blacknet | 51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

Analysis

max time kernel
5s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
22-06-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinlockerBuilderv5.exe
Size

11.0MB
MD5

5891817266ffedc10d4a84a3bd483239
SHA1

b59d365a91b50ec55ccc1c1b2a70cbf858382aa3
SHA256

51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465
SHA512

517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23
SSDEEP

49152:VEdISABBHJtTPSfon8ElC8exQ5ekWtoy/WnwTua+V1ISCezf/rs6kLrHKOWHWq6r:VEd9

Score

10^/10

blacknet darkcomet bot guest16 persistence rat trojan upx

Malware Config

Extracted

Family

blacknet

Version

v3.6.0 Public

Botnet

Bot

http://f0483357.xsph.ru/

Mutex

BN[PHfunXGI-6235724]

Attributes

antivm
true
elevate_uac
false
install_name
jusched.exe
splitter
|BN|
start_name
a5b002eacf54590ec8401ff6d3f920ee
startup
true
usb_spread
true

Extracted

Family

darkcomet

Botnet

Guest16

gameservice.ddns.net:4320

Mutex

DC_MUTEX-WBUNVXD

Attributes

InstallPath
AudioDriver\taskhost.exe
gencode
EWSsWwgyJrUD
install
true
offline_keylogger
true
persistence
false
reg_key
AudioDriver

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023458-32.dat	family_blacknet

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinlockerBuilderv5.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	WinlockerBuilderv5.exe

Executes dropped EXE 1 IoCs

Processes:

svshost.exe

pid	Process
4788	svshost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0007000000023452-156.dat	upx
behavioral1/memory/4940-171-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4940-183-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4940-186-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/4940-188-0x0000000000400000-0x0000000000C89000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WinlockerBuilderv5.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinlockerBuilderv5.exe"	WinlockerBuilderv5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a5b002eacf54590ec8401ff6d3f920ee = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\jusched.exe"	WinlockerBuilderv5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

WinlockerBuilderv5.exe

pid	Process
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WinlockerBuilderv5.exe

description	pid	Process
Token: SeDebugPrivilege	3068	WinlockerBuilderv5.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WinlockerBuilderv5.exe

pid	Process
3068	WinlockerBuilderv5.exe
3068	WinlockerBuilderv5.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WinlockerBuilderv5.exe

description	pid	Process	procid_target
PID 3068 wrote to memory of 4788	3068	WinlockerBuilderv5.exe	90
PID 3068 wrote to memory of 4788	3068	WinlockerBuilderv5.exe	90
PID 3068 wrote to memory of 4788	3068	WinlockerBuilderv5.exe	90

C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
"C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\svshost.exe
  "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
  2⤵
  - Executes dropped EXE
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
    "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
    3⤵
    PID:4220
- - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
    "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
    3⤵
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      PID:4088
    - - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        5⤵
        
        PID:988
      - C:\Users\Admin\Documents\AudioDriver\taskhost.exe
        
        "C:\Users\Admin\Documents\AudioDriver\taskhost.exe"
        6⤵
        
        PID:2588
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe"
  2⤵
  PID:1084
- - C:\Users\Admin\AppData\Local\Temp\svshost.exe
    "C:\Users\Admin\AppData\Local\Temp\svshost.exe"
    3⤵
    PID:3948
  - - C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe
      "C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe"
      4⤵
      PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
      "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
      4⤵
      PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe
        
        "C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe"
        5⤵
        
        PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\WinlockerBuilderv5.exe.log

Filesize
866B

MD5
d7d09fe4ff702ba9f25d5f48923708b6

SHA1
85ce2b7a1c9a4c3252fc9f471cf13ad50ad2cf65

SHA256
ae5b9b53869ba7b6bf99b07cb09c9ce9ff11d4abbbb626570390f9fba4f6f462

SHA512
500a313cc36a23302763d6957516640c981da2fbab691c8b66518f5b0051e25dfb1b09449efff526eab707fa1be36ef9362286869c82b3800e42d2d8287ef1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\jusched.exe

Filesize
11.0MB

MD5
5891817266ffedc10d4a84a3bd483239

SHA1
b59d365a91b50ec55ccc1c1b2a70cbf858382aa3

SHA256
51c45fb238881bd25fd7435d8b8e44eee9cc56887a56a7e5f5bdef8ec8392465

SHA512
517c5d785f069ce566c1d89fcc998968a5cdfc6d85bcc7e42cc2e720b4be9b543065cc1c7967635948595fdbb4af3fc7714c8b90aa6035953bca40cba7272c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinlockerBuilderv5.exe

Filesize
3.0MB

MD5
0df533cb9a581de63e3522954a681603

SHA1
be46afa245289e0d9a84bd1fd1faea8d8c96da5e

SHA256
e3570b276e526f6fb6a289da32583b36cfbd98ec2f59d09c0243fbd0fc0805a3

SHA512
c973e3a8476879dad79f8b37f476d379b90f27cf64ecd359256df94fb811d69226dc50d1e8168d34787cc2d6abf407d8097e37cd60155650dad007a68263661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svshost.exe

Filesize
4.0MB

MD5
2df0daacf8be5126ddbaa7ba9a83be58

SHA1
0889fcd78f5bf71ca04280fe97b7507b6b114ba3

SHA256
0936e508e142466b6d83e49b27513be2207822f91ac2d038023a86d6ccd29b2a

SHA512
0348f7511803198d5d81b10bac08b9e9e79bfd1d193c9a72b1bf3883bd49d18ec21a998e4a056206fac539c73843b31c10437838eb38746bd062e682f2df120e

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx_compresser.exe

Filesize
1.1MB

MD5
0d833c6509f350e0a15492597df2bda6

SHA1
1f77b7eb4410f6e1c0e0f7b971a3c98b3f0a5f9f

SHA256
d280fdf95c57cba365c15fc9c6371ada79734480812497c2244246cfdac52ca7

SHA512
9e7ec8f4a756a2546c64850e0ca390788b9817984c1a91af55ffddfd3a010d7629478c2665c03a8a15d46377d66223f6937ac9d8d3d6bda5f9a1ee549ef16118

Download Submit
memory/988-138-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/1084-193-0x00007FFC3D100000-0x00007FFC3DAA1000-memory.dmp

Filesize
9.6MB

Download
memory/1084-35-0x00007FFC3D100000-0x00007FFC3DAA1000-memory.dmp

Filesize
9.6MB

Download
memory/1152-56-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/1624-178-0x0000000000400000-0x000000000052A000-memory.dmp

Filesize
1.2MB

Download
memory/1820-180-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-187-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-182-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-208-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-206-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-202-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-200-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-198-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-196-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-194-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-189-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-184-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-141-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2588-140-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3068-2-0x00007FFC3D100000-0x00007FFC3DAA1000-memory.dmp

Filesize
9.6MB

Download
memory/3068-52-0x00007FFC3D100000-0x00007FFC3DAA1000-memory.dmp

Filesize
9.6MB

Download
memory/3068-10-0x00007FFC3D100000-0x00007FFC3DAA1000-memory.dmp

Filesize
9.6MB

Download
memory/3068-3-0x000000001CCC0000-0x000000001D18E000-memory.dmp

Filesize
4.8MB

Download
memory/3068-11-0x000000001E850000-0x000000001E8B2000-memory.dmp

Filesize
392KB

Download
memory/3068-9-0x00007FFC3D100000-0x00007FFC3DAA1000-memory.dmp

Filesize
9.6MB

Download
memory/3068-8-0x00007FFC3D100000-0x00007FFC3DAA1000-memory.dmp

Filesize
9.6MB

Download
memory/3068-5-0x00007FFC3D100000-0x00007FFC3DAA1000-memory.dmp

Filesize
9.6MB

Download
memory/3068-7-0x000000001D300000-0x000000001D34C000-memory.dmp

Filesize
304KB

Download
memory/3068-0-0x00007FFC3D3B5000-0x00007FFC3D3B6000-memory.dmp

Filesize
4KB

Download
memory/3068-4-0x000000001D230000-0x000000001D2CC000-memory.dmp

Filesize
624KB

Download
memory/3068-6-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/3068-1-0x000000001C6A0000-0x000000001C746000-memory.dmp

Filesize
664KB

Download
memory/4088-53-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4088-55-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4088-142-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/4940-188-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4940-186-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4940-183-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4940-171-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download