General

  • Target

    97cb3fda3cff430377a866d6b437de8f

  • Size

    220KB

  • Sample

    231227-abpflagdar

  • MD5

    97cb3fda3cff430377a866d6b437de8f

  • SHA1

    2359c8459c1e1dd133c2842b51d2982e63016f92

  • SHA256

    e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a

  • SHA512

    e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f

  • SSDEEP

    3072:alaJEgEXbfa9K4Em8wNBiXMhDJv7WehI2135eDRCyqTp0FUSVBOHfHAXTRsPCgfr:BEg4S9KqiSJvthI25ebqqBOKTRsaj2e

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Bot

C2

http://furyx.de/panel

Mutex

BN[c1916af6f3a468e5b6f5c7f6b9c78982]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    e162b1333458a713bc6916cc8ac4110c

  • startup

    false

  • usb_spread

    true

aes.plain

Targets

    • Target

      97cb3fda3cff430377a866d6b437de8f

    • Size

      220KB

    • MD5

      97cb3fda3cff430377a866d6b437de8f

    • SHA1

      2359c8459c1e1dd133c2842b51d2982e63016f92

    • SHA256

      e6507f36045c13dee736bea44d61e90169ea69de61e9dc50b5743960c5b8f85a

    • SHA512

      e192d3afaa093b5b11643aafefa8192cfeb79e5f284e6c757532fd3e2a4a93970f5f8d54b0e983b4c406ced46aee04a99c186f31ff321f9292c51587603c630f

    • SSDEEP

      3072:alaJEgEXbfa9K4Em8wNBiXMhDJv7WehI2135eDRCyqTp0FUSVBOHfHAXTRsPCgfr:BEg4S9KqiSJvthI25ebqqBOKTRsaj2e

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET payload

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Modifies Windows Defender Real-time Protection settings

    • UAC bypass

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that decides whether the bot runs on this host.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Windows security modification

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
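The behaviours flagged above (Defender policy values flipped, a Run key pointing at the configured install name, a registry lookup of the machine's country code, the BN[...] mutex and the panel URL) can be turned into detection logic. The block below is an added example, not code from the sandbox report or from BlackNET: it runs a small rule set over constructed, Sysmon-style registry/mutex/HTTP events (the events and the event-dict shape are made up for the example). The Defender policy value names are the well-known HKLM\SOFTWARE\Policies\Microsoft\Windows Defender values; the assumption that the mutex always has the shape BN[<32 hex>] is generalised from the single sample on this page.

```python
import re

# Indicators copied from the extracted config on this page.
C2_HOST = "furyx.de"
INSTALL_NAME = "windowsupdate.exe"
# Assumption: the mutex keeps the "BN[<32 hex chars>]" shape seen in this sample.
MUTEX_RE = re.compile(r"^BN\[[0-9a-f]{32}\]$", re.I)

# Well-known Defender policy values that "disable Defender" routines set to 1.
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
DEFENDER_DISABLE_VALUES = {
    DEFENDER_POLICY + r"\disableantispyware",
    DEFENDER_POLICY + r"\real-time protection\disablerealtimemonitoring",
    DEFENDER_POLICY + r"\real-time protection\disablebehaviormonitoring",
    DEFENDER_POLICY + r"\real-time protection\disableonaccessprotection",
    DEFENDER_POLICY + r"\real-time protection\disableioavprotection",
    DEFENDER_POLICY + r"\real-time protection\disablescanonrealtimeenable",
}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)
GEO_NATION_RE = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)
# Run entries under these directories are not flagged on location alone.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _dword_is_one(details: str) -> bool:
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return True for value 1."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return bool(m) and int(m.group(1), 16) == 1


def analyze(events):
    """Return (event_index, technique_or_tag, description) for each hit.

    Event dicts are a constructed shape for this example:
      regset:   target, details      regquery: target
      mutex:    name                 http:     host, path
    """
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("type")
        if kind == "regset":
            target = ev["target"].lower()
            details = ev.get("details", "")
            if target in DEFENDER_DISABLE_VALUES and _dword_is_one(details):
                findings.append((i, "T1562.001", f"Defender disabled via {ev['target']}"))
            elif RUN_KEY_RE.search(target):
                image = details.strip().strip('"').lower()
                outside_trusted = not image.startswith(TRUSTED_DIRS)
                if outside_trusted or image.endswith("\\" + INSTALL_NAME):
                    findings.append((i, "T1547.001", f"Run key -> {details}"))
        elif kind == "regquery" and GEO_NATION_RE.search(ev["target"]):
            findings.append((i, "T1082", "Geo\\Nation lookup (possible geofence check)"))
        elif kind == "mutex" and MUTEX_RE.match(ev["name"]):
            findings.append((i, "BlackNET", f"mutex {ev['name']}"))
        elif kind == "http" and ev["host"].lower() == C2_HOST:
            findings.append((i, "C2", f"contact {ev['host']}{ev.get('path', '')}"))
    return findings


def techniques(findings):
    """Distinct technique IDs / tags hit, for a quick ATT&CK summary."""
    return sorted({t for _, t, _ in findings})


# Constructed events: a mix of the report's behaviours and benign noise.
SAMPLE_EVENTS = [
    {"type": "regset",
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
    {"type": "regset",  # same value reset to 0 by an admin: must not fire
     "target": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000000)"},
    {"type": "regset",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "details": r"C:\Users\victim\AppData\Roaming\WindowsUpdate.exe"},
    {"type": "regset",  # benign Run entry under System32: must not fire
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"type": "regquery", "target": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "mutex", "name": "BN[c1916af6f3a468e5b6f5c7f6b9c78982]"},
    {"type": "mutex", "name": "Global\\SomeBenignMutex"},
    {"type": "http", "host": "furyx.de", "path": "/panel"},
]

if __name__ == "__main__":
    for idx, tech, desc in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {tech}: {desc}")
    print("techniques:", techniques(analyze(SAMPLE_EVENTS)))
```

The Defender rule deliberately requires the DWORD to be 1, so a policy being reset does not register as tampering, and the Run-key rule fires on either an untrusted location or the configured install name, so a copy placed somewhere unexpected is still caught.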

MITRE ATT&CK Matrix (ATT&CK v13)

Each technique is listed as: name (number of matching signatures) technique ID; sub-techniques are indented under their parent.

Execution
  • Scheduled Task/Job (1)  T1053

Persistence
  • Create or Modify System Process (1)  T1543
      Windows Service (1)  T1543.003
  • Boot or Logon Autostart Execution (1)  T1547
      Registry Run Keys / Startup Folder (1)  T1547.001
  • Scheduled Task/Job (1)  T1053

Privilege Escalation
  • Create or Modify System Process (1)  T1543
      Windows Service (1)  T1543.003
  • Abuse Elevation Control Mechanism (1)  T1548
      Bypass User Account Control (1)  T1548.002
  • Boot or Logon Autostart Execution (1)  T1547
      Registry Run Keys / Startup Folder (1)  T1547.001
  • Scheduled Task/Job (1)  T1053

Defense Evasion
  • Modify Registry (5)  T1112
  • Impair Defenses (3)  T1562
      Disable or Modify Tools (3)  T1562.001
  • Abuse Elevation Control Mechanism (1)  T1548
      Bypass User Account Control (1)  T1548.002

Discovery
  • Query Registry (2)  T1012
  • System Information Discovery (2)  T1082
  • Remote System Discovery (1)  T1018

Tasks