blacknet | 7319656b4c5c0f3c42526657e96c0732322806d7824e992baa4b816a525aae98

Sharing

Copy URL

Twitter E-mail

General

Target

Botnets_PACK.rar
Size

27.5MB
Sample

240809-yh5m6axcpj
MD5

7f67e9cf1dcc327ad7e803a3dd231240
SHA1

07299577a233926f05ffe631ccc406169d61d422
SHA256

7319656b4c5c0f3c42526657e96c0732322806d7824e992baa4b816a525aae98
SHA512

ba8bd26f94a93e6d60e291c7fab25e86c8a06b7b9e97ed6ce4395f18023bf28019cc4e214b575098682ee03ce79e0f8779f8a1c119baecd4d0d660fd39228611
SSDEEP

786432:GZEVR+Fvw+e0pq8+wlWEm0/xkpHQfkklf:/qvw5F8+wlbCokE

Score

10^/10

blacknet [id]defense_evasion discovery execution persistence upx

Malware Config

Extracted

Family

blacknet

Botnet

[ID]

[HOST]

Mutex

[MUTEX]

Attributes

antivm
false
elevate_uac
false
install_name
[Install_Name]
splitter
|BN|
start_name
[StartupName]
startup
false
usb_spread
false

Targets

- Target
  
  Botnets PACK/Botnets PACK/Amadey Cracked/Amadey Cracked [XakFor.Net].exe
- Size
  
  190KB
- MD5
  
  d180c2e26b269d60a7cb1152f69c96bf
- SHA1
  
  16d0b057534d3cb3e8d64f52a8494a6aed7de8f0
- SHA256
  
  e1a950457b39e3a5f3db736dfc035fbe8a14c297427c39b384877dd6dde65498
- SHA512
  
  ee097c198e784960c8da9e6ae1c72ce1be92bf2487cfa2465757f77828dc398e067773488c46b761fd08faa701e73437fda55dcef594d54bf44c371dc6696548
- SSDEEP
  
  1536:M4lvePmo1wWjlJ3X74/xopu/DnvjL0Cp/n0ams0T:M4lv4wWjlJ3rIxoWvj5x0ams0T
Score

8^/10

discovery execution persistence defense_evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  Botnets PACK/Botnets PACK/Amadey Cracked/d3d9.dll
- Size
  
  1.8MB
- MD5
  
  00a77dc70009944164236c684ef2f5a2
- SHA1
  
  500a78419f1b5c108a7fb0100541788bad7cf872
- SHA256
  
  e155998af14b356811ad66def369c44a10c63125df140ed45489117a8f111246
- SHA512
  
  ebf2e40fbc7f6123a5cf8582c3442f050c1c8991f48c6e3aabb0ec281dcb88c94427876d1c18aa75828dce20a200d2737c393c9d2d470a376145921d75da9036
- SSDEEP
  
  49152:yDeYbaNLwXTVZHq84Vuq1A2jezQ9byloL+R1pMg:o6UXTVZvsu/0u
Score

1^/10
behavioral3
- Target
  
  Botnets PACK/Botnets PACK/Amadey Cracked/xpti/Ionic.Zip.dll
- Size
  
  480KB
- MD5
  
  f6933bf7cee0fd6c80cdf207ff15a523
- SHA1
  
  039eeb1169e1defe387c7d4ca4021bce9d11786d
- SHA256
  
  17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89
- SHA512
  
  88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6
- SSDEEP
  
  6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9
Score

1^/10
behavioral4 behavioral5
- Target
  
  Botnets PACK/Botnets PACK/Amadey Cracked/xpti/Launcher.exe
- Size
  
  53KB
- MD5
  
  c6d4c881112022eb30725978ecd7c6ec
- SHA1
  
  ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
- SHA256
  
  0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
- SHA512
  
  3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
- SSDEEP
  
  768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral6 behavioral7
- Target
  
  Botnets PACK/Botnets PACK/Amadey Cracked/xpti/svg.exe
- Size
  
  2.5MB
- MD5
  
  3168a31552404661098af0156860f0c0
- SHA1
  
  9c10beb703314d0c8843ba7a3c988f793d55e422
- SHA256
  
  2a0546c07c3831073b3b1b83866c63150d56638358e20d8a5247417de1efa4ff
- SHA512
  
  3a3c93f4ccf441c7b86d2aae33ba636c975fb38ce14c62653f2c4606312a1259aba21d11a44ad5164d36fbc6ad136e12f9158971c26866568582111b95a98f6c
- SSDEEP
  
  49152:p7inIOY/BoiU2oyNiAbnblJwSinj+BxpEiixfXuwlp:ATF0LDjwSkgxeXv
Score

3^/10

discovery
behavioral8 behavioral9
- Target
  
  Botnets PACK/Botnets PACK/Atmos BOTNET Builder/NetUtil.jsm
- Size
  
  7KB
- MD5
  
  b458d001855cafbfa1357dd5f78522e3
- SHA1
  
  f1a9733823ea847b034d6a5dccc5576c5099b9c3
- SHA256
  
  27e0d54b541e1085e762c1f6ff2a6afedb168e413e31225c400084a1d6bd48aa
- SHA512
  
  d3ac098ae78ab6ac2084c4c3e3e4925ed2237998c0c7d67aeca193cab6b494afc56a066596b47e1e571aeda3c7392cc385eeb1241251da761b987c6012d32e65
- SSDEEP
  
  192:qHETb7SFt9yumwhDaZZm+l3O54CWbKJPXL1fR:Ut9yumwhD6Dl3OebO1R
Score

3^/10

execution
behavioral10 behavioral11
- Target
  
  Botnets PACK/Botnets PACK/Atmos BOTNET Builder/RuriLib.dll
- Size
  
  213KB
- MD5
  
  8b12cb7b76e7bd1f7589dab6d872efc8
- SHA1
  
  2228815cb7f0e457c0e9f90660abcd932024b3e5
- SHA256
  
  8ad36063949e5beb89b713c53ab696a6c4f83ca8e4dcc7c5da4a2397287cfe28
- SHA512
  
  8c8200a565a7fc233cf3461971507e0481ca80f9940593f16c64aceb1328173877de4d1436864934e70a4b9695ed9271d6891f56a444fac2d93b16718c66552a
- SSDEEP
  
  3072:C1I/+gDDlavmvEkZRiK6Q1xOnPsEn2td0CpBZzQXX9/MeUd27VLTX:6kfvEuRiK9C8d0MZUH9/X
Score

1^/10
behavioral12 behavioral13
- Target
  
  Botnets PACK/Botnets PACK/Atmos BOTNET Builder/atmos_weber.exe
- Size
  
  186KB
- MD5
  
  1a75f15752788e96744795be74f8714f
- SHA1
  
  0d96e1ce4d84f28929561115993c4c3224099e3b
- SHA256
  
  814a2d9eed0b7f6a34f278a667b93cf2f44f311e60b5c2a95a2fe0cc78145e32
- SHA512
  
  2ca652f26710a7f2ca771683b28e5470e6ccf328cab5a2053b9c0ee262e19e810d6a9ecf29e91808ca653d20bb6244baa1912c2d92da362485db0c076d1332c9
- SSDEEP
  
  1536:jX4l1eP8Y/e9i2WRDx39kGDkzXJEDIUlKv:jX4l1Hi63XKDIgi
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral14 behavioral15
- Target
  
  Botnets PACK/Botnets PACK/Atmos BOTNET Builder/forms/Ionic.Zip.dll
- Size
  
  480KB
- MD5
  
  f6933bf7cee0fd6c80cdf207ff15a523
- SHA1
  
  039eeb1169e1defe387c7d4ca4021bce9d11786d
- SHA256
  
  17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89
- SHA512
  
  88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6
- SSDEEP
  
  6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9
Score

1^/10
behavioral16 behavioral17
- Target
  
  Botnets PACK/Botnets PACK/Atmos BOTNET Builder/forms/Launcher.exe
- Size
  
  53KB
- MD5
  
  c6d4c881112022eb30725978ecd7c6ec
- SHA1
  
  ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
- SHA256
  
  0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
- SHA512
  
  3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
- SSDEEP
  
  768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral18 behavioral19
- Target
  
  Botnets PACK/Botnets PACK/Atmos BOTNET Builder/forms/comm.exe
- Size
  
  1.4MB
- MD5
  
  804bd73023a433fc644ee17397a14693
- SHA1
  
  d866a20f930b708816f0980caba721664769991b
- SHA256
  
  0ae4e1b5a7301f7ff730ede4908a6faa8b065ead19d34633f1310c78efb2a39b
- SHA512
  
  56f4f6bc4fd76da1529c34425ebef49d491ed0ed9141423c216dd2bd01bb4c84009c568d5d2ac922b4afffd667279621ca5616aaf1d584917716bb6b51d6eb5e
- SSDEEP
  
  24576:os4vBHuqC+nLz4mHkHlgV0qTDTvdpXYxOnq+EKUA3H+so:oLvwynLzZIgvD7d2oqA3H+/
Score

3^/10

discovery
behavioral20 behavioral21
- Target
  
  Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/BetaBotBuilderGUI.exe
- Size
  
  205KB
- MD5
  
  8b247c25f5f7f68899a4c0b43b94df07
- SHA1
  
  9600a4b143310575459af77c37ad0d4a1ed0c67f
- SHA256
  
  dc7d7fbd02ffa98bfd0956d490228e8497000055407e4f2d2438329205f4170b
- SHA512
  
  4e1f7dbe2eb6c0e14a3306bd7a8772d40f09c39ab6289c6424f5293252475f2dec1cfd58b4031b846890639a2441e80638e8bc378fca3eb242546662743d75a8
- SSDEEP
  
  3072:74lFJeofDM5GQHebTHle2O/fLrzfqJbQKGk3:76Fsofo5VHebTHlZavfwbM
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral22 behavioral23
- Target
  
  Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/RDXService.dll
- Size
  
  725KB
- MD5
  
  51304725ca84c6d40082a6fb0c29afe9
- SHA1
  
  50088804c291fa76599ea380f5be02744356e33f
- SHA256
  
  bf6eec43e5c2493ba0e67d8b4b43154d82f32916e378484b9d0cef1df1681458
- SHA512
  
  d6d725b90cdb51b8095bf22f37561c5a970196aeb51ea71672aa59806439424fa626afe098b5ccc5e70fc03d5f759c0e861be747e7d9501d828eee2b7d226942
- SSDEEP
  
  12288:arHgF1VGckTmFCTbhf0u3rIRb5oPPN3y44GpOQJGmp2kRWlK:egnVGckTmUTbhflr6Y5BwpkW
Score

1^/10
behavioral24
- Target
  
  Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/npnul32/Ionic.Zip.dll
- Size
  
  480KB
- MD5
  
  f6933bf7cee0fd6c80cdf207ff15a523
- SHA1
  
  039eeb1169e1defe387c7d4ca4021bce9d11786d
- SHA256
  
  17bb0c9be45289a2be56a5f5a68ec9891d7792b886e0054bc86d57fe84d01c89
- SHA512
  
  88675512daa41e17ce4daf6ca764ccb17cd9633a7c2b7545875089cae60f6918909a947f3b1692d16ec5fa209e18e84bc0ff3594f72c3e677a6cca9f3a70b8d6
- SSDEEP
  
  6144:OhagC/Mq25o9sXGtSV41OJDsTDDVUMle6ZjxLV/kHu4Bht79I9:iagxWS4msNUCe65fkHdBf9
Score

1^/10
behavioral25 behavioral26
- Target
  
  Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/npnul32/Launcher.exe
- Size
  
  53KB
- MD5
  
  c6d4c881112022eb30725978ecd7c6ec
- SHA1
  
  ba4f96dc374195d873b3eebdb28b633d9a1c5bf5
- SHA256
  
  0d87b9b141a592711c52e7409ec64de3ab296cddc890be761d9af57cea381b32
- SHA512
  
  3bece10b65dfda69b6defbf50d067a59d1cd1db403547fdf28a4cbc87c4985a4636acfcff8300bd77fb91f2693084634d940a91517c33b5425258835ab990981
- SSDEEP
  
  768:FKtnBTTQi/YqMFlVt52ftDhKeoNzZq8OujxUu5XEAb4b9yvMzUV5:qBTUgYFveDRuFEAb4b99QV5
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral27 behavioral28
- Target
  
  Botnets PACK/Botnets PACK/BetaBotBuilder Leaked by Bull/npnul32/secur32.exe
- Size
  
  2.1MB
- MD5
  
  5cd9a43e3c6cc8f399aa315b7599c370
- SHA1
  
  f2a143f0f2cb5a8a6681b42b857597f53df177bf
- SHA256
  
  56436ae6f5093a83f858b3d641041cff9d1bb8ee7f2ee539b880491875f71d4e
- SHA512
  
  05e1c27d3201b12cd0b0be10ebf09fff059a58ae75856bbc23fb0577db54b4a925736385db98c4e86c475fb3c01ce9ca66a008cacec2c234915b7a2a1a4f584e
- SSDEEP
  
  49152:nlYeWDDNj+6l2Zq6Wl7wBfDlr1wB6h/92I52stZeDyDNmggXGYJU1YG:2eEDdll6tvOBi/8I52st8DyDNZYK+G
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  Botnets PACK/Botnets PACK/BlackNET - Compiled/BlackNET Builder.exe
- Size
  
  176KB
- MD5
  
  4e548a7c6eab54dd088499693ec80de0
- SHA1
  
  14dc314730672cdcc0d149dbc394457a729f477d
- SHA256
  
  3eef584ad9c9cee94f1e5a9950baa4b9b68d628e6d3ad9e02b2eb53e88d9293b
- SHA512
  
  e0539f8a6fbdf621578c6365e87749b055c5d61a816a28cc6c77fe59bc7aaa2ceac9f86861df4c25f1c8600a408e8ae892886359b78cb15907153cdddec517a2
- SSDEEP
  
  768:4ec4lj/7ePn43diJmBah5xoaJUQiVfKvMi:Y4lHePIdkmW5xomjefKvMi
Score

8^/10

discovery execution persistence
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29