blacknet | 2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02

Analysis

max time kernel
30s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

stub.exe
Size

102KB
MD5

e162b1333458a713bc6916cc8ac4110c
SHA1

7053e1ae3e60b42f9fb8850f8a727099530c8fcd
SHA256

2b3b8c1083bb3e4524b758a755cf17fbb352aa92d272912997bd0674365d6d02
SHA512

9a508117a757e4fcf192916641c77e26769e5939b6c3fa078fedad9a2821e24e69de0da74dd0cbff0309aa28cd813599dc261ded932a711dfdbb80c7ea3b353a
SSDEEP

3072:BW8APjq+thIi0nPFhBbxCTomsVQYcU363K75rVzQgWzeuyb1X4Lt/VYLl4ECizQh:A8APwPFhBbxCTomsVQYc463K75rVzNW1

Score

10^/10

blacknet [id]trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

[ID]

[HOST]

Mutex

[MUTEX]

Attributes

antivm
false
elevate_uac
false
install_name
[Install_Name]
splitter
[Splitter]
start_name
[StartupName]
startup
false
usb_spread
false

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

resource	yara_rule
behavioral1/memory/1124-54-0x0000000001090000-0x00000000010B0000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1124-54-0x0000000001090000-0x00000000010B0000-memory.dmp	disable_win_def

Program crash 1 IoCs

pid	pid_target	Process	procid_target
336	1124	WerFault.exe	26

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 336	1124	stub.exe	27
PID 1124 wrote to memory of 336	1124	stub.exe	27
PID 1124 wrote to memory of 336	1124	stub.exe	27

C:\Users\Admin\AppData\Local\Temp\stub.exe
"C:\Users\Admin\AppData\Local\Temp\stub.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1124 -s 612
  2⤵
  - Program crash
  PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1124-54-0x0000000001090000-0x00000000010B0000-memory.dmp

Filesize
128KB

Download
memory/1124-55-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download