blackguard | bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74

General

Target

AYReport_EN.exe
Size

9.6MB
MD5

ec333982af0977d8af5a4984792a4385
SHA1

d5b7e49c6476766d45a18cdd150d0679a9529a5a
SHA256

bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74
SHA512

1446ecc9ca6f193796cdbaf1b9f291b85a36279659254e6cbf286dba8a0e5f233c889b459b799a0d18462f1210841a61a207f76bc90db4365a43e7d967761cfc
SSDEEP

49152:LLLjKXCrX+hMesdq40bf95X9K5NRcSJDg/u/fiGhG6E7/6bp1pBt0zKkevwN/+j:

Score

10^/10

blackguard stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1859779917-101786662-3680946609-1000\Control Panel\International\Geo\Nation	AYReport_EN.exe

Executes dropped EXE 2 IoCs

pid	Process
392	QCWIGX5R.exe
3812	ZP96FKE3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
960	392	WerFault.exe	87

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	392	QCWIGX5R.exe
Token: SeDebugPrivilege	3812	ZP96FKE3.exe
Token: SeTakeOwnershipPrivilege	3812	ZP96FKE3.exe
Token: SeRestorePrivilege	3812	ZP96FKE3.exe
Token: SeTcbPrivilege	3812	ZP96FKE3.exe
Token: SeBackupPrivilege	3812	ZP96FKE3.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3812	ZP96FKE3.exe
3812	ZP96FKE3.exe
3812	ZP96FKE3.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 392	1332	AYReport_EN.exe	87
PID 1332 wrote to memory of 392	1332	AYReport_EN.exe	87
PID 1332 wrote to memory of 3812	1332	AYReport_EN.exe	88
PID 1332 wrote to memory of 3812	1332	AYReport_EN.exe	88
PID 1332 wrote to memory of 3812	1332	AYReport_EN.exe	88

C:\Users\Admin\AppData\Local\Temp\AYReport_EN.exe
"C:\Users\Admin\AppData\Local\Temp\AYReport_EN.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Users\Admin\AppData\Roaming\Adobe\QCWIGX5R.exe
  "C:\Users\Admin\AppData\Roaming\Adobe\QCWIGX5R.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:392
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 392 -s 1688
    3⤵
    - Program crash
    PID:960
- C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\ZP96FKE3.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\ZP96FKE3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 392 -ip 392
1⤵
PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\ZP96FKE3.exe

Filesize
1.8MB

MD5
cdb983e76d6fc15c5eaef54a063f0091

SHA1
ff22a165f86cf929727fa12d8e787e69d24bb19c

SHA256
0d9e31079d1626252be3d0241e9559e975a0ccf94648d4f41219119136f361f1

SHA512
a665a3c222a4fb218dca8af4e10582e493e4aec146e6e5bbf1091d482ea3081528e77fc9b176f892d5ba04fe442991947acc20242b3e4885fd37a614a963f3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\ZP96FKE3.exe

Filesize
1.8MB

MD5
cdb983e76d6fc15c5eaef54a063f0091

SHA1
ff22a165f86cf929727fa12d8e787e69d24bb19c

SHA256
0d9e31079d1626252be3d0241e9559e975a0ccf94648d4f41219119136f361f1

SHA512
a665a3c222a4fb218dca8af4e10582e493e4aec146e6e5bbf1091d482ea3081528e77fc9b176f892d5ba04fe442991947acc20242b3e4885fd37a614a963f3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\ZP96FKE3.exe

Filesize
1.8MB

MD5
cdb983e76d6fc15c5eaef54a063f0091

SHA1
ff22a165f86cf929727fa12d8e787e69d24bb19c

SHA256
0d9e31079d1626252be3d0241e9559e975a0ccf94648d4f41219119136f361f1

SHA512
a665a3c222a4fb218dca8af4e10582e493e4aec146e6e5bbf1091d482ea3081528e77fc9b176f892d5ba04fe442991947acc20242b3e4885fd37a614a963f3c6

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\QCWIGX5R.exe

Filesize
1.8MB

MD5
8bbaf95337912b8a1d36594e5bb2f5e6

SHA1
5db26a00543868b7f7bc88ec6597a17cf0dc71ae

SHA256
c50a943a78dc0049438b810fae2973ade0350c6ad76f924348fd56daff9fdf3a

SHA512
3665bbbfced55b369c0a3926fbe1682c3dc80e669d33fc523b4e23c2bbbb38f34b50d04bf369d0104d71ff99c73e9cb3d525408f0f137d7e870d7dded4196620

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\QCWIGX5R.exe

Filesize
1.8MB

MD5
8bbaf95337912b8a1d36594e5bb2f5e6

SHA1
5db26a00543868b7f7bc88ec6597a17cf0dc71ae

SHA256
c50a943a78dc0049438b810fae2973ade0350c6ad76f924348fd56daff9fdf3a

SHA512
3665bbbfced55b369c0a3926fbe1682c3dc80e669d33fc523b4e23c2bbbb38f34b50d04bf369d0104d71ff99c73e9cb3d525408f0f137d7e870d7dded4196620

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\QCWIGX5R.exe

Filesize
1.8MB

MD5
8bbaf95337912b8a1d36594e5bb2f5e6

SHA1
5db26a00543868b7f7bc88ec6597a17cf0dc71ae

SHA256
c50a943a78dc0049438b810fae2973ade0350c6ad76f924348fd56daff9fdf3a

SHA512
3665bbbfced55b369c0a3926fbe1682c3dc80e669d33fc523b4e23c2bbbb38f34b50d04bf369d0104d71ff99c73e9cb3d525408f0f137d7e870d7dded4196620

Download Submit
memory/392-14-0x0000024D5B910000-0x0000024D5BAEC000-memory.dmp

Filesize
1.9MB

Download
memory/392-16-0x00007FFF0C550000-0x00007FFF0D011000-memory.dmp

Filesize
10.8MB

Download
memory/392-23-0x0000024D75FB0000-0x0000024D75FC0000-memory.dmp

Filesize
64KB

Download
memory/392-29-0x00007FFF0C550000-0x00007FFF0D011000-memory.dmp

Filesize
10.8MB

Download
memory/1332-0-0x0000000000370000-0x0000000000D0A000-memory.dmp

Filesize
9.6MB

Download
memory/1332-1-0x00007FFF0C550000-0x00007FFF0D011000-memory.dmp

Filesize
10.8MB

Download
memory/1332-28-0x00007FFF0C550000-0x00007FFF0D011000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing