General

  • Target

    https://mini-01-s3.vx-underground.org/samples/Builders/BlackNet/BlackNET%20v3.5.1.0.7z

  • Sample

    250430-p55r1aan3w

Malware Config

Extracted

Family

blacknet

Version

v3.5.1 Public

Botnet

[ID]

C2

[HOST]

Mutex

[MUTEX]

Attributes
  • antivm

    false

  • elevate_uac

    false

  • install_name

    [Install_Name]

  • splitter

    |BN|

  • start_name

    [StartupName]

  • startup

    false

  • usb_spread

    false

aes.plain

Extracted

Family

blacknet

Version

v3.5.1 Public

Botnet

HacKed

C2

http://localhost/blacknet

Mutex

BN[VNmCteMO-8347835]

Attributes
  • antivm

    true

  • elevate_uac

    true

  • install_name

    WindowsUpdate.exe

  • splitter

    |BN|

  • start_name

    a4f5fc179540a0b155d91b489e6811e2

  • startup

    false

  • usb_spread

    true

aes.plain

Targets

    • Target

      https://mini-01-s3.vx-underground.org/samples/Builders/BlackNet/BlackNET%20v3.5.1.0.7z

    • BlackNET

      BlackNET is an open source remote access tool written in VB.NET.

    • BlackNET payload

    • Blacknet family

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

MITRE ATT&CK Enterprise v16

Tasks