Overview

overview

10

Static

static

10

f2d25cb96d...4d.exe

windows7_x64

10

f2d25cb96d...4d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    271s
  • max time network
    274s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    13-07-2022 10:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe

  • Size

    1.9MB

  • MD5

    2d28df44857d0be0b1ca1e5b4987894e

  • SHA1

    a442fa9d272cfdbbcb406c8ef02c9a5d669c6fed

  • SHA256

    f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d

  • SHA512

    7a6b19655597832c7c75518fe7f01f9916b30d70b61b0d617e93fb3209aafc2ce99687e0dcbaea3d46ac68f315a43a8fd7308dfd215854f706c7ebe9c0518d5a

Score
10/10
blackguardstealersuricata

Malware Config

Extracted

Family

blackguard

C2

https://onetwostep.at/

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • suricata: ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at)

    suricata: ET MALWARE Observed BlackGuard_v2 Domain in DNS Lookup (onetwostep .at)

    suricata
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe
    "C:\Users\Admin\AppData\Local\Temp\f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4344
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4344 -s 1732
      2⤵
      • Program crash
      PID:4184
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 432 -p 4344 -ip 4344
    1⤵
      PID:2020

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4344-130-0x000002493F0E0000-0x000002493F2D0000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/4344-131-0x00007FF8BEA80000-0x00007FF8BF541000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4344-132-0x00007FF8BEA80000-0x00007FF8BF541000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4344-133-0x00007FF8BEA80000-0x00007FF8BF541000-memory.dmp

      Filesize

      10.8MB

      Download