blackguard | 216c960ac6ef399e7ff33b18c03777237ced76d59ce0f8bb4d5f9a22e85b3bd8

Analysis

Target

bilds.exe
Size

628KB
MD5

f5ba22891326912d8f47c4fb5575d33b
SHA1

7c237b720304f76362ea66f0d37ab502daf22b30
SHA256

216c960ac6ef399e7ff33b18c03777237ced76d59ce0f8bb4d5f9a22e85b3bd8
SHA512

b77eb3cd6e920e554bdb052e4bfc44e3f23358a29297cb37685ed9ba76aa3452d3eaf284b2542379a6770bfa84fd5fa1f702aff8714b64859c1b4ebb7906b4de

Score

10^/10

Family

blackguard

https://api.telegram.org/bot1840568117:AAGlvKQeSfXkObSE7__yYc5jM9o8qSrkFUw/sendMessage?chat_id=1039923904

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	bilds.exe

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

memory/1476-130-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/1476-131-0x00000000005D0000-0x0000000000672000-memory.dmp

Filesize
648KB

Download
memory/1476-132-0x0000000005040000-0x00000000050A6000-memory.dmp

Filesize
408KB

Download
memory/1476-133-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/1476-134-0x00000000064D0000-0x0000000006562000-memory.dmp

Filesize
584KB

Download