MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackNET


Vendor detections: 10


Intelligence 10 IOCs 1 YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c
SHA3-384 hash: 4e5006b6c2efcd933526f7c29c29b42fe6f7865c9862837734a6b938cbf26b5c6853827cf7cfaef9bc772c2ae73a8b32
SHA1 hash: 02a1cff69f43552c5aa6fea7547e5f68018dbc84
MD5 hash: af711c6269728cc41a4b6cab99dc00d2
humanhash: red-robert-pizza-pennsylvania
File name:af711c6269728cc41a4b6cab99dc00d2.exe
Download: download sample
Signature BlackNET
Create hunting rule
File size:3'340'800 bytes
First seen:2021-07-22 20:00:35 UTC
Last seen:2021-07-22 20:43:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:BNe2ChzmVqX9nVGow7smPofq+4sdvz9rnZ4WqplL+7AF79acVE:BNihoqX9ncoY04CvzBniWq3h7ocV
Threatray 74 similar samples on MalwareBazaar
TLSH T170F5126C764079CFC4278E334994ED71F6A06C6A9307EA0358D37DAFB9BC6478E111A2
dhash icon 7071313ccceccc0c (1 x BlackNET)
Reporter abuse_ch
Tags:BlackNet exe


Avatar
abuse_ch
BlackNET C2:
http://54.237.66.139/receive.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://54.237.66.139/receive.php https://threatfox.abuse.ch/ioc/162036/

Intelligence

File Origin
# of uploads :
2
# of downloads :
192
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
af711c6269728cc41a4b6cab99dc00d2.exe
Verdict:
Malicious activity
Analysis date:
2021-07-22 20:03:11 UTC
Tags:
keylogger trojan blacknet
Link:
https://app.any.run/tasks/9a0cca22-fc65-4a4a-8c48-4b9e267b1806

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/173440/
Detection(s):
SecuriteInfo.com.Trojan.Siggen14.44137.1054.25303.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1deb5c65-b901-4171-9789-67f6cc03950e
Result
Threat name:
BlackNET
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/820404
Signature
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected BlackNET
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 452815 Sample: 3CYB91lFpn.exe Startdate: 22/07/2021 Architecture: WINDOWS Score: 80 19 Malicious sample detected (through community Yara rule) 2->19 21 Multi AV Scanner detection for submitted file 2->21 23 Yara detected BlackNET 2->23 25 3 other signatures 2->25 6 3CYB91lFpn.exe 3 2->6         started        process3 file4 17 C:\Users\user\AppData\...\3CYB91lFpn.exe.log, ASCII 6->17 dropped 9 vbc.exe 6->9         started        11 vbc.exe 6->11         started        13 vbc.exe 6->13         started        15 2 other processes 6->15 process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-20 03:53:24 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j72dc5uec7dransxwzkusyuzrlz3f6ibqdtpdhtg4zy3j5ygayoa._file
Verdict:
malicious
Similar samples:
06ae265d022abb3efb56a9aaf1b4cbee322817434b6dbebd93afa4e2869a2236
BlackNET
1ed5337566938228ee9afcad29b1f722d55f4f8172a3157af4d4ad913541b2ea
BlackNET
357a1d94af889c7d73ca1a767222066f3550e007c7f52d3f83895fc5bf2e17b6
BlackNET
7c88f9d38fcb9dd17d733e65a8ebee46d6b74700a02ba5a4614b7b6002d5ef0c
BlackNET
a8288077dd8efe988232bbcc8519f636f097795cd34d87963ea61ac712336d1a
BlackNET
b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae
BlackNET
f95e19a66cb1e3a612f2c07380376196e856dfefbe1038c4e6fd7d6a03388b5d
BlackNET
f970fb9186f287b64997d76b1d4ddc5121b42e4bf697734ae1855a641e95b923
BlackNET
+ 64 additional samples on MalwareBazaar
Result
Malware family:
xmrig
Create hunting rule
Score:
  10/10
Tags:
family:blacknet family:xmrig miner suricata trojan
Link:
https://tria.ge/reports/210722-6r1wws339s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Uses the VBS compiler for execution
Blocklisted process makes network request
Executes dropped EXE
XMRig Miner Payload
BlackNET
BlackNET Payload
Contains code to disable Windows Defender
suricata: ET MALWARE Win32/BlackNET CnC Keep-Alive
xmrig
Unpacked files
SH256 hash:
c362729899c5956cfa9fc3bcf9b21ac72066a1b84a497ceb1281f76e2f55c54b
MD5 hash:
0327d1374a5ce015ad9c83c5de76e823
SHA1 hash:
e521349d9e96a4191248747c42c78b6f88fc8f63
Link:
https://www.unpac.me/results/3726acba-849b-4467-a370-9f6ce645b099/
SH256 hash:
2d5e2831e24496bd74a7a2317f824657905cdadaeb00f5c6e33e9b75c5231a2f
MD5 hash:
a18b7cb1fe97912ffc3e38d76ccc0462
SHA1 hash:
c5908c111223d69f532973643381983ba385c1c1
Detections:
win_blacknet_rat_w0
Create hunting rule
Link:
https://www.unpac.me/results/3726acba-849b-4467-a370-9f6ce645b099/
Parent samples :
2d5e2831e24496bd74a7a2317f824657905cdadaeb00f5c6e33e9b75c5231a2f
4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c
4fcda5517e6673b3233c58d4738b079c6f944ce746dfc3b1dbf87f475f8ff364
SH256 hash:
c3033ac711a2247331f03a52874b0f98b4726271c6a7ea4017ab2d044a1c6eea
MD5 hash:
116c8d48ed8c34b61adf731a28d66d75
SHA1 hash:
4b6d8bee02b33e7eafe3dbb0a032f992bece96e3
Link:
https://www.unpac.me/results/3726acba-849b-4467-a370-9f6ce645b099/
SH256 hash:
9269e43b4390850e2eb3078a91ccafae52e0ce8addc92bd331772817e770278e
MD5 hash:
99d9dafdf2859bb5a94f95534835fd4d
SHA1 hash:
05aaabbd60dcd89a488a0eecc3d9f6bf4ae79cab
Detections:
win_blacknet_rat_w0
Create hunting rule
Link:
https://www.unpac.me/results/3726acba-849b-4467-a370-9f6ce645b099/
Parent samples :
4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c
4fcda5517e6673b3233c58d4738b079c6f944ce746dfc3b1dbf87f475f8ff364
SH256 hash:
4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c
MD5 hash:
af711c6269728cc41a4b6cab99dc00d2
SHA1 hash:
02a1cff69f43552c5aa6fea7547e5f68018dbc84
Link:
https://www.unpac.me/results/3726acba-849b-4467-a370-9f6ce645b099/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/4ff431768417c7103657b6554962998af3b2f90180e6f19e66e671b4f706061c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/173440/

Comments