General

  • Target

    Build2sexe.exe

  • Size

    3.3MB

  • Sample

    230701-hth1jafh48

  • MD5

    1c2b15ed1c8897bb466ec6f1a0f3e815

  • SHA1

    b2faf832c9a2e0d7210374560cfff65406659884

  • SHA256

    eb405e175ae16fd8877aa87ffdb39f0d4f41cf7c77351708d84f44dd790c35d2

  • SHA512

    9df20f4a26972e6bbc5ce2e01a139793077781900f5c304a4239f52d73c1b1653a58f21c725b95371fe5ac4106761dae7b90b71722ee32a87c19517a0d4f8961

  • SSDEEP

    98304:4QBNUcwti78OqJ7TPBsHgMWJ0bJpqcV/:/zUcwti7TQlsBWJq1x

Malware Config

Extracted

Family

blackguard

C2

http://94.142.138.111
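
The hashes in the General block and the extracted C2 above are the indicators a responder would actually pivot on. The following script is an added example, not part of this report: it streams a file through all four digests in one pass, compares them case-insensitively against the report's values, and scans log lines for the bare C2 IP with boundaries so that 194.142.138.111 or 94.142.138.1110 do not produce false hits. The log lines are constructed for the example; the SSDEEP value is deliberately not matched here because fuzzy hashing is not in the standard library.

```python
import hashlib
import re

# Indicators copied from the report above.
SAMPLE_HASHES = {
    "md5": "1c2b15ed1c8897bb466ec6f1a0f3e815",
    "sha1": "b2faf832c9a2e0d7210374560cfff65406659884",
    "sha256": "eb405e175ae16fd8877aa87ffdb39f0d4f41cf7c77351708d84f44dd790c35d2",
    "sha512": (
        "9df20f4a26972e6bbc5ce2e01a139793077781900f5c304a4239f52d73c1b165"
        "3a58f21c725b95371fe5ac4106761dae7b90b71722ee32a87c19517a0d4f8961"
    ),
}
C2_HOST = "94.142.138.111"

# Bare IP match: reject a leading digit/dot (194.142...) and a trailing digit
# or dotted octet (...111.5), but allow URL delimiters such as "/" or ":".
C2_PATTERN = re.compile(r"(?<![\d.])" + re.escape(C2_HOST) + r"(?!\d|\.\d)")


def hash_stream(fh, chunk_size=1 << 20):
    """Feed one read loop into every digest so the file is read exactly once."""
    digests = {name: hashlib.new(name) for name in SAMPLE_HASHES}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_file(path):
    """Hash a file on disk (e.g. a quarantined copy of Build2sexe.exe)."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data):
    """Hash an in-memory blob; handy for carved or unit-test inputs."""
    import io
    return hash_stream(io.BytesIO(data))


def match_hashes(observed, known=SAMPLE_HASHES):
    """Return the algorithms whose digests match the known-bad set.

    Comparison is case-insensitive because threat feeds mix upper and lower
    case hex; any single algorithm match is enough to flag the file.
    """
    return sorted(
        name for name, value in observed.items()
        if value.lower() == known.get(name, "").lower()
    )


def find_c2_hits(log_lines):
    """Return the lines that reference the C2 host as a standalone address."""
    return [line for line in log_lines if C2_PATTERN.search(line)]


# Constructed proxy/firewall log lines for demonstration (not real telemetry).
SAMPLE_LOG = [
    "2023-07-01T10:02:11Z proxy host=WS-17 dst=http://94.142.138.111/ method=POST bytes=48213",
    "2023-07-01T10:02:12Z proxy host=WS-17 dst=http://194.142.138.111/ method=GET bytes=512",
    "2023-07-01T10:02:13Z fw  host=WS-17 dst=94.142.138.1110 action=drop",
    "2023-07-01T10:02:14Z fw  host=WS-17 dst=94.142.138.111:80 action=allow",
]

if __name__ == "__main__":
    for line in find_c2_hits(SAMPLE_LOG):
        print("C2 hit:", line)
    print("empty-input digests match report?", match_hashes(hash_bytes(b"")))
```

Run `hash_file` against a quarantined copy and check `match_hashes` on the result; a SHA256 match alone is conclusive, while an MD5-only match on a large corpus deserves a second look because MD5 collisions are cheap to construct.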

Targets

    • Target

      Build2sexe.exe

    • BlackGuard

      Infostealer first seen in late 2021.

    • Grants admin privileges

      Uses net.exe to modify the user's privileges.

    • Downloads MZ/PE file

    • Modifies Windows Firewall

    • Sets DLL path for service in the registry

    • Sets file to hidden

      Modifies file attributes so the file is not shown in Explorer and similar tools.

    • Allows Network login with blank passwords

      Allows local user accounts with blank passwords to access device from the network.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • UPX packed file

      Detects executables packed with UPX or a modified build of the open-source UPX packer.

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Modifies WinLogon

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory
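
Several of the signatures above (admin group changes via net.exe, firewall changes, blank-password network logon, hidden attributes, Run key and WinLogon persistence) are visible as process-creation command lines, which is where a detection engineer would hunt for them. The script below is an added example and not part of this report or of any sandbox engine: it classifies constructed process events against regexes for those behaviours. The command lines are plausible forms of each technique, not commands observed from this sample; the registry locations (Lsa\LimitBlankPasswordUse, CurrentVersion\Run, CurrentVersion\Winlogon) are the standard Windows locations for the settings the signatures describe.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (the fields Sysmon Event ID 1 would give)."""
    pid: int
    image: str
    command_line: str


# Signature name from the report -> pattern over the command line.
# Patterns are assumed forms of each technique, written for this example.
RULES = [
    ("Grants admin privileges",
     re.compile(r'\bnet1?(?:\.exe)?"?\s+localgroup\s+administrators\b.*\s/add\b', re.I)),
    ("Modifies Windows Firewall",
     re.compile(r'\bnetsh(?:\.exe)?"?\s+(?:advfirewall|firewall)\b', re.I)),
    ("Allows Network login with blank passwords",
     re.compile(r'\breg(?:\.exe)?"?\s+add\b.*\bLimitBlankPasswordUse\b.*\s/d\s+0\b', re.I)),
    ("Sets file to hidden",
     re.compile(r'\battrib(?:\.exe)?"?\s+(?:\S+\s+)*\+h\b', re.I)),
    ("Adds Run key to start application",
     re.compile(r'\breg(?:\.exe)?"?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b', re.I)),
    ("Modifies WinLogon",
     re.compile(r'\breg(?:\.exe)?"?\s+add\b.*\\CurrentVersion\\Winlogon\b', re.I)),
]


def classify(command_line):
    """Return the report signature names whose pattern matches this command line."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def scan(events):
    """Return (pid, image, signature) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name in classify(ev.command_line):
            hits.append((ev.pid, ev.image, name))
    return hits


# Constructed events for the example: six malicious, three benign.
SAMPLE_EVENTS = [
    ProcessEvent(1201, r"C:\Windows\System32\net.exe",
                 r"net localgroup Administrators victim /add"),
    ProcessEvent(1202, r"C:\Windows\System32\netsh.exe",
                 r"netsh advfirewall set allprofiles state off"),
    ProcessEvent(1203, r"C:\Windows\System32\reg.exe",
                 r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LimitBlankPasswordUse /t REG_DWORD /d 0 /f'),
    ProcessEvent(1204, r"C:\Windows\System32\attrib.exe",
                 r'attrib +h +s "C:\Users\victim\AppData\Roaming\svc.exe"'),
    ProcessEvent(1205, r"C:\Windows\System32\reg.exe",
                 r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svc /t REG_SZ /d "C:\Users\victim\AppData\Roaming\svc.exe" /f'),
    ProcessEvent(1206, r"C:\Windows\System32\reg.exe",
                 r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /t REG_SZ /d "explorer.exe,C:\Users\victim\AppData\Roaming\svc.exe" /f'),
    # Benign look-alikes that must not fire.
    ProcessEvent(1301, r"C:\Windows\System32\net.exe", r"net use Z: \\fileserver\share"),
    ProcessEvent(1302, r"C:\Windows\System32\reg.exe",
                 r'reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"'),
    ProcessEvent(1303, r"C:\Windows\System32\attrib.exe", r"attrib -r notes.txt"),
]

if __name__ == "__main__":
    for pid, image, name in scan(SAMPLE_EVENTS):
        print(f"pid={pid} {image}: {name}")
```

The rules key on the command line rather than the image path because the report's signatures are behavioural; in production, also correlate on the parent process, since a single parent that emits several of these within seconds is a far stronger signal than any one command on its own.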

MITRE ATT&CK Enterprise v6

Tasks