MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fcda5517e6673b3233c58d4738b079c6f944ce746dfc3b1dbf87f475f8ff364. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlackNET


Vendor detections: 12



SHA256 hash: 4fcda5517e6673b3233c58d4738b079c6f944ce746dfc3b1dbf87f475f8ff364
SHA3-384 hash: 37cbaa1544ba2230af4bccda612772e9e5da2a84881c8f931a59b1207aec65cc3afe890ed2833473cd17e87659749e67
SHA1 hash: b8d17306aa1c757e6329bb69d976c224e585838a
MD5 hash: 4b71d55f16c4a497fb2457c340d5a8a6
humanhash: pennsylvania-virginia-robin-helium
File name: 4B71D55F16C4A497FB2457C340D5A8A6.exe
Signature: BlackNET
File size: 4'404'617 bytes
First seen: 2021-07-23 04:15:08 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep: 98304:d1dVjOEK3uU86JKDXO2mljOYvEYAyEWajTBkxV7YJ4lD:pVjXKeyJ0XEOYsYAyzajTBkxTh
Threatray: 759 similar samples on MalwareBazaar
TLSH: T1BE163342B09164B2D47226301A38D63179BB7D211F18924BA7E57E9FBA305C3AE34F77
dhash icon: 0000000000000000 (872 x AgentTesla, 496 x Formbook, 296 x RedLineStealer)
Reporter: abuse_ch
Tags: BlackNet exe


abuse_ch
BlackNET C2:
http://54.237.66.139/receive.php

Indicators Of Compromise (IOCs)


Below is a list of indicators of compromise (IOCs) associated with this malware sample.

IOC    ThreatFox Reference
http://54.237.66.139/receive.php    https://threatfox.abuse.ch/ioc/162036/

Intelligence


File Origin
# of uploads: 1
# of downloads: 173
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 4B71D55F16C4A497FB2457C340D5A8A6.exe
Verdict: Malicious activity
Analysis date: 2021-07-23 04:16:59 UTC
Tags: trojan blacknet keylogger

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: Agent Tesla AgentTesla BlackNET Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Connects to a pastebin service (likely for C&C)
Creates files with lurking names (e.g. Crack.exe)
Detected Agent Tesla keylogger
Found strings related to Crypto-Mining
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample is not signed and drops a device driver
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected BlackNET
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 452937)
Sample: PShX4jA4HK.exe
Start date: 23/07/2021
Architecture: WINDOWS
Score: 100

Top-level network contacts: pastebin.com, mine.c3pool.com, geo.c3pool.com
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 12 other signatures

Process tree (dropped files, network contacts and signatures are listed under the process they belong to; child processes are indented under their parent):

PShX4jA4HK.exe
  dropped: C:\Users\user\AppData\Local\...\cracked.exe (PE32)
  dropped: C:\Users\user\AppData\Local\Temp\...\ATB.exe (PE32)
  dropped: C:\Users\user\AppData\Local\Temp\...\run.vbs (ASCII)
  signature: Creates files with lurking names (e.g. Crack.exe)
  wscript.exe
    cracked.exe
      dropped: C:\Users\user\AppData\...\cracked.exe.log (ASCII)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Creates files with lurking names (e.g. Crack.exe); 2 other signatures
      vbc.exe
        dropped: C:\Users\user\AppData\...\phoneupdate.exe (PE32+)
        dropped: C:\Users\user\AppData\Local\Temp\phone.exe (PE32)
        phoneupdate.exe
          dropped: C:\Users\user\AppData\...\userupdate.exe (PE32+)
          signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Sample is not signed and drops a device driver
          userupdate.exe
            dropped: C:\Users\user\AppData\...\sihost64.exe (PE32+)
            dropped: C:\Users\user\AppData\Roaming\...\WR64.sys (PE32+)
            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign process
            cmd.exe
              conhost.exe
              schtasks.exe
          sihost64.exe
            userupdate.exe (3 instances)
              cmd.exe
                conhost.exe
          cmd.exe
            signature: Uses schtasks.exe or at.exe to add and modify task schedules
            conhost.exe
            schtasks.exe
        phone.exe
          network: 54.237.66.139 (ports 49732, 49741, 49745; AMAZON-AES, United States)
          signatures: Antivirus detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
      vbc.exe (3 further instances)
    ATB.exe
      signature: Antivirus detection for dropped file
      WerFault.exe
svchost.exe
  signature: Changes security center settings (notifications, updates, antivirus, firewall)
svchost.exe
  network: 127.0.0.1
9 other processes
  network: 192.168.2.1
Threat name: ByteCode-MSIL.Exploit.BypassUac
Status: Malicious
First seen: 2021-07-20 06:53:38 UTC
AV detection: 19 of 27 (70.37%)
Threat level: 5/5
Result
Malware family:
Score: 10/10
Tags: family:blacknet family:xmrig miner suricata trojan
Behaviour
Creates scheduled task(s)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Uses the VBS compiler for execution
Blocklisted process makes network request
Executes dropped EXE
XMRig Miner Payload
BlackNET
BlackNET Payload
Contains code to disable Windows Defender
suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
xmrig
Unpacked files

SHA256 hash: c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash: 0327d1374a5ce015ad9c83c5de76e823
SHA1 hash: e521349d9e96a4191248747c42c78b6f88fc8f63

SHA256 hash: c3033ac711a2247331f03a52874b0f98b4726271c6a7ea4017ab2d044a1c6eea
MD5 hash: 116c8d48ed8c34b61adf731a28d66d75
SHA1 hash: 4b6d8bee02b33e7eafe3dbb0a032f992bece96e3

SHA256 hash: 9269e43b4390850e2eb3078a91ccafae52e0ce8addc92bd331772817e770278e
MD5 hash: 99d9dafdf2859bb5a94f95534835fd4d
SHA1 hash: 05aaabbd60dcd89a488a0eecc3d9f6bf4ae79cab
Detections: win_blacknet_rat_w0

SHA256 hash: 7dc0f8b51db9be8635d1e2bacb7eb065931c37e21d7d057b6c2981905821fe5f
MD5 hash: 34c11ed96678b76adc7138c804f6c141
SHA1 hash: f0c963e035393be463259ff45ad04949d1721a65

SHA256 hash: 56e2fe0aa7b213e5f366494e20af3f3947c8de349a57e37f31067470d38b44aa
MD5 hash: bc88ef36254e0d4b16b4b663664a1f44
SHA1 hash: dbf93ac9c54a7fb76ee98530b5710a289a0830ba
Detections: win_agent_tesla_g1

SHA256 hash: 085b741dcfc91997f31b7c9c5c1834f902326175edd1d7375b0c854f04f8627f
MD5 hash: 681540cf3debb8e43654404566e8cbb9
SHA1 hash: 5a4be94b49fa19d112465df370edd7d28a273540
Detections: win_agent_tesla_g1

SHA256 hash: 9c32870bd9eb8b3d9bb332b3f9ee2c99ecf514000499676141fb504724440d40
MD5 hash: 3c271824b33cc69e11b802f707dc947d
SHA1 hash: 47ccaa9817865edc0fb29311868f7d627bd660a7
Detections: win_agent_tesla_g1

SHA256 hash: d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
MD5 hash: bfb160a89f4a607a60464631ed3ed9fd
SHA1 hash: 1c981ef3eea8548a30e8d7bf8d0d61f9224288dd

SHA256 hash: 6b123410a31a3f41f69f431bf407e3b6b40864ea71b88945135701f5a4a64f35
MD5 hash: 9f73c2894d9c727e8a797dd3497ab112
SHA1 hash: bb365d71e89ccd61c708bf7abf40d00688a39be7

SHA256 hash: 2d5e2831e24496bd74a7a2317f824657905cdadaeb00f5c6e33e9b75c5231a2f
MD5 hash: a18b7cb1fe97912ffc3e38d76ccc0462
SHA1 hash: c5908c111223d69f532973643381983ba385c1c1
Detections: win_blacknet_rat_w0

SHA256 hash: 4fcda5517e6673b3233c58d4738b079c6f944ce746dfc3b1dbf87f475f8ff364
MD5 hash: 4b71d55f16c4a497fb2457c340d5a8a6
SHA1 hash: b8d17306aa1c757e6329bb69d976c224e585838a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments