blackguard | 45d3aaddefc1dff057687f38bbe8124e48a98e5dd053f6f62496f3dc3b48eef0 | Triage

Analysis

max time kernel
236s
max time network
241s
platform
windows7_x64
resource
win7-20220414-en
submitted
13-07-2022 10:11

Sharing

Report Analysis Logs

General

Target

f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe
Size

1.9MB
MD5

2d28df44857d0be0b1ca1e5b4987894e
SHA1

a442fa9d272cfdbbcb406c8ef02c9a5d669c6fed
SHA256

f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d
SHA512

7a6b19655597832c7c75518fe7f01f9916b30d70b61b0d617e93fb3209aafc2ce99687e0dcbaea3d46ac68f315a43a8fd7308dfd215854f706c7ebe9c0518d5a

Score

10^/10

blackguard stealer suricata

Malware Config

Extracted

Family

blackguard

C2

https://onetwostep.at/

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
suricata: ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at)
suricata: ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at)
suricata

Program crash 1 IoCs

pid	pid_target	Process	procid_target
656	948	WerFault.exe	25

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	948	f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 656	948	f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe	28
PID 948 wrote to memory of 656	948	f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe	28
PID 948 wrote to memory of 656	948	f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe	28

C:\Users\Admin\AppData\Local\Temp\f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe
"C:\Users\Admin\AppData\Local\Temp\f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 948 -s 704
  2⤵
  - Program crash
  PID:656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-54-0x0000000000920000-0x0000000000B10000-memory.dmp

Filesize
1.9MB

Download