A forum for reverse engineering, OS internals and malware analysis 

WinNT/BlackEnergy

Forum for analysis and discussion about malware.

Re: Black Energy 2.1+

 #12837  by R136a1
 Sat Apr 21, 2012 8:28 am
Sine February 2012 there is an increase of uploaded BlackEnergy samples to Online Sandbox ThreatExpert:

5 February 2012: http://www.threatexpert.com/report.aspx ... 01c45dce6e
11 February 2012: http://www.threatexpert.com/report.aspx ... c09e0e1371
14 February 2012: http://www.threatexpert.com/report.aspx ... 67dbdad89f
16 February 2012: http://www.threatexpert.com/report.aspx ... 879f6fdb85
15 March 2012: http://www.threatexpert.com/report.aspx ... eb5839ae1e
17 March 2012: http://www.threatexpert.com/report.aspx ... 1d68c3283d
28 March 2012: http://www.threatexpert.com/report.aspx ... 73aaac5827
10 April 2012: http://www.threatexpert.com/report.aspx ... d95b8bd882
13 April 2012: http://www.threatexpert.com/report.aspx ... 32d72bfe76
18 April 2012: http://www.threatexpert.com/report.aspx ... 0fe3110611
18 April 2012: http://www.threatexpert.com/report.aspx ... 180c95c854

Thanks to leeno we have a sample of this new BlackEnergy version in attach:
Attachments
PW: infected
(36.67 KiB) Downloaded 149 times

Re: Black Energy 2.1+

 #23135  by rkhunter
 Tue Jun 17, 2014 11:34 am
http://www.f-secure.com/weblog/archives/00002715.html

Driver in attach.

MD5: 462860910526904ef8334ee17acbbbe5
SHA1: 26b9816b3f9e2f350cc92ef4c30a097c6fec7798
SHA256: e791718c0141e3829608142fb0f0d35c9af270f78ae0b72fce2edd07a9684568
Attachments
pass:infected
(52.47 KiB) Downloaded 122 times

Re: Black Energy 2.1+

 #23138  by EP_X0FF
 Tue Jun 17, 2014 12:43 pm
A sample of the BlackEnergy family was recently uploaded to VirusTotal from Ukraine
They forgot to add hysterics part about Kremlin hand. Ops.

Re: Black Energy 2.1+

 #23263  by rkhunter
 Wed Jul 02, 2014 7:39 pm
One more sample.

http://www.f-secure.com/weblog/archives/00002721.html

MD5: d98bd7e2ff62ed478ddbd0007831656e
SHA-1: 0d4d3bc51798a4c95ea4dfba8960b9ef948f404c
SHA-256: ffab26134f4c6674a6d0e6d96c11fab5c6dbb2781eedc0ff5ed3226ff56f434e
Attachments
pass:infected
(69.53 KiB) Downloaded 154 times

Re: Black Energy 2.1+

 #24290  by Mad_Dud
 Thu Nov 06, 2014 10:51 am
It seems like there are two new unique observables identified in Black Energy used in Sandworm operation:
  • Bots started to receive "destr" command, which destroys hard disk by overwriting with random data (on application level and driver level) at a certain time.
  • Bots also use Google+ to check if botnet master changed IP address of the CnC server. The bots fetch profile image and decode it in search for the new IP using stenography algorithms.
Source: http://securelist.com/blog/research/673 ... -profiles/
 Return to “Malware”