Overview

overview

10

Static

static

10

Leane.exe

windows7_x64

10

Leane.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    06-03-2022 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Leane.exe

  • Size

    3.9MB

  • MD5

    f2466bd74f1fd75ffc8289ec1120f24c

  • SHA1

    2041c34d882cd97d0006b6b17f464e71ae7abd67

  • SHA256

    ba2bc430c4661aab84cf7e8fedf2684e5fc106f7797af4553aef7490193b00a6

  • SHA512

    331c106326175840a3e595309434ab1c45f09173067bb612fb82b5bdc42fa1edffb57c3ac39758f3613170938e39cf9bcdc44bee149aa331637e7c9a5b611c45

Score
10/10
blackguardspywarestealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1840568117:AAGlvKQeSfXkObSE7__yYc5jM9o8qSrkFUw/sendMessage?chat_id=1039923904

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Leane.exe
    "C:\Users\Admin\AppData\Local\Temp\Leane.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3968
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3968 -s 1552
      2⤵
      • Program crash
      PID:2252
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 428 -p 3968 -ip 3968
    1⤵
      PID:1356

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3968-130-0x00000217DCA90000-0x00000217DCE88000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/3968-131-0x00007FFE676E0000-0x00007FFE681A1000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3968-132-0x00000217F8B50000-0x00000217F8B52000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3968-133-0x00000217FAC20000-0x00000217FAC70000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3968-134-0x00000217F8EC0000-0x00000217F8EE2000-memory.dmp

      Filesize

      136KB

      Download