Analysis
max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-en-20211208
submitted: 06-03-2022 11:55
Static task: static1
Behavioral task: behavioral1
  Sample: Leane.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: Leane.exe
  Resource: win10v2004-en-20220113
General
Target: Leane.exe
Size: 3.6MB
MD5: a7340f408f53e08754a5bc56b835c3bf
SHA1: c8b9de345e9c64f319fe427ef0cb8076a57cbf08
SHA256: d3b27ba36d01a6ed5492d662c20b38569b0019c29fe065e8f810b369fba76531
SHA512: cb44f77081afeb648da5491ce7aef0dbbb365ad1028170638b2081707502e1b7dc679146268837f2ffc1bbfc6b6af67a6d9693b9091b4e528a9d333026105d27
Malware Config
Extracted family: blackguard
Extracted URL: https://api.telegram.org/bot1840568117:AAGlvKQeSfXkObSE7__yYc5jM9o8qSrkFUw/sendMessage?chat_id=1039923904
Signatures
BlackGuard
  Infostealer first seen in late 2021.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Program crash (1 IoC)
  Processes:
    pid: 1068, pid_target: 1632, process: WerFault.exe, target process: Leane.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid: 1632, process: Leane.exe (the same entry is recorded for each of the 64 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description: Token: SeDebugPrivilege, pid: 1632, process: Leane.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 1632 wrote to memory of 1068, pid: 1632, process: Leane.exe, target process: WerFault.exe (recorded 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\Leane.exe (PID: 1632)
  command line: "C:\Users\Admin\AppData\Local\Temp\Leane.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\WerFault.exe (PID: 1068, child of 1632)
    command line: C:\Windows\system32\WerFault.exe -u -p 1632 -s 976
    - Program crash