blacknet | 72982e83206930e2da3f4887ef09520fbf6937f9475f34620c6a78843c640a65

Analysis

max time kernel
134s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-08-2024 05:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

116KB
MD5

67289188208c899195083547187789c9
SHA1

bb8893801bd0b9ff3abc2e3280b6b0cad479bec9
SHA256

72982e83206930e2da3f4887ef09520fbf6937f9475f34620c6a78843c640a65
SHA512

78e77f8163f4d3bc636c4ea5a1df61c63f0aa01088039c50a5bd31a410568c4aa1b8c744bf0d52c0e906de0df4b2f05c9953fac6596caaf33464136ca3680040
SSDEEP

3072:hAohOst+5w1h5w/oV9wRKyfKW63beFEKymFnaa:yGJ71oRPfKWybiQ

Score

10^/10

blacknet ydt6vl trojan

Malware Config

Extracted

Family

blacknet

Version

v3.7.0 Public

Botnet

Ydt6Vl

http://91.92.242.16/Panel/

Mutex

BN[]

Attributes

antivm
true
elevate_uac
true
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
e162b1333458a713bc6916cc8ac4110c
startup
true
usb_spread
true

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4740-1-0x0000000000130000-0x0000000000152000-memory.dmp	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/4740-1-0x0000000000130000-0x0000000000152000-memory.dmp	disable_win_def

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

svchost.exepowershell.exe

pid	Process
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
4740	svchost.exe
5028	powershell.exe
5028	powershell.exe
5028	powershell.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

Processes:

svchost.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	4740	svchost.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeIncreaseQuotaPrivilege	5028	powershell.exe
Token: SeSecurityPrivilege	5028	powershell.exe
Token: SeTakeOwnershipPrivilege	5028	powershell.exe
Token: SeLoadDriverPrivilege	5028	powershell.exe
Token: SeSystemProfilePrivilege	5028	powershell.exe
Token: SeSystemtimePrivilege	5028	powershell.exe
Token: SeProfSingleProcessPrivilege	5028	powershell.exe
Token: SeIncBasePriorityPrivilege	5028	powershell.exe
Token: SeCreatePagefilePrivilege	5028	powershell.exe
Token: SeBackupPrivilege	5028	powershell.exe
Token: SeRestorePrivilege	5028	powershell.exe
Token: SeShutdownPrivilege	5028	powershell.exe
Token: SeDebugPrivilege	5028	powershell.exe
Token: SeSystemEnvironmentPrivilege	5028	powershell.exe
Token: SeRemoteShutdownPrivilege	5028	powershell.exe
Token: SeUndockPrivilege	5028	powershell.exe
Token: SeManageVolumePrivilege	5028	powershell.exe
Token: 33	5028	powershell.exe
Token: 34	5028	powershell.exe
Token: 35	5028	powershell.exe
Token: 36	5028	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exe

pid	Process
4740	svchost.exe
4740	svchost.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

svchost.exe

description	pid	Process	procid_target
PID 4740 wrote to memory of 5028	4740	svchost.exe	72
PID 4740 wrote to memory of 5028	4740	svchost.exe	72

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zp1ahm1y.o2y.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/4740-1-0x0000000000130000-0x0000000000152000-memory.dmp

Filesize
136KB

Download
memory/4740-2-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/4740-3-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/4740-4-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/4740-52-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/4740-0-0x00007FFAB0573000-0x00007FFAB0574000-memory.dmp

Filesize
4KB

Download
memory/5028-10-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/5028-12-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/5028-15-0x0000013972260000-0x00000139722D6000-memory.dmp

Filesize
472KB

Download
memory/5028-11-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/5028-51-0x00007FFAB0570000-0x00007FFAB0F5C000-memory.dmp

Filesize
9.9MB

Download
memory/5028-9-0x00000139720B0000-0x00000139720D2000-memory.dmp

Filesize
136KB

Download