blackguard | d977d952f6008c5eefeffb1eea129a8b274b3ae2ef3629fcca6994b283665509

Analysis

max time kernel
90s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01/06/2022, 07:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

285f589cd4f3b4167b73302217555b93.exe
Size

262KB
MD5

285f589cd4f3b4167b73302217555b93
SHA1

458de3a4ff0834382b68a0f7d4957af85e5c0587
SHA256

d977d952f6008c5eefeffb1eea129a8b274b3ae2ef3629fcca6994b283665509
SHA512

358883cc51bec4e670a84f0aff479d25ace16144666958551268326b898855c56375ba2bbcadd65f40f22be72818833546842a290de1c5b6f41243fc94dd15d3

Score

10^/10

blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot5113210249:AAHdcRaqv7siBKm-_on8TiZJf_y0XMKlF7I/sendMessage?chat_id=909175584

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\FRBLFDHTFJLXDVLJVJHUWZP.Admin\Files\desktop.ini	285f589cd4f3b4167b73302217555b93.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	freegeoip.app
7	freegeoip.app

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1512	332	WerFault.exe	81

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
332	285f589cd4f3b4167b73302217555b93.exe
332	285f589cd4f3b4167b73302217555b93.exe
332	285f589cd4f3b4167b73302217555b93.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	332	285f589cd4f3b4167b73302217555b93.exe

C:\Users\Admin\AppData\Local\Temp\285f589cd4f3b4167b73302217555b93.exe
"C:\Users\Admin\AppData\Local\Temp\285f589cd4f3b4167b73302217555b93.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 332 -s 1484
  2⤵
  - Program crash
  PID:1512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 176 -p 332 -ip 332
1⤵
PID:4752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/332-130-0x0000000000570000-0x00000000005B8000-memory.dmp

Filesize
288KB

Download
memory/332-131-0x00007FFEACCE0000-0x00007FFEAD7A1000-memory.dmp

Filesize
10.8MB

Download
memory/332-132-0x00007FFEACCE0000-0x00007FFEAD7A1000-memory.dmp

Filesize
10.8MB

Download