Extracted

• • Target

    file.exe

  • Size

    6.9MB

  • MD5

    146ffe4774086772bb8dc8af417d1bee

  • SHA1

    a6ba1bfd326034d363f003def9600e4b3f8a3c99

  • SHA256

    feb090fe2a018ba71f2db302a253998b66f9655a0d83f80db512604093aee9de

  • SHA512

    332272905c5d85c226fcaa74ad60bf6bdd9544809b4dff4cedba42b42b8aa005c0cf7a9224a3c9070858a7311a640eedfeb1e5c19296b286e3ba5952584f99cb

  • SSDEEP

    98304:5iyaKXumYgc4UC0td7fAYMQSlV4AnEjdGS1YVrsk9N8ivyhAdsPSQxNU3r:o5KmgfUCEvyVN8iNISeU7

  Score

  10^/10

  blackguardcollectionevasionpersistencespywarestealer

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Executes dropped EXE

  • Modifies Windows Firewall

    evasion

  • Sets DLL path for service in the registry

    persistence

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  behavioral1behavioral2