blackguard | 7f6453437b84cd7518a1e628565a13f76bf09aa376eab94224fc269e3ef804a5 | Triage

Analysis

max time kernel
39s
max time network
34s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
01-07-2023 07:46

Sharing

Report Analysis Logs

General

Target

bld4exe.exe
Size

3.5MB
MD5

296fd972f13fe3f371d16ff2430a3e81
SHA1

056a3fbe0a88a39348e8b99f0cffb3c6e63b5655
SHA256

7f6453437b84cd7518a1e628565a13f76bf09aa376eab94224fc269e3ef804a5
SHA512

35c8a54f60f440333bb282459eb4db7f62f5abfb4c16fa0655df8d5a434f66b49bbb7a49543741462f60439ee6bf8b2b9547b7241954e500687cc06bd226ccb1
SSDEEP

98304:46UJZSh7kjoRtHOrpMsgD+TPzxpCQcYOi:pwQh7kjoihFTZOi

Score

10^/10

blackguard stealer

Malware Config

Extracted

Family

blackguard

C2

http://94.142.138.111

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1696	1496	WerFault.exe	27

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1696	1496	bld4exe.exe	28
PID 1496 wrote to memory of 1696	1496	bld4exe.exe	28
PID 1496 wrote to memory of 1696	1496	bld4exe.exe	28

C:\Users\Admin\AppData\Local\Temp\bld4exe.exe
"C:\Users\Admin\AppData\Local\Temp\bld4exe.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1496 -s 612
  2⤵
  - Program crash
  PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-54-0x0000000000FA0000-0x000000000130C000-memory.dmp

Filesize
3.4MB

Download
memory/1496-55-0x000000001B4B0000-0x000000001B530000-memory.dmp

Filesize
512KB

Download
memory/1496-56-0x000000001BAA0000-0x000000001BDE8000-memory.dmp

Filesize
3.3MB

Download
memory/1496-57-0x000000001B4B0000-0x000000001B530000-memory.dmp

Filesize
512KB

Download