blackguard | f47db48129530cf19f3c42f0c9f38ce1915f403469483661999dc2b19e12650b | Triage

Resubmissions

31-03-2022 16:03

220331-thnx7aedd2 10

03-02-2022 08:05

220203-jyw9dsedhp 3

Analysis

max time kernel
4294183s
max time network
129s
platform
windows7_x64
resource
win7-20220310-en
submitted
31-03-2022 16:03

Sharing

Report Analysis Logs

General

Target

d2f181221ba9049c02ed7283c9144c7c.exe
Size

1.7MB
MD5

d2f181221ba9049c02ed7283c9144c7c
SHA1

b4ed1b4714112d5fc3c7b4673e19ed26ae4c6e85
SHA256

f47db48129530cf19f3c42f0c9f38ce1915f403469483661999dc2b19e12650b
SHA512

ab0b9a029489f6b3a091c7823b5523ea3cfd8677b32eddd48ba7e64694e4146c3292589d9d09bd0cc5908c9d86c830ee21e75f8712e6f3a2cba2cfd853f372a1

Score

10^/10

blackguard stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1996 1628 WerFault.exe d2f181221ba9049c02ed7283c9144c7c.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

d2f181221ba9049c02ed7283c9144c7c.exe

description pid process

Token: SeDebugPrivilege 1628 d2f181221ba9049c02ed7283c9144c7c.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d2f181221ba9049c02ed7283c9144c7c.exe

description	pid	process	target process
PID 1628 wrote to memory of 1996	1628	d2f181221ba9049c02ed7283c9144c7c.exe	WerFault.exe
PID 1628 wrote to memory of 1996	1628	d2f181221ba9049c02ed7283c9144c7c.exe	WerFault.exe
PID 1628 wrote to memory of 1996	1628	d2f181221ba9049c02ed7283c9144c7c.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\d2f181221ba9049c02ed7283c9144c7c.exe
"C:\Users\Admin\AppData\Local\Temp\d2f181221ba9049c02ed7283c9144c7c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1628 -s 1268
2⤵
- Program crash
PID:1996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-54-0x0000000000160000-0x0000000000322000-memory.dmp

Filesize
1.8MB

Download
memory/1628-55-0x000000001B0A0000-0x000000001B0A2000-memory.dmp

Filesize
8KB

Download
memory/1996-56-0x0000000000000000-mapping.dmp

Download