Resubmissions

14-06-2023 17:56

230614-wh19macb9t 10

14-06-2023 17:55

230614-whq4nacb28 7

14-06-2023 17:15

230614-vsxthsbg45 10

General

  • Target

    http://92.18.218.116

  • Sample

    230614-vsxthsbg45

Score
10/10

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

[ID]

C2

[HOST]

Mutex

[MUTEX]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    [Install_Name]

  • splitter

    [Splitter]

  • start_name

    [StartupName]

  • startup

    false

  • usb_spread

    false

aes.plain

Targets

    • Target

      http://92.18.218.116

    Score
    10/10
    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v6

Tasks