A forum for reverse engineering, OS internals and malware analysis 

Backdoor Blackshades NET

Forum for analysis and discussion about malware.

Re: Malware/MSIL-BA

 #6472  by EP_X0FF
 Sun May 22, 2011 5:31 am
markusg wrote:unrar.exe
http://www.virustotal.com/file-scan/rep ... 1305990757
Multi crypted Backdoor Blackshades NET. First layer provided by N0$crypter (some video about this crap http://www.youtube.com/watch?v=hZOwxmN-oQg).
In attached unpacked.

http://www.virustotal.com/file-scan/rep ... 1306042066

Posts moved.
Attachments
pass: malware
(157.03 KiB) Downloaded 75 times

Re: MSIL/Turkobz.A

 #7874  by EP_X0FF
 Sat Aug 06, 2011 12:38 am
This is MSIL dropper for Blackshades NET backdoor. As target for injection it uses Task Manager.
C:\Users\Admin\Desktop_old\Blackshadesproject\BlackshadesNET\server\server.vbp
Thread merged.

Re: Malware/Not classified

 #8053  by EP_X0FF
 Tue Aug 16, 2011 12:35 pm
markusg wrote:trrr.exe
http://www.virustotal.com/file-scan/rep ... 1313492095
Backdoor Blackshades NET (C:\Users\Admin\Desktop_old\Blackshades project\Blackshades NET\server\server.vbp) crypted by something called DarkEye crypter and additionally few times packed with UPX.

Posts moved.

Re: Backdoor Blackshades NET

 #14412  by rkhunter
 Mon Jul 02, 2012 1:07 pm
Blackshades dropper

SHA1: 69afd3f4baa1a5630fd2bf0ea988d5a93c4dc57f
MD5: 2d6864fab2d34e908fef51fad5055b9a

Unpacked
SHA1: 9e6b282ab5c761df99178f70275998d2feb6e82a
MD5: 68977b34ae1c089cd28d95769badd67a
*\AH:\Blackshades Project\Blackshades NET\server\server.vbp
bss_server.usrRelay
bss_server.usrReverseRelay
2c49f800-c2dd-11cf-9ad6-0080c7e7b78d
mswinsck.ocx
MSWinsockLib.Winsock
Winsock
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1) Gecko/20090612 Firefox/3.5
SHDocVw
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
{00020404-0000-0000-C000-000000000046}
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
C:\Windows\SysWOW64\ieframe.dll
set CDAudio door closed
\nir_cmd.bss speak text
\nir_cmd.bss setsysvolume 65535
\nir_cmd.bss mutesysvolume 1
\nir_cmd.bss mutesysvolume 0
\nir_cmd.bss screensaver
\nir_cmd.bss monitor off
\nir_cmd.bss monitor on
HOST
DNS
PORT
TRANSFERPORT
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\
SOFTWARE\Microsoft\Active Setup\Installed Components\
HKEY_CLASSES_ROOT\HTTP\shell\open\command\
\winlogon.exe
iexplore.exe
\Vuze\Azureus.exe
\LimeWire\LimeWire.exe
LimeWire
Torrent Download
\uTorrent\uTorrent.exe
\uTorrent\uTorrent.exe /HIDE
\BitTorrent\bittorrent.exe
BitTorrent
\system32\drivers\etc\hosts
C:\Program Files (x86)\Microsoft Visual Studio\VB98\mswinsck.oca
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Select * from Win32_LogicalDisk
\ -
Size
GiB
MiB
KiB
0 B
winmgmts:\\.\root\SecurityCenter
Select * from AntiVirusProduct
CompanyName
(Version
versionnumber
IsWow64Process
abcdefghijklmnopqrstuvwxyz0123456789
\wallpaper.bmp
\wallpaper.jpg
Copies itself to:
%appdata%\S8FRKQM7K2.exe
Runs from:
HKCU\Software\Microsoft\Active Setup\Installed Components\{A0EAAA05-D3A2-4AEF-CF07-ACBC6959F15F}\StubPath
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender
HKLM\Software\Microsoft\Active Setup\Installed Components\{A0EAAA05-D3A2-4AEF-CF07-ACBC6959F15F}\StubPath
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\run\Windows Defender
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender
Attachments
pass:infected
(176.45 KiB) Downloaded 76 times
pass:infected
(171.34 KiB) Downloaded 71 times

Re: Backdoor Blackshades NET

 #15290  by Flamef
 Wed Aug 22, 2012 12:40 am
Hi all,
Blackshades/DarkComet bundled with Fraps installation lol .
https://www.virustotal.com/file/76dd89d ... /analysis/
Main payload is Cacao.dll
Script-kiddie high as f*** disabling Taskmanager/Regedit/CMD/System-restore with batch commands.
It either runs as MSconfig.exe(didn't write down the registry location,sry) or runs through vbc.exe,if you check vbc.exe,you'll see an established connection.See it yourself as i might be wrong since i didn't spend more than 5 minutes on this masterpiece.
Here is the interesting part:
Unique and first-seen spreading method via YouTube http://www.youtube.com/watch?v=lgRwWN8RFxs&feature=plcp :D .
Anyway,warned him that if he won't delete the vid,i will report him straight to the police with his real credentials.

P.S:Too much 9gag hurts,found refences like trololol etc . :lol: :lol:
Attachments
Forgot to add password,sorry.
(2.85 MiB) Downloaded 83 times
 Return to “Malware”