SVCHOST MALWARE recruits you into a botnet | BlackNET RAT deep dive malware analysis
Author: Jai Minton - CyberRaiju
Uploaded: 2024-03-09
Views: 1801
Deep dive analysis of the BlackNET RAT malware which recruits your system into a botnet that can be controlled from a centralised PHP web interface.
** Find me at **
Twitter/X - / cyberraiju
Blog - https://www.jaiminton.com/
Mastodon - https://infosec.exchange/@CyberRaiju
** Timestamps **
00:00 - Intro
00:25 - COVID-19 malware lures
00:57 - BlackNET RAT sample
01:10 - SFX Archive Identification
01:35 - Examining Updater.exe
01:50 - Dumping archive from SFX Overlay
02:06 - Decompression Stub
02:45 - 2nd stage SFX
03:06 - Masquerading as Adobe Photoshop CS12
03:17 - Using DIE to determine file type
03:30 - Decompiling with dnSpy
03:40 - Masquerading as svchost
04:03 - Methods at a glance
04:40 - RAT configuration
05:14 - RAT anti-VM methods
05:50 - Self-destruct methods
06:00 - RAT anti-debugging
06:43 - RAT disable AV methods
07:40 - DDoS methods
09:08 - HTTP support methods
09:20 - "BN" C2 delimiter
09:42 - Main malware 'Form'
09:58 - Blacklist and settings
10:14 - Other methods
10:33 - Keylogger methods
11:00 - Special keys and keyloggers
11:47 - Remote Desktop and screenshots
12:04 - Persistence methods
12:45 - Worming modules
13:15 - "BN" Mutex creation
13:50 - Uninstall and update commands
14:06 - General flow
14:50 - Attack commands
15:12 - Commands which can be run
18:45 - BlackNET RAT Builder
19:35 - Icons for masquerading
19:45 - Running the builder
21:00 - Compiling built malware
21:30 - BlackNET RAT C2 Panel
22:33 - Outro
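The SFX overlay carving step covered at 01:10 to 02:45 (identify the SFX stub, dump the archive appended past the last PE section) is easy to script. The following is an added example, not code from the video or from CyberRaiju: it parses the PE section table with the standard library only, treats everything after the highest PointerToRawData + SizeOfRawData as the overlay, and scans the overlay for common archive magics. The minimal PE stub and the RAR-looking bytes it runs on are constructed inside the script so it works offline; point it at a real sample (such as the Updater.exe from the video) by passing a file path.

```python
"""Carve the overlay of a self-extracting (SFX) archive stub and identify the
embedded archive format. Added example; the sample PE and payload below are
constructed here, not taken from the BlackNET sample."""
import struct
import sys

# Magic bytes of archive formats commonly wrapped in SFX stubs.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"Rar!\x1a\x07\x00": "RAR4",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
    b"PK\x03\x04": "ZIP",
    b"MSCF": "CAB",
}


def overlay_offset(data: bytes) -> int:
    """Return the file offset where the PE overlay starts.

    The overlay is everything past the highest PointerToRawData + SizeOfRawData
    in the section table. No section maps it, so the loader ignores it, which
    is why SFX stubs (and many droppers) park their payload there.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    section_table = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        hdr = section_table + i * 40
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20.
        size_raw, ptr_raw = struct.unpack_from("<II", data, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def identify_archive(blob: bytes):
    """Return (format name, offset) of the earliest archive magic in blob,
    or (None, -1). Scanning instead of checking offset 0 copes with stubs
    that keep a small config or comment block ahead of the archive."""
    best = (None, -1)
    for magic, name in ARCHIVE_MAGICS.items():
        pos = blob.find(magic)
        if pos != -1 and (best[1] == -1 or pos < best[1]):
            best = (name, pos)
    return best


def carve(data: bytes) -> dict:
    """Locate the overlay and the archive inside it."""
    start = overlay_offset(data)
    overlay = data[start:]
    name, rel = identify_archive(overlay)
    return {
        "overlay_offset": start,
        "overlay_size": len(overlay),
        "archive_type": name,
        "archive_offset": start + rel if rel != -1 else -1,
        "archive": overlay[rel:] if rel != -1 else b"",
    }


def build_stub(section_data: bytes) -> bytes:
    """Constructed sample: a minimal, non-runnable PE32 layout with one
    section whose raw data starts at 0x200, so the overlay begins right after."""
    e_lfanew, opt_size, ptr_raw = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = b"\x0b\x01" + b"\x00" * (opt_size - 2)  # PE32 magic, rest zero
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       len(section_data), ptr_raw, 0, 0, 0, 0, 0x60000020)
    pe = dos + b"PE\x00\x00" + coff + opt + sect
    pe += b"\x00" * (ptr_raw - len(pe))
    return pe + section_data


# Constructed input: stub, a 16-byte gap standing in for an SFX comment block,
# then a RAR4 signature followed by placeholder bytes.
SAMPLE = (build_stub(b"\x90" * 64) + b"\x00" * 16
          + b"Rar!\x1a\x07\x00" + b"constructed placeholder payload")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else SAMPLE
    result = carve(data)
    print({k: v for k, v in result.items() if k != "archive"})
    if path and result["archive"]:
        with open(path + ".overlay", "wb") as fh:
            fh.write(result["archive"])
```

Feed the dumped `.overlay` file to the matching extractor (or back into this script, since a second-stage SFX as at 02:45 is itself a PE with its own overlay). Anything in the overlay before the archive magic is worth a look too: SFX stubs store their run-after-extraction commands there.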
** Tools **
https://github.com/horsicq/Detect-It-...
https://github.com/dnSpyEx/dnSpy
https://www.winitor.com/download
** Sample **
https://bazaar.abuse.ch/sample/662344...
** Further Reading **
https://malpedia.caad.fkie.fraunhofer...
https://www.cisa.gov/news-events/cybe...
Credits:
SFX by Pixabay
Music by Pixabay, teodholina