General
Target: 91c23be6780cd10b2f46371601701182302a0f214f8b01028def69aadee0410a
Size: 873KB
Sample: 230129-x7le5scd2w
MD5: 42b8b74ec77a26c89389fa1846b14ebc
SHA1: 53ee3acd6146cb982c0f5aa583d93ba961bd4d07
SHA256: 91c23be6780cd10b2f46371601701182302a0f214f8b01028def69aadee0410a
SHA512: 9572cb51e9d0b8a2175bfdcf603856d2951fc7c188ec0922b487b314cf6598a1421484338a3d0187ea0eca3a491ccd6ed19fcffea5ff553ac3119e096b9b2769
SSDEEP: 12288:GDJFGJ1MBqv6KOtAr7ClNpHaNGIr8QTBcRG8k6QDH:GDJFDw0hlNpH05r8KBcRK6YH
Static task: static1
Behavioral task: behavioral1
Sample: 91c23be6780cd10b2f46371601701182302a0f214f8b01028def69aadee0410a.exe
Resource: win7-20220812-en
Malware Config
Extracted
blacknet
v3.7.0 Public
WF6Fo4
http://185.239.242.77/fucku/getwrecked/fockbot/
BN[98f274ee7dffa0a483bf6aae80c1bed1]
antivm: false
elevate_uac: false
install_name: WindowsUpdate.exe
splitter: |BN|
start_name: e162b1333458a713bc6916cc8ac4110c
startup: false
usb_spread: true
Targets
Target: 91c23be6780cd10b2f46371601701182302a0f214f8b01028def69aadee0410a
Size: 873KB
MD5: 42b8b74ec77a26c89389fa1846b14ebc
SHA1: 53ee3acd6146cb982c0f5aa583d93ba961bd4d07
SHA256: 91c23be6780cd10b2f46371601701182302a0f214f8b01028def69aadee0410a
SHA512: 9572cb51e9d0b8a2175bfdcf603856d2951fc7c188ec0922b487b314cf6598a1421484338a3d0187ea0eca3a491ccd6ed19fcffea5ff553ac3119e096b9b2769
SSDEEP: 12288:GDJFGJ1MBqv6KOtAr7ClNpHaNGIr8QTBcRG8k6QDH:GDJFDw0hlNpH05r8KBcRK6YH
- BlackNET payload
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext