blackguard | 05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433 | Triage

Submit
Reports

Overview

overview

Static

static

05c2991a5e...33.exe

windows7-x64

05c2991a5e...33.exe

windows10-2004-x64

Sharing

General

Target

05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433
Size

7.6MB
Sample

230107-a5brlacd34
MD5

4ecc21c7a2aadaf74dfac9e52723d41e
SHA1

1e39e52aefb0b5c7fa16aaf9c9d870150482a4eb
SHA256

05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433
SHA512

9273eed9eaea2638bfb310fa5ed84a0586512b7b85396fb5658e2eb06b7ab81b63cf615674cc4e32130d16a3e173e97b213b8423a5c0c025c36c04d274e85265
SSDEEP

196608:Z0Xi4ZgUmPjE+Agbk9fcGVN8iNISGK71:yXiMgbj7AsGXiw

Score

10^/10

blackguard collection evasion persistence spyware stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433.exe

Resource

win7-20221111-en

blackguard collection evasion persistence spyware stealer

windows7-x64

19 signatures

150 seconds

Behavioral task

behavioral2

Sample

05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433.exe

Resource

win10v2004-20221111-en

blackguard collection evasion persistence spyware stealer

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Family

blackguard

C2

http://45.15.156.9

Targets

- Target
  
  05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433
- Size
  
  7.6MB
- MD5
  
  4ecc21c7a2aadaf74dfac9e52723d41e
- SHA1
  
  1e39e52aefb0b5c7fa16aaf9c9d870150482a4eb
- SHA256
  
  05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433
- SHA512
  
  9273eed9eaea2638bfb310fa5ed84a0586512b7b85396fb5658e2eb06b7ab81b63cf615674cc4e32130d16a3e173e97b213b8423a5c0c025c36c04d274e85265
- SSDEEP
  
  196608:Z0Xi4ZgUmPjE+Agbk9fcGVN8iNISGK71:yXiMgbj7AsGXiw
Score

10^/10

blackguard collection evasion persistence spyware stealer
- BlackGuard
  Infostealer first seen in Late 2021.
  stealer blackguard
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Sets DLL path for service in the registry
  persistence
- Sets file execution options in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses Microsoft Outlook profiles
  collection
- Adds Run key to start application
  persistence
- Modifies WinLogon
  persistence
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackguardcollectionevasionpersistencespywarestealer

behavioral2

blackguardcollectionevasionpersistencespywarestealer

© 2018-2025

Terms | Privacy