Overview

overview

10

Static

static

10

f2d25cb96d...4d.exe

windows7_x64

10

f2d25cb96d...4d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    14-02-2022 15:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe

  • Size

    1.9MB

  • MD5

    2d28df44857d0be0b1ca1e5b4987894e

  • SHA1

    a442fa9d272cfdbbcb406c8ef02c9a5d669c6fed

  • SHA256

    f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d

  • SHA512

    7a6b19655597832c7c75518fe7f01f9916b30d70b61b0d617e93fb3209aafc2ce99687e0dcbaea3d46ac68f315a43a8fd7308dfd215854f706c7ebe9c0518d5a

Score
10/10
blackguardcollectionspywarestealer

Malware Config

Extracted

Family

blackguard

C2

https://onetwostep.at/

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe
    "C:\Users\Admin\AppData\Local\Temp\f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe"
    1⤵
    • Loads dropped DLL
    • Accesses Microsoft Outlook profiles
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\x64\SQLite.Interop.dll
    Filesize

    1.6MB

    MD5

    616827a61d7a49ce5389c5d96443e35d

    SHA1

    d522ee5607e122e775d77641dba09711146db739

    SHA256

    54d4025bc175de5367d0ace1a78fec7edf06b642892691cf85afb02b8ab166d5

    SHA512

    fd6a53cb9851e56b8dc6a40627058852f2949688b73dacf6f3e0fcf932453b8c52a3bfefb12c80c38397a89f1038ad8fad329ea2798b86457ce5d8fe7ba87312

    Download Submit
  • memory/1552-55-0x000007FEF4AF3000-0x000007FEF4AF4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1552-56-0x0000000000C50000-0x0000000000E40000-memory.dmp
    Filesize

    1.9MB

    Download
  • memory/1552-57-0x000000001AF40000-0x000000001AF42000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1552-58-0x000000001A970000-0x000000001AA20000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1552-59-0x000000001AAA0000-0x000000001AB02000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1552-61-0x000000001AED0000-0x000000001AEF5000-memory.dmp
    Filesize

    148KB

    Download
  • memory/1552-62-0x000000001AFC0000-0x000000001B036000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1552-63-0x000000001AF42000-0x000000001AF44000-memory.dmp
    Filesize

    8KB

    Download