Overview

overview

10

Static

static

10

dce3c6ed04...3d.exe

windows7-x64

10

dce3c6ed04...3d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    02-04-2023 02:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dce3c6ed046018eac08f82942401123d.exe

  • Size

    3.2MB

  • MD5

    dce3c6ed046018eac08f82942401123d

  • SHA1

    a2556fd4c7bbd8cd3b30c2eaa6aad272e52a858d

  • SHA256

    6e178c0fb8198d21b85f9179c731a2e203e2c112bc017848c4b2361ef1411619

  • SHA512

    ce5ca34369629fe66fafcd2b94018464ecc3bdb08c2ee83c517921997975a75ae57720824abd23bca92ad664d1bd2ea3065ae248ffe9a0f6affc77156c90d88c

  • SSDEEP

    98304:sTdsIG91TVghsRfyX4hmE01E7oQWOq4+iPx:kWIk5RciR7cv

Score
10/10
blackguardstealer

Malware Config

Extracted

Family

blackguard

C2

https://ritmflow.online/

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Program crash 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dce3c6ed046018eac08f82942401123d.exe
    "C:\Users\Admin\AppData\Local\Temp\dce3c6ed046018eac08f82942401123d.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1196 -s 1824
      2⤵
      • Program crash
      PID:1620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    e71c8443ae0bc2e282c73faead0a6dd3

    SHA1

    0c110c1b01e68edfacaeae64781a37b1995fa94b

    SHA256

    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

    SHA512

    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar29F6.tmp
    Filesize

    161KB

    MD5

    be2bec6e8c5653136d3e72fe53c98aa3

    SHA1

    a8182d6db17c14671c3d5766c72e58d87c0810de

    SHA256

    1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

    SHA512

    0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

    Download Submit

  • memory/1196-54-0x00000000011A0000-0x00000000014D6000-memory.dmp

    Filesize

    3.2MB

    Download

  • memory/1196-55-0x000000001B2E0000-0x000000001B360000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1196-93-0x000000001B2E0000-0x000000001B360000-memory.dmp

    Filesize

    512KB

    Download