win.blacknet_rat

BlackNET RAT


Advanced and modern Windows botnet with a PHP panel, developed using VB.NET. Its functionality includes stealing/grabbing files and passwords, keylogging, cryptojacking, loading files, executing commands, etc. It is open source and emerged at the end of 2019.

References
2021-08-26 | Minerva Labs | Minerva Labs
Become A VIP Victim With New Discord Distributed Malware
BlackNET RAT RedLine Stealer
2021-01-13 | Github (Mave12) | Mave12
Github Repository: BlackNET 3.7.0.1
BlackNET RAT
2020-12-24 | K7 Security | K7 Labs, Partheeban J
Dark Side Of BlackNET RAT
BlackNET RAT
2020-03-23 | Malwarebytes | Threat Intelligence Team
Fake “Corona Antivirus” distributes BlackNET remote administration tool
BlackNET RAT
2019-12-25 | pwncode.io blog | c0d3inj3cT
BlackNet RAT - When you leave the Panel unprotected
BlackNET RAT
2019-01-04 | Github (BlackHacker511) | BlackHacker511
Github Repository: BlackNET
BlackNET RAT
Yara Rules
[TLP:WHITE] win_blacknet_rat_w0 (20201216 | BlackNet Payload)
rule win_blacknet_rat_w0 { 
    meta: 
        author = "K7 Security Labs"
        date = "2020-12-16"
        version = "1"
        description = "BlackNet Payload"
        source = "https://labs.k7computing.com/index.php/anti-analysis-techniques/dark-side-of-blacknet-rat-part-2/"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat"
        malpedia_rule_date = "20201216"
        malpedia_hash = ""
        malpedia_version = "20201216"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings: 
        $fun1 = "MAINWINDOWTITLE" nocase 
        $fun2 = "getkeystate" nocase 
        $fun3 = "getkeyboardstate" nocase 
        $fun4 = "mapvirtualkey" nocase 
        $fun5 = "copyfromscreen" nocase 
        $fun6 = "uploadfile" nocase 
        $filename1 = "Windows_update.exe" nocase wide 
        $filename2 = "Adobe Photoshop CS.exe" nocase wide 
        $filename3 = "updatedpayload.exe" nocase wide 
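    condition:
        // PE file (MZ header), at least three of the API/function-name
        // strings, and at least one of the known payload file names
        uint16(0) == 0x5A4D
        and 3 of ($fun*)
        and 1 of ($filename*)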
}