Extracted

• • Target

    Build1.exe

  • Size

    115KB

  • MD5

    bfaa027a645e567824a10a26fb8dbefd

  • SHA1

    4ab52a0b1cc105a5462c2255ef84be9af431b82e

  • SHA256

    c67b6f45d0beb461838f87ca2ad4774b52d7ccf9b0fa36652e8642dc72f43302

  • SHA512

    2f7ab0e4451cfeec017ba294cfcbc6f02d85c756bebce1cf9b3c69f6c77386fe9a21897734c44f4aa32dcaf3a1b7fbaaf0c4639edab1c8961761767a656b4569

  • SSDEEP

    1536:ztCbuEYE+9z2wpuFavGmhMnDIhzZtz20tnh/:5CbuAsEFNmhMnDIhNI0tnh/

  Score

  10^/10

  blackguardcollectionpersistencespywarestealerevasionupx

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard

  • Grants admin privileges

    Uses net.exe to modify the user's privileges.

  • Downloads MZ/PE file

  • Modifies Windows Firewall

    evasion

  • Sets DLL path for service in the registry

    persistence

  • Sets file to hidden

    Modifies file attributes to stop it showing in Explorer etc.

    evasion

  • Allows Network login with blank passwords

    Allows local user accounts with blank passwords to access device from the network.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses Microsoft Outlook profiles

    collection

  • Adds Run key to start application

    persistence

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon

    persistence

  • Drops file in System32 directory

  behavioral1behavioral2