General
Target: 1732-89-0x0000000010560000-0x00000000105B1000-memory.dmp (a memory-region dump; the name encodes PID 1732 and the range 0x10560000-0x105B1000, which is 0x51000 bytes and matches the 324KB size below)
Size: 324KB
Sample: 221127-qwjzlsbd92
MD5: 502f23821a675b1eeef88072cd7539e9
SHA1: 2b48a14d21a1184444f583234b7dbd5aa9f525b1
SHA256: 6be7c3ecbf8b4f6f80324c4238e6f78fd42a44087a5232f6e0f0a058b9cfa8cf
SHA512: 2d641a94b0295051ee96bac581d48c920296ba66afcdda33fd043b7fc5c89dbcef39bdcd017f7271837c799f06b3ead7a87cd1959051b680c3c7e2ddf5200373
SSDEEP: 6144:ucCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzcoeqqD95Ix:ucXiQfipPrb08rTj6+pGWqYx
Malware Config
Extracted: BlackNET v3.6.0 Public
Bot:
  http://f0483357.xsph.ru/
  BN[PHfunXGI-6235724]
antivm: true
elevate_uac: false
install_name: jusched.exe
splitter: |BN|
start_name: a5b002eacf54590ec8401ff6d3f920ee
startup: true
usb_spread: true
Extracted: DarkComet
ID (campaign name): Guest16
C2: gameservice.ddns.net:4320
Mutex: DC_MUTEX-WBUNVXD
InstallPath: AudioDriver\taskhost.exe
gencode: EWSsWwgyJrUD
install: true
offline_keylogger: true
persistence: false (this is DarkComet's self-restart watchdog option, not its startup entry; with install true and reg_key set, a Run value is still written)
reg_key: AudioDriver
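The config values above are directly actionable on a live host. The script below is an added example, not part of the sandbox report and not code from either malware family: it turns the BlackNET start_name/install_name/bot URL and the DarkComet reg_key/InstallPath/C2/mutex into simple hunting checks and runs them over constructed `reg query`, connection-log and handle-listing samples. Function names and the sample inputs are invented for the example; only the indicator values come from the report.

```python
"""Hunt for host artifacts derived from the extracted BlackNET / DarkComet configs.

Added example: not from the sandbox report and not either family's own code.
Indicator values are copied from the Malware Config section; the function
names and the sample inputs below are constructed so the script runs offline.
"""
import re

# --- indicators lifted from the extracted configs ---------------------------
RUN_VALUE_NAMES = {
    "a5b002eacf54590ec8401ff6d3f920ee",  # BlackNET start_name
    "AudioDriver",                       # DarkComet reg_key
}
INSTALL_PATH_FRAGMENTS = {               # compared case-insensitively
    "jusched.exe",                       # BlackNET install_name (also the real Java updater's name)
    "audiodriver\\taskhost.exe",         # DarkComet InstallPath
}
C2_HOSTS = {
    "f0483357.xsph.ru": None,            # BlackNET bot URL; None = any port
    "gameservice.ddns.net": 4320,        # DarkComet C2 host:port
}
MUTEX_NAMES = {"DC_MUTEX-WBUNVXD"}       # DarkComet mutex

# --- constructed inputs (made up for this example) ---------------------------
SAMPLE_REG = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    AudioDriver    REG_SZ    C:\\Users\\alice\\AppData\\Roaming\\AudioDriver\\taskhost.exe
    a5b002eacf54590ec8401ff6d3f920ee    REG_SZ    C:\\Users\\alice\\AppData\\Roaming\\jusched.exe
    SunJavaUpdateSched    REG_SZ    "C:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"
"""
SAMPLE_CONNS = """\
1732 gameservice.ddns.net:4320
1732 f0483357.xsph.ru:80
4412 update.microsoft.com:443
"""
SAMPLE_HANDLES = """\
\\Sessions\\1\\BaseNamedObjects\\DC_MUTEX-WBUNVXD
\\Sessions\\1\\BaseNamedObjects\\Local\\SM0:1732:64:WilError_03
"""

RUN_LINE = re.compile(r"^\s+(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")
CONN_LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<host>[\w.-]+):(?P<port>\d+)$")


def parse_run_keys(reg_query_output):
    """Parse `reg query ...\\Run` output into {value_name: command_line}."""
    entries = {}
    for line in reg_query_output.splitlines():
        m = RUN_LINE.match(line)
        if m:
            entries[m.group("name")] = m.group("data")
    return entries


def hunt_run_keys(entries):
    """Flag Run values whose name matches a config value (strong signal) or whose
    command line contains a configured install path (weaker: jusched.exe is
    also the legitimate Java updater, so path hits need a look at the directory)."""
    hits = []
    for name, cmd in entries.items():
        if name in RUN_VALUE_NAMES:
            hits.append(("run_value_name", name, cmd))
        elif any(frag in cmd.lower() for frag in INSTALL_PATH_FRAGMENTS):
            hits.append(("run_value_path", name, cmd))
    return hits


def hunt_connections(conn_log):
    """Match `pid host:port` lines against the configured C2 hosts."""
    hits = []
    for line in conn_log.splitlines():
        m = CONN_LINE.match(line.strip())
        if not m:
            continue
        host, port, pid = m.group("host").lower(), int(m.group("port")), int(m.group("pid"))
        if host not in C2_HOSTS:
            continue
        want = C2_HOSTS[host]
        if want is None or want == port:
            hits.append(("c2_connection", host, port, pid))
    return hits


def hunt_mutexes(handle_listing):
    """Look for the DarkComet mutex name anywhere in a handle/object listing."""
    return [("mutex", name) for name in MUTEX_NAMES if name in handle_listing]


def hunt_all(reg_query_output, conn_log, handle_listing):
    """Run every check and return the combined list of findings."""
    return (hunt_run_keys(parse_run_keys(reg_query_output))
            + hunt_connections(conn_log)
            + hunt_mutexes(handle_listing))


if __name__ == "__main__":
    for hit in hunt_all(SAMPLE_REG, SAMPLE_CONNS, SAMPLE_HANDLES):
        print(hit)
```

Two points the sample output makes: the legitimate `SunJavaUpdateSched` entry is flagged only because BlackNET's install_name reuses the Java updater's filename, so the Run value name (start_name, reg_key) and the AppData path are the pivots to trust; and the C2 check works on hostnames, so feed it DNS or proxy telemetry rather than `netstat`, which only shows the resolved IP.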
Targets
Target: 1732-89-0x0000000010560000-0x00000000105B1000-memory.dmp (the same 324KB dump listed under General above; MD5, SHA1, SHA256, SHA512 and SSDEEP are identical)
Signatures:
- BlackNET payload
- Modifies WinLogon for persistence
- NetWire RAT payload
- Downloads MZ/PE file
- Executes dropped EXE
- Stops running service(s)
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check
- Adds Run key to start application
- Suspicious use of SetThreadContext (the call used by process hollowing and similar injection to redirect a suspended thread to attacker-controlled code)
Three family labels on one region dump (BlackNET and DarkComet from extracted configs, NetWire from a signature only) deserve a manual check: a pattern match on a memory region is weaker evidence than a recovered config, so treat the NetWire attribution as unconfirmed until a NetWire config or C2 is recovered.