blacknet | 14490c9c139e9bc984781f8143a571e1f1f140c69a7cd12c34fc0bf20abb0889

Analysis

max time kernel
90s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-01-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.1MB
MD5

baa73a9b35bf02d8c56a1286bcd2d714
SHA1

a179259548f9e81b65126130342f5b076c8b8a77
SHA256

14490c9c139e9bc984781f8143a571e1f1f140c69a7cd12c34fc0bf20abb0889
SHA512

02f75dafbd6cabc107fd681d0cc65991b0a21b16b713fba77db4928e78f1da23474ddb4535f8280dc56186da90e41adc7ad8b10ffde2d0b18ff494273021d644
SSDEEP

12288:DCwHtUz0qTqcXrwV+XinIBLAx9gKupscZ0PpHTzY8QGWlCL8K7XLlq95ZPFdmUG/:DCwHybsV/IOv6scZ0BzUfCz3+zsw8YS

Score

10^/10

blacknet zgrat hacked persistence rat trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

HacKed

http://190.123.44.240

Mutex

BN[]

Attributes

antivm
false
elevate_uac
false
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
true
usb_spread
false

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 2 IoCs

resource	yara_rule
behavioral1/memory/2528-958-0x0000000000400000-0x000000000041E000-memory.dmp	family_blacknet
behavioral1/memory/2172-1929-0x0000000000430000-0x0000000000470000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/2528-958-0x0000000000400000-0x000000000041E000-memory.dmp	disable_win_def
behavioral1/memory/2172-1929-0x0000000000430000-0x0000000000470000-memory.dmp	disable_win_def

Detect ZGRat V1 34 IoCs

resource	yara_rule
behavioral1/memory/2536-4-0x00000000047F0000-0x000000000488E000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-5-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-6-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-8-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-10-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-12-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-14-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-16-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-18-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-20-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-22-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-24-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-26-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-28-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-30-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-32-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-34-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-36-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-38-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-40-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-42-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-44-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-46-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-48-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-50-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-52-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-54-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-56-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-58-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-60-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-62-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-64-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-66-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1
behavioral1/memory/2536-68-0x00000000047F0000-0x0000000004889000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sksewdjj.vbs	tmp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sksewdjj.vbs	WindowsUpdate.exe

Executes dropped EXE 2 IoCs

pid	Process
2312	WindowsUpdate.exe
2172	WindowsUpdate.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	tmp.exe
2312	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp.exe"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MyClient\\WindowsUpdate.exe"	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\e162b1333458a713bc6916cc8ac4110c = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\MyClient\\WindowsUpdate.exe"	WindowsUpdate.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2536 set thread context of 2528	2536	tmp.exe	28
PID 2312 set thread context of 2172	2312	WindowsUpdate.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2528	tmp.exe
2528	tmp.exe
2172	WindowsUpdate.exe
2172	WindowsUpdate.exe
2172	WindowsUpdate.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	tmp.exe
Token: SeDebugPrivilege	2528	tmp.exe
Token: SeDebugPrivilege	2312	WindowsUpdate.exe
Token: SeDebugPrivilege	2172	WindowsUpdate.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2528	tmp.exe
2528	tmp.exe
2172	WindowsUpdate.exe
2172	WindowsUpdate.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2528	2536	tmp.exe	28
PID 2536 wrote to memory of 2528	2536	tmp.exe	28
PID 2536 wrote to memory of 2528	2536	tmp.exe	28
PID 2536 wrote to memory of 2528	2536	tmp.exe	28
PID 2536 wrote to memory of 2528	2536	tmp.exe	28
PID 2536 wrote to memory of 2528	2536	tmp.exe	28
PID 2536 wrote to memory of 2528	2536	tmp.exe	28
PID 2536 wrote to memory of 2528	2536	tmp.exe	28
PID 2536 wrote to memory of 2528	2536	tmp.exe	28
PID 2528 wrote to memory of 2312	2528	tmp.exe	32
PID 2528 wrote to memory of 2312	2528	tmp.exe	32
PID 2528 wrote to memory of 2312	2528	tmp.exe	32
PID 2528 wrote to memory of 2312	2528	tmp.exe	32
PID 2528 wrote to memory of 2312	2528	tmp.exe	32
PID 2528 wrote to memory of 2312	2528	tmp.exe	32
PID 2528 wrote to memory of 2312	2528	tmp.exe	32
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33
PID 2312 wrote to memory of 2172	2312	WindowsUpdate.exe	33

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  C:\Users\Admin\AppData\Local\Temp\tmp.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sksewdjj.vbs

Filesize
83B

MD5
1bda7ff3ab57ee35f078aeb89c17198b

SHA1
dd1837e07192a78e9d21ec4055dc0dcd1ac9937a

SHA256
13abe05c8ea57d6976dd03a9089c744e1e156e54e4a0377580f5be181be94869

SHA512
f70f52ad8a7693318bb7332dd2c9a22f8707994fe77aeb15a5694b93df33960f4dc3806a32e137c7d1544a534816e75c1b7c8fab317bb04e59c1df6d7d028723

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\MyClient\WindowsUpdate.exe

Filesize
1.1MB

MD5
baa73a9b35bf02d8c56a1286bcd2d714

SHA1
a179259548f9e81b65126130342f5b076c8b8a77

SHA256
14490c9c139e9bc984781f8143a571e1f1f140c69a7cd12c34fc0bf20abb0889

SHA512
02f75dafbd6cabc107fd681d0cc65991b0a21b16b713fba77db4928e78f1da23474ddb4535f8280dc56186da90e41adc7ad8b10ffde2d0b18ff494273021d644

Download Submit
memory/2172-1933-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/2172-1932-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-1931-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/2172-1930-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/2172-1929-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/2172-1928-0x0000000074750000-0x0000000074E3E000-memory.dmp

Filesize
6.9MB

Download
memory/2312-1908-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2312-1909-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2312-974-0x00000000004B0000-0x00000000004F0000-memory.dmp

Filesize
256KB

Download
memory/2312-971-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2312-970-0x00000000010D0000-0x00000000011F8000-memory.dmp

Filesize
1.2MB

Download
memory/2312-1924-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2528-958-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2528-1004-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2528-1002-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2528-972-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2528-961-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2528-960-0x0000000004910000-0x0000000004950000-memory.dmp

Filesize
256KB

Download
memory/2528-959-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-26-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-941-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2536-40-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-42-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-44-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-46-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-48-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-50-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-52-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-54-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-56-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-58-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-60-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-62-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-64-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-66-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-68-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-937-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2536-938-0x0000000004E50000-0x0000000004E86000-memory.dmp

Filesize
216KB

Download
memory/2536-939-0x0000000004E90000-0x0000000004EDC000-memory.dmp

Filesize
304KB

Download
memory/2536-940-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-38-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-954-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download
memory/2536-36-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-34-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-32-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-30-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-28-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-0-0x00000000002C0000-0x00000000003E8000-memory.dmp

Filesize
1.2MB

Download
memory/2536-24-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-22-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-20-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-18-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-16-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-14-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-12-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-10-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-8-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-6-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-5-0x00000000047F0000-0x0000000004889000-memory.dmp

Filesize
612KB

Download
memory/2536-4-0x00000000047F0000-0x000000000488E000-memory.dmp

Filesize
632KB

Download
memory/2536-3-0x0000000004280000-0x000000000431E000-memory.dmp

Filesize
632KB

Download
memory/2536-2-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2536-1-0x00000000747D0000-0x0000000074EBE000-memory.dmp

Filesize
6.9MB

Download