Overview

overview

10

Static

static

10

yhjkjkgrgj.exe

windows7-x64

10

yhjkjkgrgj.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    74s
  • max time network
    38s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    31-03-2023 21:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    yhjkjkgrgj.exe

  • Size

    3.2MB

  • MD5

    dce3c6ed046018eac08f82942401123d

  • SHA1

    a2556fd4c7bbd8cd3b30c2eaa6aad272e52a858d

  • SHA256

    6e178c0fb8198d21b85f9179c731a2e203e2c112bc017848c4b2361ef1411619

  • SHA512

    ce5ca34369629fe66fafcd2b94018464ecc3bdb08c2ee83c517921997975a75ae57720824abd23bca92ad664d1bd2ea3065ae248ffe9a0f6affc77156c90d88c

  • SSDEEP

    98304:sTdsIG91TVghsRfyX4hmE01E7oQWOq4+iPx:kWIk5RciR7cv

Score
10/10
blackguardstealer

Malware Config

Extracted

Family

blackguard

C2

https://ritmflow.online/

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\yhjkjkgrgj.exe
    "C:\Users\Admin\AppData\Local\Temp\yhjkjkgrgj.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:920
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 920 -s 1840
      2⤵
      • Program crash
      PID:1616
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:376
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x568
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1740

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      61KB

      MD5

      e71c8443ae0bc2e282c73faead0a6dd3

      SHA1

      0c110c1b01e68edfacaeae64781a37b1995fa94b

      SHA256

      95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

      SHA512

      b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar4BF6.tmp
      Filesize

      161KB

      MD5

      be2bec6e8c5653136d3e72fe53c98aa3

      SHA1

      a8182d6db17c14671c3d5766c72e58d87c0810de

      SHA256

      1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

      SHA512

      0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

      Download Submit

    • memory/920-54-0x0000000000120000-0x0000000000456000-memory.dmp

      Filesize

      3.2MB

      Download

    • memory/920-55-0x000000001B5A0000-0x000000001B620000-memory.dmp

      Filesize

      512KB

      Download

    • memory/920-93-0x000000001B5A0000-0x000000001B620000-memory.dmp

      Filesize

      512KB

      Download