Resubmissions

27-11-2022 13:36

221127-qwjzlsbd92 10

27-11-2022 12:53

221127-p4mj2ahd68 10

General

  • Target

    1732-89-0x0000000010560000-0x00000000105B1000-memory.dmp

  • Size

    324KB

  • Sample

    221127-qwjzlsbd92

  • MD5

    502f23821a675b1eeef88072cd7539e9

  • SHA1

    2b48a14d21a1184444f583234b7dbd5aa9f525b1

  • SHA256

    6be7c3ecbf8b4f6f80324c4238e6f78fd42a44087a5232f6e0f0a058b9cfa8cf

  • SHA512

    2d641a94b0295051ee96bac581d48c920296ba66afcdda33fd043b7fc5c89dbcef39bdcd017f7271837c799f06b3ead7a87cd1959051b680c3c7e2ddf5200373

  • SSDEEP

    6144:ucCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzcoeqqD95Ix:ucXiQfipPrb08rTj6+pGWqYx

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

Bot

C2

http://f0483357.xsph.ru/

Mutex

BN[PHfunXGI-6235724]

Attributes
  • antivm

    true

  • elevate_uac

    false

  • install_name

    jusched.exe

  • splitter

    |BN|

  • start_name

    a5b002eacf54590ec8401ff6d3f920ee

  • startup

    true

  • usb_spread

    true

Extracted

Family

darkcomet

Botnet

Guest16

C2

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes
  • InstallPath

    AudioDriver\taskhost.exe

  • gencode

    EWSsWwgyJrUD

  • install

    true

  • offline_keylogger

    true

  • persistence

    false

  • reg_key

    AudioDriver

Targets

    • Target

      1732-89-0x0000000010560000-0x00000000105B1000-memory.dmp

    • Size

      324KB

    • MD5

      502f23821a675b1eeef88072cd7539e9

    • SHA1

      2b48a14d21a1184444f583234b7dbd5aa9f525b1

    • SHA256

      6be7c3ecbf8b4f6f80324c4238e6f78fd42a44087a5232f6e0f0a058b9cfa8cf

    • SHA512

      2d641a94b0295051ee96bac581d48c920296ba66afcdda33fd043b7fc5c89dbcef39bdcd017f7271837c799f06b3ead7a87cd1959051b680c3c7e2ddf5200373

    • SSDEEP

      6144:ucCmiQfipBKWzkeHrb08rTj6aBpSYdS1wjzcoeqqD95Ix:ucXiQfipPrb08rTj6+pGWqYx

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET payload

    • Darkcomet

      DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

    • Modifies WinLogon for persistence

    • NetWire RAT payload

    • Netwire

      Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Stops running service(s)

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks