MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c9bd849cb30e63f3fa72d83b52303b21f3a880a5e7c6236e38a92dc078467e8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlackNET

Vendor detections: 16

Intelligence 16 IOCs YARA 18 File information Comments

SHA256 hash:	c9bd849cb30e63f3fa72d83b52303b21f3a880a5e7c6236e38a92dc078467e8d
SHA3-384 hash:	00dcc66f6d9245b3d8819e364ba0481de62eab8a4bede36edca1a653a69a3200bc5f54df0474a96a764f05b09189711e
SHA1 hash:	f75cffadf0cb8c7afac041d42d7beb416474e96a
MD5 hash:	d5ea5ec6d3dd740d1d8b6b817a667094
humanhash:	failed-beer-batman-pluto
File name:	D5EA5EC6D3DD740D1D8B6B817A667094.exe
Download:	download sample
Signature	BlackNET Create hunting rule
File size:	77'312 bytes
First seen:	2024-01-27 14:15:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'832 x AgentTesla, 19'769 x Formbook, 12'296 x SnakeKeylogger)
ssdeep	1536:5ZuhD5z28TC2qM/AEc7s1PsYTgbSUPH4Lb0tY4:eNoEc7suugbSKHaboY4
Threatray	6 similar samples on MalwareBazaar
TLSH	T18A73D44237ED6CA2D0BD9AB4BB3363C1C7B5FD1A0912D61D08C410AD5A7A747B981BE3
TrID	60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	414555c0d4d44503 (15 x njrat, 14 x BlackNET, 8 x Lucifer)
Reporter	abuse_ch
Tags:	BlackNet exe

abuse_ch

BlackNET C2:
http://op.mrstealth.pagekite.me/receive.php

Intelligence

File Origin

# of uploads :

# of downloads :

332

Origin country :

Vendor Threat Intelligence

Detection:

BlackNET

Link:

https://www.capesandbox.com/analysis/473187/

Detection(s):

Win.Trojan.BlackNetRAT-7838854-0

Win.Malware.Ursu-9794593-0

ditekSHen.MALWARE.Win.Trojan.BlackNET.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Creating a window

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm blacknet blackworm cmd evasive explorer hook keylogger lolbin lolbin net powershell schtasks winnti worm

Link:

https://www.filescan.io/uploads/65b5102616a447dc38febedb/reports/e594e4e1-23d8-4ffb-b57d-385417542fed/overview

Verdict:

Malicious

Labled as:

Variadic.A.348.Generic

Link:

https://www.hybrid-analysis.com/sample/c9bd849cb30e63f3fa72d83b52303b21f3a880a5e7c6236e38a92dc078467e8d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BlackNet RAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/33577dfc-1911-4b71-a23d-e8f15eceb2bd

Result

Threat name:

BlackNET

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1382108

Signature

.NET source code contains a sample name check

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected BlackNET

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/c9bd849cb30e63f3fa72d83b52303b21f3a880a5e7c6236e38a92dc078467e8d

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c9bd849cb30e63f3fa72d83b52303b21f3a880a5e7c6236e38a92dc078467e8d/

Threat name:

ByteCode-MSIL.Trojan.Variadic

Status:

Malicious

First seen:

2024-01-22 16:43:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 24 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zg6yjhftbzr7h6ts3a5vemb3ehz2raff47dcg3ryvew4a6cgp2gq._file

Verdict:

malicious

BlackNET

c105e8c3286a2589c4bbdaefbd266cd45be414d08854e48b4aa43104cc48c510

BlackNET

c9bd849cb30e63f3fa72d83b52303b21f3a880a5e7c6236e38a92dc078467e8d

BlackNET

d403c9a7f0a68755b906c4890787db30c209c919932155e6cf4f0e944177be66

BlackNET

Result

Malware family:

blacknet

Score:

10/10

Tags:

family:blacknet botnet:hacked trojan

Link:

https://tria.ge/reports/240127-rk5bvadgh9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

BlackNET

Malware Config

C2 Extraction:

http://op.mrstealth.pagekite.me

Unpacked files

SH256 hash:

c9bd849cb30e63f3fa72d83b52303b21f3a880a5e7c6236e38a92dc078467e8d

MD5 hash:

d5ea5ec6d3dd740d1d8b6b817a667094

SHA1 hash:

f75cffadf0cb8c7afac041d42d7beb416474e96a

Detections:

BlackNetRAT

win_blacknet_rat_w0

HKTL_NET_GUID_BlackNET

SUSP_Modified_SystemExeFileName_in_File

INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

CN_disclosed_20180208_c

INDICATOR_SUSPICIOUS_DisableWinDefender

MALWARE_Win_BlackNET

MAL_Winnti_Sample_May18_1

Link:

https://www.unpac.me/results/5b24a564-551b-4482-a08a-60dbb4838aa0/

Malware family:

BlackWorm

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c9bd849cb30e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c9bd849cb30e63f3fa72d83b52303b21f3a880a5e7c6236e38a92dc078467e8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CN_disclosed_20180208_c Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	CN_disclosed_20180208_c_RID2E71 Create hunting rule
Author:	Florian Roth
Description:	Detects malware from disclosed CN malware set
Reference:	https://twitter.com/cyberintproject/status/961714165550342146

Rule name:	d238aea078ca1bb99a80ec2bf5d07acb818d72e7823ea8e767eefde95a038401 Create hunting rule
Author:	H3lium
Description:	MALWARE! - file d238aea078ca1bb99a80ec2bf5d07acb818d72e7823ea8e767eefde95a038401.exe
Reference:	https://github.com/Neo23x0/yarGen

Rule name:	Disable_Defender Create hunting rule
Author:	iam-py-test
Description:	Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name:	HKTL_NET_GUID_BlackNET Create hunting rule
Author:	Arnim Rupp (https://github.com/ruppde)
Description:	Detects VB.NET red/black-team tools via typelibguid
Reference:	https://github.com/BlackHacker511/BlackNET

Rule name:	INDICATOR_SUSPICIOUS_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing artifacts associated with disabling Widnows Defender

Rule name:	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender Create hunting rule
Author:	ditekSHen
Description:	Detects executables embedding registry key / value combination indicative of disabling Windows Defender features

Rule name:	MALWARE_Win_BlackNET Create hunting rule
Author:	ditekSHen
Description:	Detects BlackNET RAT

Rule name:	MAL_Winnti_Sample_May18_1 Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Reference:	https://401trg.pw/burning-umbrella/

Rule name:	MAL_Winnti_Sample_May18_1_RID3003 Create hunting rule
Author:	Florian Roth
Description:	Detects malware sample from Burning Umbrella report - Generic Winnti Rule
Reference:	https://401trg.pw/burning-umbrella/

Rule name:	Multifamily_RAT_Detection Create hunting rule
Author:	Lucas Acha (http://www.lukeacha.com)
Description:	Generic Detection for multiple RAT families, PUPs, Packers and suspicious executables

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	SUSP_Modified_SystemExeFileName_in_File Create hunting rule
Author:	Florian Roth (Nextron Systems)
Description:	Detecst a variant of a system file name often used by attackers to cloak their activity
Reference:	https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

Rule name:	SUSP_Modified_SystemExeFileName_in_File_RID35F8 Create hunting rule
Author:	Florian Roth
Description:	Detecst a variant of a system file name often used by attackers to cloak their activity
Reference:	https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

Rule name:	win_blacknet_rat_w0 Create hunting rule
Author:	K7 Security Labs
Description:	BlackNet Payload

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/473187/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample