General

  • Target

    dadsroots.exe

  • Size

    391KB

  • Sample

    230525-mdm2rshc87

  • MD5

    964a8c4317b2449ce3b1ba42806e00ff

  • SHA1

    1bc9d7cc8dff6a6d3e9c46ff1c9966521e012b38

  • SHA256

    12acc28c683190195fccfea230f47491c084d01f5d5fa975ba82135e1d0c8fa7

  • SHA512

    73ab80afdee2a9d753d7a30bc8da25f28310451fdc7f4f510a7d32b9d999825205604f04e665290e17cd146892635750a16e3f6f7ae45cd509de3a0996569c45

  • SSDEEP

    12288:NozV+S8l6vJGRaIUyVVtERhJhY0YO60nz:Na+S3MMDJXeQz

Score
10/10

Malware Config

Extracted

  • Family

    blacknet

  • Version

    v3.6.0 Public

  • Botnet

    HacKed

  • C2

    http://bankslip.info/dadsroots/

  • Mutex

    BN[ZrDroiBx-5245469]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    a5b002eacf54590ec8401ff6d3f920ee

  • startup

    false

  • usb_spread

    false

Targets

    • Target

      dadsroots.exe

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry (T1012): 1 match

    System Information Discovery (T1082): 2 matches