blackguard | d977d952f6008c5eefeffb1eea129a8b274b3ae2ef3629fcca6994b283665509

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
01/06/2022, 07:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

285f589cd4f3b4167b73302217555b93.exe
Size

262KB
MD5

285f589cd4f3b4167b73302217555b93
SHA1

458de3a4ff0834382b68a0f7d4957af85e5c0587
SHA256

d977d952f6008c5eefeffb1eea129a8b274b3ae2ef3629fcca6994b283665509
SHA512

358883cc51bec4e670a84f0aff479d25ace16144666958551268326b898855c56375ba2bbcadd65f40f22be72818833546842a290de1c5b6f41243fc94dd15d3

Score

10^/10

blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot5113210249:AAHdcRaqv7siBKm-_on8TiZJf_y0XMKlF7I/sendMessage?chat_id=909175584

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\WYZSGDWS.Admin\Files\desktop.ini	285f589cd4f3b4167b73302217555b93.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
736	1080	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1080	285f589cd4f3b4167b73302217555b93.exe
1080	285f589cd4f3b4167b73302217555b93.exe
1080	285f589cd4f3b4167b73302217555b93.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1080	285f589cd4f3b4167b73302217555b93.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 736	1080	285f589cd4f3b4167b73302217555b93.exe	28
PID 1080 wrote to memory of 736	1080	285f589cd4f3b4167b73302217555b93.exe	28
PID 1080 wrote to memory of 736	1080	285f589cd4f3b4167b73302217555b93.exe	28

C:\Users\Admin\AppData\Local\Temp\285f589cd4f3b4167b73302217555b93.exe
"C:\Users\Admin\AppData\Local\Temp\285f589cd4f3b4167b73302217555b93.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1080 -s 864
  2⤵
  - Program crash
  PID:736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-54-0x0000000000AF0000-0x0000000000B38000-memory.dmp

Filesize
288KB

Download
memory/1080-56-0x000007FEF45C0000-0x000007FEF5B48000-memory.dmp

Filesize
21.5MB

Download
memory/1080-57-0x000007FEF3980000-0x000007FEF45BF000-memory.dmp

Filesize
12.2MB

Download
memory/1080-58-0x000007FEF30F0000-0x000007FEF397C000-memory.dmp

Filesize
8.5MB

Download
memory/1080-59-0x000007FEF2F00000-0x000007FEF30E8000-memory.dmp

Filesize
1.9MB

Download
memory/1080-60-0x000007FEF1FB0000-0x000007FEF2EFD000-memory.dmp

Filesize
15.3MB

Download
memory/1080-61-0x000007FEEE110000-0x000007FEEEB60000-memory.dmp

Filesize
10.3MB

Download
memory/1080-62-0x000007FEF6620000-0x000007FEF674A000-memory.dmp

Filesize
1.2MB

Download