Symbol: win.blacknet_rat

BlackNET RAT


An advanced, modern Windows botnet with a PHP panel, developed using VB.NET. Its functionality includes stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. It is open source and emerged at the end of 2019.

References
2021-08-26 | Minerva Labs | Minerva Labs
Become A VIP Victim With New Discord Distributed Malware
https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware (accessed 2021-09-12)
BlackNET RAT, RedLine Stealer

2021-01-13 | Github (Mave12) | Mave12
Github Repository: BlackNET 3.7.0.1
https://github.com/mave12/BlackNET-3.7.0.1 (accessed 2022-01-12)
BlackNET RAT

2020-12-24 | K7 Security | K7 Labs, Partheeban J
Dark Side Of BlackNET RAT
https://labs.k7computing.com/?p=21365 (accessed 2020-12-26)
BlackNET RAT

2020-03-23 | Malwarebytes | Threat Intelligence Team
Fake “Corona Antivirus” distributes BlackNET remote administration tool
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/ (accessed 2020-07-13)
BlackNET RAT

2019-12-25 | pwncode.io blog | c0d3inj3cT
BlackNet RAT - When you leave the Panel unprotected
http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html (accessed 2020-03-11)
BlackNET RAT

2019-01-04 | Github (BlackHacker511) | BlackHacker511
Github Repository: BlackNET
https://github.com/FarisCode511/BlackNET/ (accessed 2020-07-13)
BlackNET RAT

Yara Rules
[TLP:WHITE] win_blacknet_rat_w0 (20201216 | BlackNet Payload)
rule win_blacknet_rat_w0 { 
    meta: 
        author = "K7 Security Labs"
        date = "2020-12-16"
        version = "1"
        description = "BlackNet Payload"
        source = "https://labs.k7computing.com/index.php/anti-analysis-techniques/dark-side-of-blacknet-rat-part-2/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat"
        malpedia_rule_date = "20201216"
        malpedia_hash = ""
        malpedia_version = "20201216"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings: 
        $fun1 = "MAINWINDOWTITLE" nocase 
        $fun2 = "getkeystate" nocase 
        $fun3 = "getkeyboardstate" nocase 
        $fun4 = "mapvirtualkey" nocase 
        $fun5 = "copyfromscreen" nocase 
        $fun6 = "uploadfile" nocase 
        $filename1 = "Windows_update.exe" nocase wide 
        $filename2 = "Adobe Photoshop CS.exe" nocase wide 
        $filename3 = "updatedpayload.exe" nocase wide 
    condition: 
            (uint16(0) == 0x5A4D
        and 
            (3 of ($fun*)
        and
            (1 of ($filename*))))
}