blackguard | 47054077fb2dbdbb6727f69af4547ebeb333736ae3656156f572bf3cd08df38f

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2023 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LUDOMAN.exe
Size

10.3MB
MD5

1440a945528a8b6a1040fadf6209ca3f
SHA1

7bbac2ff658c58f3e84acc137ae482096692e230
SHA256

47054077fb2dbdbb6727f69af4547ebeb333736ae3656156f572bf3cd08df38f
SHA512

854f64cad9a0f85a70599439b89692a7e8e7d19f08b9d9cb5bc0a1f17f1b4f835046367c4e0cb2cf7f74538a548f9d1d1d442987d2ab4af5895fe330be6c7e53
SSDEEP

196608:+iHmim2+3DvpLgNEoZiD689QijlQjQ65n44Sv76x2p2h:Tmim2QbBgNr0HZQ/vy6

Score

10^/10

blackguard spyware stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	LUDOMAN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	VegaStealer_v1.exe

Executes dropped EXE 2 IoCs

pid	Process
4664	VegaStealer_v1.exe
2880	v1.exe

Loads dropped DLL 1 IoCs

pid	Process
2880	v1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	freegeoip.app
19	freegeoip.app
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v1.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	LUDOMAN.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2880	v1.exe
2880	v1.exe
2880	v1.exe
2880	v1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	v1.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 4664	2184	LUDOMAN.exe	84
PID 2184 wrote to memory of 4664	2184	LUDOMAN.exe	84
PID 2184 wrote to memory of 4664	2184	LUDOMAN.exe	84
PID 4664 wrote to memory of 2880	4664	VegaStealer_v1.exe	85
PID 4664 wrote to memory of 2880	4664	VegaStealer_v1.exe	85

C:\Users\Admin\AppData\Local\Temp\LUDOMAN.exe
"C:\Users\Admin\AppData\Local\Temp\LUDOMAN.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\VegaStealer_v1.exe
  "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\v1.exe
    "C:\Users\Admin\AppData\Local\Temp\v1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemFiles\Process.txt

Filesize
624B

MD5
18a8c296987f05c72575719b3305c81e

SHA1
9a71a016fdfc998409daa6f57dc141b481133dd7

SHA256
1cf753fa7437295d04ac26ddacb2772485d493bd68584ed7831bfa8505d5abd2

SHA512
be2746cbeed6ffd02df457a9dbdf72eeaecafa5ab40d50b0cbe1c830597b2cc9e453df90a937b40cefe3e5a9d817a5966a601935d03bc730ec619bc5f88d198d

Download Submit
C:\ProgramData\SystemFiles\Process.txt

Filesize
624B

MD5
18a8c296987f05c72575719b3305c81e

SHA1
9a71a016fdfc998409daa6f57dc141b481133dd7

SHA256
1cf753fa7437295d04ac26ddacb2772485d493bd68584ed7831bfa8505d5abd2

SHA512
be2746cbeed6ffd02df457a9dbdf72eeaecafa5ab40d50b0cbe1c830597b2cc9e453df90a937b40cefe3e5a9d817a5966a601935d03bc730ec619bc5f88d198d

Download Submit
C:\ProgramData\SystemFiles\Process.txt

Filesize
739B

MD5
946f40a69e9741d7eab46a9641522789

SHA1
3484c21bede56ce3dd1af6b2339bd2b962e5b538

SHA256
22c9cdebf906c90ae0291e0fc9fbbc97026fae67d56abf6409c73407ddbccb0f

SHA512
d37402fad012829fc6b8374116f39ddbe11ab5b41c39f46cec620429b555ea180ddef33bd61f3bcb14034d6b3684509bc1878868e8fd0ce97e76bf190141461c

Download Submit
C:\ProgramData\SystemFiles\Process.txt

Filesize
1KB

MD5
1177c094266c426e1a67f7fa01007538

SHA1
ee613d8ef2fdeea8ff3847f6202176179431ced3

SHA256
954850fee29ca646ecc92162f94631215a270a0479b9af80434623fddb05ba00

SHA512
0354a8e8014591844c01bd5643c97779434f0769c0da109bc11c5fe12ed44292f2f05495cb271dcf3dc639ea23170c09a6a742ac07419a1f8e70babd0ce66f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.7MB

MD5
a73fdfb6815b151848257eca042a42ef

SHA1
73f18e6b4d1f638e7ce2a7ad36635018482f2c55

SHA256
10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

SHA512
111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.7MB

MD5
a73fdfb6815b151848257eca042a42ef

SHA1
73f18e6b4d1f638e7ce2a7ad36635018482f2c55

SHA256
10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

SHA512
111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v1.exe

Filesize
6.7MB

MD5
e9c7d4bf51f7cb3cebef7cef43b16dc0

SHA1
125ce22c0b3b4b9da534b475385651dff4ef804e

SHA256
fa33d76c36399c1c2a351670407208625e8ea621e04d6290a42af55c59d70181

SHA512
5e7ac797143f94c489d2b1d878dfa1445966096a62d831c2389232db14cfb7b92ff05feddfb1c0f0380773e3ff9783b5770411e01c302e9505a48da49bb41885

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v1.exe

Filesize
6.7MB

MD5
e9c7d4bf51f7cb3cebef7cef43b16dc0

SHA1
125ce22c0b3b4b9da534b475385651dff4ef804e

SHA256
fa33d76c36399c1c2a351670407208625e8ea621e04d6290a42af55c59d70181

SHA512
5e7ac797143f94c489d2b1d878dfa1445966096a62d831c2389232db14cfb7b92ff05feddfb1c0f0380773e3ff9783b5770411e01c302e9505a48da49bb41885

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v1.exe

Filesize
6.7MB

MD5
e9c7d4bf51f7cb3cebef7cef43b16dc0

SHA1
125ce22c0b3b4b9da534b475385651dff4ef804e

SHA256
fa33d76c36399c1c2a351670407208625e8ea621e04d6290a42af55c59d70181

SHA512
5e7ac797143f94c489d2b1d878dfa1445966096a62d831c2389232db14cfb7b92ff05feddfb1c0f0380773e3ff9783b5770411e01c302e9505a48da49bb41885

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1.exe

Filesize
4.6MB

MD5
dcd019a82bdeebdb987f17d483e0b681

SHA1
53f3e681bc2c29b0f6f290a79e8fb68fe0bbd164

SHA256
267d1fe22ac34393b370f892a1fd9a428c4ad15085b9ae3956d7180762ea19a1

SHA512
4120ffe0c751dba94cbbbc2de2d126e3e64d14d3a2ca73548dd4cadbac507d81b9480fad36158b89ed4f8c6d7c2fc8bfc05560f781bdbf5441ae0f537eabe524

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1.exe

Filesize
4.6MB

MD5
dcd019a82bdeebdb987f17d483e0b681

SHA1
53f3e681bc2c29b0f6f290a79e8fb68fe0bbd164

SHA256
267d1fe22ac34393b370f892a1fd9a428c4ad15085b9ae3956d7180762ea19a1

SHA512
4120ffe0c751dba94cbbbc2de2d126e3e64d14d3a2ca73548dd4cadbac507d81b9480fad36158b89ed4f8c6d7c2fc8bfc05560f781bdbf5441ae0f537eabe524

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1.exe

Filesize
4.6MB

MD5
dcd019a82bdeebdb987f17d483e0b681

SHA1
53f3e681bc2c29b0f6f290a79e8fb68fe0bbd164

SHA256
267d1fe22ac34393b370f892a1fd9a428c4ad15085b9ae3956d7180762ea19a1

SHA512
4120ffe0c751dba94cbbbc2de2d126e3e64d14d3a2ca73548dd4cadbac507d81b9480fad36158b89ed4f8c6d7c2fc8bfc05560f781bdbf5441ae0f537eabe524

Download Submit
memory/2184-133-0x0000000000400000-0x0000000000E51000-memory.dmp

Filesize
10.3MB

Download
memory/2880-188-0x000001CAB53E0000-0x000001CAB53FA000-memory.dmp

Filesize
104KB

Download
memory/2880-191-0x000001CAB5DA0000-0x000001CAB5DF0000-memory.dmp

Filesize
320KB

Download
memory/2880-187-0x000001CA9B260000-0x000001CA9B27E000-memory.dmp

Filesize
120KB

Download
memory/2880-186-0x000001CA9B280000-0x000001CA9B290000-memory.dmp

Filesize
64KB

Download
memory/2880-222-0x000001CAB5AA0000-0x000001CAB5ADA000-memory.dmp

Filesize
232KB

Download
memory/2880-227-0x000001CAB6F70000-0x000001CAB7132000-memory.dmp

Filesize
1.8MB

Download
memory/2880-185-0x000001CAB53B0000-0x000001CAB53D2000-memory.dmp

Filesize
136KB

Download
memory/2880-271-0x000001CA9B280000-0x000001CA9B290000-memory.dmp

Filesize
64KB

Download
memory/2880-184-0x000001CAB5430000-0x000001CAB54A6000-memory.dmp

Filesize
472KB

Download
memory/2880-183-0x000001CA9AA00000-0x000001CA9AE98000-memory.dmp

Filesize
4.6MB

Download