{
	"id": "dd976a0e-c555-4405-babf-a3bc0ffb4f50",
	"created_at": "2026-04-06T00:21:38.488208Z",
	"updated_at": "2026-04-10T13:12:21.690295Z",
	"deleted_at": null,
	"sha1_hash": "068f9eaf797d66d3829fdfeea7ea53d49d798483",
	"title": "Dark Side Of BlackNET RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 687016,
	"plain_text": "Dark Side Of BlackNET RAT\r\nPublished: 2020-12-24 · Archived: 2026-04-05 18:25:16 UTC\r\nThe global impact of the COVID-19 pandemic on people’s lives has been significant, be it on health, livelihood or work life. This has proven advantageous for threat actors, who have begun to look for vulnerabilities, especially in remote access services, thereby exploiting the Work From Home situation of the general public. The pandemic has also created enormous opportunities for n00b malware authors, especially with the Malware-as-a-Service (MaaS) business model taking shape in the cybercrime world.\r\nNowadays, social media applications are being used for interacting within the cybersec community and keeping oneself updated. Some of the most prevalent social media apps are Telegram and Discord. During this pandemic, we found lots of channels being created on Telegram and Discord that share malware and hacking tools which pose a threat to users. We, the Threat Intelligence Team at K7 Labs, have been monitoring hacker forums and these kinds of social media applications for possible threats. While monitoring, we noticed a builder version of the BlackNET tool being shared in a channel (as shown in Figure 1), and on the same day we also noticed a compiled version of BlackNET RAT in the wild. 
BlackNET caught our attention because it was advertised as a RAT with strong lateral movement capabilities.\r\nFigure 1: Telegram Channel\r\nhttps://labs.k7computing.com/index.php/dark-side-of-blacknet-rat/\r\nPage 1 of 8\n\nThis BlackNET RAT is not new; there are already a few blogs on it that have been posted publicly, such as those by “c0d3inj3cT” and “Malwarebytes”. However, this tool is still being updated; the latest version is BlackNet v3.7, which is freely available on GitHub, and the developer calls himself “BlackHacker511”.\r\nThis is part 1 of our blog on BlackNET RAT, which discusses how the compiled malicious executable from this tool propagates via USB and Dropbox, including its Anti-Analyzing, Anti-VM, keylogging and Remote Desktop functionalities. Other interesting techniques used by this malware will be discussed in detail in our upcoming blog posts.\r\nBlackNET RAT is a Remote Access Trojan that adds devices to the BlackNET botnet. It is a free, advanced and modern Windows botnet with a secure PHP panel, built using VB.NET. 
This botnet controller comes with a lot of features such as:\r\nKeylogger\r\nPassword Stealer\r\nStealing Browser History and Cookies\r\nExecuting Shell Command\r\nUninstalling Client\r\nUSB spread and Dropbox spread\r\nBitcoin wallets\r\nAn important point to note is that the developers of this tool update the RAT quite frequently with newer functionalities.\r\nThis tool’s compiled executable output mimics the file version of the legitimate svchost.exe so as to operate covertly. This malevolent executable is also equipped with Anti-debugging and Anti-VM features that complicate the reversing process.\r\nThis malware uses multiple techniques such as Anti-detection, DDOS attack, Keylogger, Remote Desktop, Watchdog, USB spread, Dropbox spread and also persistence techniques, as shown in Figure 2.\r\nFigure 2: Malicious functions named after techniques used\r\nAnti-Analyzing\r\nThis malware carries a predefined list of tool names which are typically used by a malware researcher to monitor a malware’s behaviour (as shown in Figure 3). The malware checks whether any of the tools from the predefined list is running on the victim’s system by fetching the active process names using the GETPROCESSESBYNAME method, and kills the processes which match the list. 
The malware also looks at the main window titles of the open windows on the system, using the PROCESS.MAINWINDOWTITLE method, and compares them with the predefined list of malware analysis tool names as shown in Figure 3.\r\nFigure 3: Predefined list of malware analysis tool names\r\nAnti-VM Technique\r\nThis malware verifies if it is running within a controlled virtual environment by checking for specific dll names like “vmguestlib.dll” for VMware and “vboxmrxnp.dll” for VirtualBox, and by using the LoadLibrary API it loads “sbiedll.dll” to check whether that dll is available in the system, to detect Sandboxie VMs (as shown in Figure 4). Once a virtual environment is detected, the malware uses cmd.exe to self-delete and exit the environment.\r\nFigure 4: Anti-VM Technique\r\nKeylogger\r\nThe BlackNET RAT developer uses LimeLogger code for logging the keystrokes. Since these developers are genuine, they have mentioned the use of LimeLogger code in their builder file, and have given credit to the creator on their GitHub page as shown in Figure 5.\r\nUsing the HookCallback function and the KeyboardLayout function they collect all the keystrokes and store them in a text file under the temp folder as shown in Figure 6; the same log file also stores information sent from the malware to, and received from, the C\u0026C server.\r\nFigure 6: LimeLogger Code\r\nIn the HookCallback function, the threat actor has used the GetKeyState API to capture the keystrokes and call the KeyboardLayout function. Here the MapVirtualKey API is used to translate the captured virtual key into a scan code, and the ToUnicodeEx API is used to convert the scan code to a character and store it in a buffer. 
Then it returns the key character and writes it to the log file as shown in Figure 7 and Figure 8.\r\nFigure 7: Keylogger function\r\nFigure 8: KeyboardLayout function\r\nRemote Desktop\r\nThe main feature of this malware is to capture screenshots of the victim’s system screen and send them to the current host domain “hxxp[:]//redbulllogistics[.]online/blackie”, which has been pre-defined in its Form1 function as shown in Figure 9.\r\nFigure 9: Domain name used by attacker\r\nThe domain “hxxp[:]//redbulllogistics[.]online/blackie” was registered on June 18, 2020 and updated on Dec 5, 2020, which was the day this client malware file was detected in the wild.\r\nThe remote desktop function takes screenshots using the Graphics.CopyFromScreen function. Then it saves the file as company.png in the temp folder and uploads the files to “hxxp[:]//redbulllogistics[.]online/blackie/upload.php?id=” using the socket.uploadfile function as shown in Figure 10.\r\nFigure 10: Function to take screenshot and send it to the attacker\r\nThe attacker uses a mutex in this malware to check whether the file is already running on the system; the mutex value used by this malware is “BN[GRLdNjTe-8793677]”.\r\nDropbox Spread\r\nThe latest feature of BlackNET malware is Dropbox spread (Dropbox being a cloud storage provider). Here the attacker penetrates into the user profile and creates a folder named dropbox under the victim’s user profile. Then it drops the malware there and changes the malware file’s name to “Adobe Photoshop CS.exe” as shown in Figure 11.\r\nFigure 11: Dropbox spread\r\nUSB Spread\r\nThis is the most important feature available in this BlackNET RAT, where it also shows worm behaviour. 
Initially, when the malware is installed, it also checks whether a USB drive is mounted or not. With that information, the attacker sends an instruction via the C\u0026C server to spread through removable drives. In Figure 12, we can see that if an external drive is available, it checks for availability of free space and whether it is a removable drive or CD-ROM. Then it copies the malware to the removable drive with a link file for the malware with a default text icon, and renames it as “Windows_update.exe” with a hidden attribute.\r\nFigure 12: Copying the malware to the removable Drive\r\nTo create the lnk file on a removable drive it calls the lnk function as shown in Figure 13. The malware first deletes the old file with the lnk extension, creates a new lnk file using wscript.shell, and using cmd.exe executes it inside the drive to infect another system which uses this removable drive. Through this method it propagates to different systems.\r\nFigure 13: Creating lnk File on Removable Drive\r\nIn the upcoming blog we will be discussing how the attacker sends instructions to the botnet, along with how the client file is updated with newer functionalities and the malware’s persistence techniques to stay stealthy. 
The next blog post also throws light on other malicious behaviour of the BlackNET RAT like disabling Windows Defender, password stealing, stealing browser cookies and XMR mining.\r\nIndicators Of Compromise (IOCs):\r\nMD5 | File name | K7 Detection Name\r\nd826c6d5d9deef005d705b99cac11016 | invoice.exe | Trojan (004b9b591)\r\n0e8b2a12d51fe0257ccf231606eda3dd | svchost.exe | Trojan (005722cc1)\r\naf54eda77ed2ea3b3ab8b8ed6d2883bf | svchost.exe | Trojan (0052d5341)\r\n5abc07a97fa739ba257b4f90bc1464c3 | Antidetect7.exe | Trojan (005721421)\r\nE426C21445DAE36D36BB5D1CFE9D383B | Blacknet Builder | Trojan (0001140e1)\r\n35DCBC7EB742DD4F1EDFBCCF7826C724 | Stub.exe | Trojan (004c54d71)\r\nD13D370C3858C9811E70F95D554D2C6 | Watcher.exe | Riskware (0040eff71)\r\n15AC279DFAB997846C0BB9441861F0FA | Passwordstealer.dll | Spyware (004bf6371)\r\nto Part 2…\r\nSource: https://labs.k7computing.com/index.php/dark-side-of-blacknet-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.k7computing.com/index.php/dark-side-of-blacknet-rat/"
	],
	"report_names": [
		"dark-side-of-blacknet-rat"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434898,
	"ts_updated_at": 1775826741,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/068f9eaf797d66d3829fdfeea7ea53d49d798483.pdf",
		"text": "https://archive.orkl.eu/068f9eaf797d66d3829fdfeea7ea53d49d798483.txt",
		"img": "https://archive.orkl.eu/068f9eaf797d66d3829fdfeea7ea53d49d798483.jpg"
	}
}