blacknet | 72982e83206930e2da3f4887ef09520fbf6937f9475f34620c6a78843c640a65

General

Target

svchost.exe
Size

116KB
MD5

67289188208c899195083547187789c9
SHA1

bb8893801bd0b9ff3abc2e3280b6b0cad479bec9
SHA256

72982e83206930e2da3f4887ef09520fbf6937f9475f34620c6a78843c640a65
SHA512

78e77f8163f4d3bc636c4ea5a1df61c63f0aa01088039c50a5bd31a410568c4aa1b8c744bf0d52c0e906de0df4b2f05c9953fac6596caaf33464136ca3680040
SSDEEP

3072:hAohOst+5w1h5w/oV9wRKyfKW63beFEKymFnaa:yGJ71oRPfKWybiQ

Score

10^/10

blacknet ydt6vl evasion trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Ydt6Vl

C2

http://91.92.242.16/Panel/

Mutex

BN[]

Attributes

antivm
true
elevate_uac
true
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
true
usb_spread
true

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2976-1-0x0000000000EF0000-0x0000000000F12000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral1/memory/2976-1-0x0000000000EF0000-0x0000000000F12000-memory.dmp	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

svchost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	svchost.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exepowershell.exe

pid	Process
2976	svchost.exe
2976	svchost.exe
2976	svchost.exe
2492	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2976	svchost.exe
Token: SeDebugPrivilege	2492	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exe

pid	Process
2976	svchost.exe
2976	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

svchost.exe

description	pid	Process	procid_target
PID 2976 wrote to memory of 2492	2976	svchost.exe	31
PID 2976 wrote to memory of 2492	2976	svchost.exe	31
PID 2976 wrote to memory of 2492	2976	svchost.exe	31
PID 2976 wrote to memory of 2076	2976	svchost.exe	33
PID 2976 wrote to memory of 2076	2976	svchost.exe	33
PID 2976 wrote to memory of 2076	2976	svchost.exe	33

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2976 -s 976
  2⤵
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2492-9-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2492-10-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2976-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2976-1-0x0000000000EF0000-0x0000000000F12000-memory.dmp

Filesize
136KB

Download
memory/2976-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-3-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-4-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-11-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2976-12-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads