Overview

overview

10

Static

static

1

URLScan

urlscan

1

http://92.18.218.116

windows10-2004-x64

10

Resubmissions

14-06-2023 17:56

230614-wh19macb9t 10

14-06-2023 17:55

230614-whq4nacb28 7

14-06-2023 17:15

230614-vsxthsbg45 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://92.18.218.116

  • Sample

    230614-vsxthsbg45

Score
10/10
blacknet[id]trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

[ID]

C2

[HOST]

Mutex

[MUTEX]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    [Install_Name]

  • splitter

    [Splitter]

  • start_name

    [StartupName]

  • startup

    false

  • usb_spread

    false

aes.plain

Targets

    • Target

      http://92.18.218.116

    Score
    10/10
    blacknet[id]trojan

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

      trojanblacknet

    • BlackNET payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks