc8bbff27bbccb]

Attributes
  • antivm

    true

  • elevate_uac

    false

  • install_name

    GPUpdate.exe

  • splitter

    |BN|

  • start_name

    e162b1333458a713bc6916cc8ac4110c

  • startup

    false

  • usb_spread

    false

aes.plain

Targets

    • Target

      f335de99ddd439a9cbdcfed4b0a401806af481b789122df20936b9c00991b7e7

    • Size

      226KB

    • MD5

      42e00577b163d4c87b0b758871452ff6

    • SHA1

      b829fad325624cba1b1feb07f09cc24d471f47a5

    • SHA256

      f335de99ddd439a9cbdcfed4b0a401806af481b789122df20936b9c00991b7e7

    • SHA512

      6f89abe6076acd36e410cca7817e0bc33d056a2bfead08c5e8a84649b57a53428f2640b6fd026d52895057193af34e249c1dd071d5a781b35be5a62e30285c16

    • SSDEEP

      3072:gXOzkeIaL1sR5Han+zMEJgWYL4BVEu8UwyVCrgW+gvhw4Cg3drRh5h+yKnu:UON/LE5Ow7gWeju8DgBw3ND5h+yc

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as real-time monitoring, blocking at first sight, etc.

    • Detects Smokeloader packer

    • Modifies Windows Defender Real-time Protection settings

    • SmokeLoader

      Modular backdoor trojan in use since 2014.

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Windows security modification

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1): T1053

  • Persistence

    Modify Existing Service (1): T1031
    Scheduled Task (1): T1053

  • Privilege Escalation

    Scheduled Task (1): T1053

  • Defense Evasion

    Modify Registry (2): T1112
    Disabling Security Tools (2): T1089
    Virtualization/Sandbox Evasion (1): T1497

  • Credential Access

    Credentials in Files (2): T1081

  • Discovery

    Query Registry (4): T1012
    Virtualization/Sandbox Evasion (1): T1497
    System Information Discovery (3): T1082
    Peripheral Device Discovery (1): T1120

  • Collection

    Data from Local System (2): T1005

  • Command and Control

    Web Service (1): T1102

Tasks