blackguard | 818990fafe6019b9d39d7d3cc5514c1451de5474e73b570d4405f63554055e1c

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VegaStealer_v1.exe
Size

6.7MB
MD5

41b8caca7e2c1ec36c2528fcd6a3f334
SHA1

45ef2451a4916cf5c88e90eb1e4360f04ba3549e
SHA256

c59fdd5b90add682937cc8dfccfb84d460ea9f14c3dc9df895a0b8596877fb16
SHA512

f160616571478eb55fb6a61c94961c7c47b0db56f03638918641fdfbc505e929921b88a9059d44554edee6e6a1c4e73127c0db0fe9df0df8d69ac73f9fa4599f
SSDEEP

196608:Rrp3ECTkyi+4l72FW1aq3BzV+gSYyPO6GEkhQAp6UFj4:VHw/lqFWYq3lV+gSYyP3GEkmJ

Score

10^/10

blackguard spyware stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	VegaStealer_v1.exe

Executes dropped EXE 1 IoCs

pid	Process
3240	v1.exe

Loads dropped DLL 1 IoCs

pid	Process
3240	v1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com
34	freegeoip.app
35	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v1.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3240	v1.exe
3240	v1.exe
3240	v1.exe
3240	v1.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	v1.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 3240	2804	VegaStealer_v1.exe	87
PID 2804 wrote to memory of 3240	2804	VegaStealer_v1.exe	87

C:\Users\Admin\AppData\Local\Temp\VegaStealer_v1.exe
"C:\Users\Admin\AppData\Local\Temp\VegaStealer_v1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\v1.exe
  "C:\Users\Admin\AppData\Local\Temp\v1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.7MB

MD5
a73fdfb6815b151848257eca042a42ef

SHA1
73f18e6b4d1f638e7ce2a7ad36635018482f2c55

SHA256
10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

SHA512
111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.7MB

MD5
a73fdfb6815b151848257eca042a42ef

SHA1
73f18e6b4d1f638e7ce2a7ad36635018482f2c55

SHA256
10c9ccec863ed80850c7b7080e4f2e34b133ce259d1ae3ea7a305cebf6e2940d

SHA512
111f5a7bd916ab317fc127cbf49a2a81c2a614ce3a655a0446f2ebf3c2e61509db5633a391bef06c4ba0b58a71c752262ec2467a09abc56827263c647b08a09d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1.exe

Filesize
4.6MB

MD5
eb7f803cbace4fbc19716180481fbbe1

SHA1
9525001f6f88209d76baeba2eaf7a4d9325240dd

SHA256
bc79161f2093625fe17b17337979ccfdcedd18ff473ec008999f21f2b77bb081

SHA512
4d9cac839c2cacbfe3ff9c6a74ce22b2a68e8929dd3d89982dd6ea4640dad0e3215c6291cd0734b87c29ddf6880f8efec0bce43eb701492c6c2fe42dd0fdc886

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1.exe

Filesize
4.6MB

MD5
eb7f803cbace4fbc19716180481fbbe1

SHA1
9525001f6f88209d76baeba2eaf7a4d9325240dd

SHA256
bc79161f2093625fe17b17337979ccfdcedd18ff473ec008999f21f2b77bb081

SHA512
4d9cac839c2cacbfe3ff9c6a74ce22b2a68e8929dd3d89982dd6ea4640dad0e3215c6291cd0734b87c29ddf6880f8efec0bce43eb701492c6c2fe42dd0fdc886

Download Submit
C:\Users\Admin\AppData\Local\Temp\v1.exe

Filesize
4.6MB

MD5
eb7f803cbace4fbc19716180481fbbe1

SHA1
9525001f6f88209d76baeba2eaf7a4d9325240dd

SHA256
bc79161f2093625fe17b17337979ccfdcedd18ff473ec008999f21f2b77bb081

SHA512
4d9cac839c2cacbfe3ff9c6a74ce22b2a68e8929dd3d89982dd6ea4640dad0e3215c6291cd0734b87c29ddf6880f8efec0bce43eb701492c6c2fe42dd0fdc886

Download Submit
C:\Users\Admin\AppData\Roaming\SystemFiles\Process.txt

Filesize
1KB

MD5
39e28d577f60e82b7f808a1476f23ac4

SHA1
2dc6b0fe3f86daca3866e81486b8cdc54a8a3e00

SHA256
2accce97f1bd003fbdbfb66cc634eb6a76f2bded1961fe96322a6f8f71aae00d

SHA512
c29a65ea2e2ae4a9c92e1d5b34e24086b9850e588889a197bbc3f80f3582cf182eaa1df0b32fe74d182070f7ba2f81f5ffa20d1c386ec221072b0ef432ca4e4e

Download Submit
C:\Users\Admin\AppData\Roaming\SystemFiles\Process.txt

Filesize
1KB

MD5
39e28d577f60e82b7f808a1476f23ac4

SHA1
2dc6b0fe3f86daca3866e81486b8cdc54a8a3e00

SHA256
2accce97f1bd003fbdbfb66cc634eb6a76f2bded1961fe96322a6f8f71aae00d

SHA512
c29a65ea2e2ae4a9c92e1d5b34e24086b9850e588889a197bbc3f80f3582cf182eaa1df0b32fe74d182070f7ba2f81f5ffa20d1c386ec221072b0ef432ca4e4e

Download Submit
C:\Users\Admin\AppData\Roaming\SystemFiles\Process.txt

Filesize
230B

MD5
9e7f1384892de4b4c71d630b5413e832

SHA1
29cf10ae7b72193462436f188d75f575fb9869f2

SHA256
c71e94fb1c8e53aca3ddd38e2df2eb37cde2a4a7d021425dbcd69872b0a280e7

SHA512
81b3c85d572a32c03a3050327cc7bb95cb7f9a6135d6dd00a0b6e0eb555663b7b0022778137fb336e99205f2ab5d45fd19168caa64ffdc1e5fd355acc593a369

Download Submit
C:\Users\Admin\AppData\Roaming\SystemFiles\Process.txt

Filesize
1KB

MD5
39e28d577f60e82b7f808a1476f23ac4

SHA1
2dc6b0fe3f86daca3866e81486b8cdc54a8a3e00

SHA256
2accce97f1bd003fbdbfb66cc634eb6a76f2bded1961fe96322a6f8f71aae00d

SHA512
c29a65ea2e2ae4a9c92e1d5b34e24086b9850e588889a197bbc3f80f3582cf182eaa1df0b32fe74d182070f7ba2f81f5ffa20d1c386ec221072b0ef432ca4e4e

Download Submit
memory/3240-37-0x000001F55EBA0000-0x000001F55EC06000-memory.dmp

Filesize
408KB

Download
memory/3240-65-0x000001F544490000-0x000001F5444B6000-memory.dmp

Filesize
152KB

Download
memory/3240-24-0x000001F55E630000-0x000001F55E64A000-memory.dmp

Filesize
104KB

Download
memory/3240-22-0x000001F545CE0000-0x000001F545CFE000-memory.dmp

Filesize
120KB

Download
memory/3240-46-0x000001F55EC60000-0x000001F55ECB0000-memory.dmp

Filesize
320KB

Download
memory/3240-59-0x000001F55ECB0000-0x000001F55EFDE000-memory.dmp

Filesize
3.2MB

Download
memory/3240-21-0x000001F55E600000-0x000001F55E622000-memory.dmp

Filesize
136KB

Download
memory/3240-20-0x000001F55E680000-0x000001F55E6F6000-memory.dmp

Filesize
472KB

Download
memory/3240-64-0x000001F55F020000-0x000001F55F05A000-memory.dmp

Filesize
232KB

Download
memory/3240-23-0x000001F55E940000-0x000001F55E99A000-memory.dmp

Filesize
360KB

Download
memory/3240-70-0x000001F55FE70000-0x000001F560032000-memory.dmp

Filesize
1.8MB

Download
memory/3240-74-0x000001F545D20000-0x000001F545D30000-memory.dmp

Filesize
64KB

Download
memory/3240-19-0x000001F545E60000-0x000001F545F12000-memory.dmp

Filesize
712KB

Download
memory/3240-18-0x000001F545D20000-0x000001F545D30000-memory.dmp

Filesize
64KB

Download
memory/3240-17-0x00007FF878FE0000-0x00007FF879AA1000-memory.dmp

Filesize
10.8MB

Download
memory/3240-16-0x000001F543BF0000-0x000001F544088000-memory.dmp

Filesize
4.6MB

Download
memory/3240-166-0x00007FF878FE0000-0x00007FF879AA1000-memory.dmp

Filesize
10.8MB

Download