Overview

overview

10

Static

static

10

1732-89-0x...ry.exe

windows10-2004-x64

10

Resubmissions

27-11-2022 13:36

221127-qwjzlsbd92 10

27-11-2022 12:53

221127-p4mj2ahd68 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1732-89-0x0000000010560000-0x00000000105B1000-memory.dmp

  • Size

    324KB

  • Sample

    221127-qwjzlsbd92

  • MD5

    502f23821a675b1eeef88072cd7539e9

  • SHA1

    2b48a14d21a1184444f583234b7dbd5aa9f525b1

  • SHA256

    6be7c3ecbf8b4f6f80324c4238e6f78fd42a44087a5232f6e0f0a058b9cfa8cf

  • SHA512

    2d641a94b0295051ee96bac581d48c920296ba66afcdda33fd043b7fc5c89dbcef39bdcd017f7271837c799f06b3ead7a87cd1959051b680c3c7e2ddf5200373

  • SSDEEP

    6144:ucCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzcoeqqD95Ix:ucXiQfipPrb08rTj6+pGWqYx

Score
10/10
blacknetdarkcometnetwirebotguest16botnetevasionpersistenceratstealertrojanupx

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

Bot

C2

http://f0483357.xsph.ru/

Mutex

BN[PHfunXGI-6235724]

Attributes
  • antivm

    true

  • elevate_uac

    false

  • install_name

    jusched.exe

  • splitter

    |BN|

  • start_name

    a5b002eacf54590ec8401ff6d3f920ee

  • startup

    true

  • usb_spread

    true

Extracted

Family

darkcomet

Botnet

Guest16

C2

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes
  • InstallPath

    AudioDriver\taskhost.exe

  • gencode

    EWSsWwgyJrUD

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    AudioDriver

Targets

    • Target

      1732-89-0x0000000010560000-0x00000000105B1000-memory.dmp

    • Size

      324KB

    • MD5

      502f23821a675b1eeef88072cd7539e9

    • SHA1

      2b48a14d21a1184444f583234b7dbd5aa9f525b1

    • SHA256

      6be7c3ecbf8b4f6f80324c4238e6f78fd42a44087a5232f6e0f0a058b9cfa8cf

    • SHA512

      2d641a94b0295051ee96bac581d48c920296ba66afcdda33fd043b7fc5c89dbcef39bdcd017f7271837c799f06b3ead7a87cd1959051b680c3c7e2ddf5200373

    • SSDEEP

      6144:ucCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzcoeqqD95Ix:ucXiQfipPrb08rTj6+pGWqYx

    Score
    10/10
    blacknetdarkcometnetwirebotguest16botnetevasionpersistenceratstealertrojanupx

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

      trojanblacknet

    • BlackNET payload

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

      trojanratdarkcomet

    • Modifies WinLogon for persistence

      persistence

    • NetWire RAT payload

      rat

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

      botnetstealernetwire

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Stops running service(s)

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

1
T1562

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

5
T1082

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1
T1489

Tasks