blackguard | 0d1cae55df38fd37663fa74a1840201ea190a6d333075bf686e0475e9e354cba

General

Target

bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe
Size

9.6MB
MD5

ec333982af0977d8af5a4984792a4385
SHA1

d5b7e49c6476766d45a18cdd150d0679a9529a5a
SHA256

bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74
SHA512

1446ecc9ca6f193796cdbaf1b9f291b85a36279659254e6cbf286dba8a0e5f233c889b459b799a0d18462f1210841a61a207f76bc90db4365a43e7d967761cfc
SSDEEP

49152:LLLjKXCrX+hMesdq40bf95X9K5NRcSJDg/u/fiGhG6E7/6bp1pBt0zKkevwN/+j:

Score

10^/10

blackguard stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe

Executes dropped EXE 2 IoCs

pid	Process
3204	NB93YZEH.exe
4952	0VJH6091.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3204	NB93YZEH.exe
Token: SeDebugPrivilege	4952	0VJH6091.exe
Token: SeTakeOwnershipPrivilege	4952	0VJH6091.exe
Token: SeRestorePrivilege	4952	0VJH6091.exe
Token: SeTcbPrivilege	4952	0VJH6091.exe
Token: SeBackupPrivilege	4952	0VJH6091.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4952	0VJH6091.exe
4952	0VJH6091.exe
4952	0VJH6091.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 3204	1668	bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe	84
PID 1668 wrote to memory of 3204	1668	bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe	84
PID 1668 wrote to memory of 4952	1668	bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe	85
PID 1668 wrote to memory of 4952	1668	bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe	85
PID 1668 wrote to memory of 4952	1668	bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe	85

C:\Users\Admin\AppData\Local\Temp\bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe
"C:\Users\Admin\AppData\Local\Temp\bde2b977cdd7c086a35825a9ba7f2307341a3917f40cc193ed316dde106a6c74.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Roaming\Adobe\NB93YZEH.exe
  "C:\Users\Admin\AppData\Roaming\Adobe\NB93YZEH.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3204
- C:\Users\Admin\AppData\Local\Temp\Low\0VJH6091.exe
  "C:\Users\Admin\AppData\Local\Temp\Low\0VJH6091.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Low\0VJH6091.exe

Filesize
1.8MB

MD5
cdb983e76d6fc15c5eaef54a063f0091

SHA1
ff22a165f86cf929727fa12d8e787e69d24bb19c

SHA256
0d9e31079d1626252be3d0241e9559e975a0ccf94648d4f41219119136f361f1

SHA512
a665a3c222a4fb218dca8af4e10582e493e4aec146e6e5bbf1091d482ea3081528e77fc9b176f892d5ba04fe442991947acc20242b3e4885fd37a614a963f3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\0VJH6091.exe

Filesize
1.8MB

MD5
cdb983e76d6fc15c5eaef54a063f0091

SHA1
ff22a165f86cf929727fa12d8e787e69d24bb19c

SHA256
0d9e31079d1626252be3d0241e9559e975a0ccf94648d4f41219119136f361f1

SHA512
a665a3c222a4fb218dca8af4e10582e493e4aec146e6e5bbf1091d482ea3081528e77fc9b176f892d5ba04fe442991947acc20242b3e4885fd37a614a963f3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low\0VJH6091.exe

Filesize
1.8MB

MD5
cdb983e76d6fc15c5eaef54a063f0091

SHA1
ff22a165f86cf929727fa12d8e787e69d24bb19c

SHA256
0d9e31079d1626252be3d0241e9559e975a0ccf94648d4f41219119136f361f1

SHA512
a665a3c222a4fb218dca8af4e10582e493e4aec146e6e5bbf1091d482ea3081528e77fc9b176f892d5ba04fe442991947acc20242b3e4885fd37a614a963f3c6

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\NB93YZEH.exe

Filesize
1.8MB

MD5
8bbaf95337912b8a1d36594e5bb2f5e6

SHA1
5db26a00543868b7f7bc88ec6597a17cf0dc71ae

SHA256
c50a943a78dc0049438b810fae2973ade0350c6ad76f924348fd56daff9fdf3a

SHA512
3665bbbfced55b369c0a3926fbe1682c3dc80e669d33fc523b4e23c2bbbb38f34b50d04bf369d0104d71ff99c73e9cb3d525408f0f137d7e870d7dded4196620

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\NB93YZEH.exe

Filesize
1.8MB

MD5
8bbaf95337912b8a1d36594e5bb2f5e6

SHA1
5db26a00543868b7f7bc88ec6597a17cf0dc71ae

SHA256
c50a943a78dc0049438b810fae2973ade0350c6ad76f924348fd56daff9fdf3a

SHA512
3665bbbfced55b369c0a3926fbe1682c3dc80e669d33fc523b4e23c2bbbb38f34b50d04bf369d0104d71ff99c73e9cb3d525408f0f137d7e870d7dded4196620

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\NB93YZEH.exe

Filesize
1.8MB

MD5
8bbaf95337912b8a1d36594e5bb2f5e6

SHA1
5db26a00543868b7f7bc88ec6597a17cf0dc71ae

SHA256
c50a943a78dc0049438b810fae2973ade0350c6ad76f924348fd56daff9fdf3a

SHA512
3665bbbfced55b369c0a3926fbe1682c3dc80e669d33fc523b4e23c2bbbb38f34b50d04bf369d0104d71ff99c73e9cb3d525408f0f137d7e870d7dded4196620

Download Submit
memory/1668-29-0x00007FFCB82E0000-0x00007FFCB8DA1000-memory.dmp

Filesize
10.8MB

Download
memory/1668-0-0x0000000000220000-0x0000000000BBA000-memory.dmp

Filesize
9.6MB

Download
memory/1668-27-0x00007FFCB82E0000-0x00007FFCB8DA1000-memory.dmp

Filesize
10.8MB

Download
memory/1668-1-0x00007FFCB82E0000-0x00007FFCB8DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3204-23-0x000001CEE89F0000-0x000001CEE8BCC000-memory.dmp

Filesize
1.9MB

Download
memory/3204-21-0x00007FFCB82E0000-0x00007FFCB8DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3204-26-0x000001CEEB540000-0x000001CEEB550000-memory.dmp

Filesize
64KB

Download
memory/3204-30-0x00007FFCB82E0000-0x00007FFCB8DA1000-memory.dmp

Filesize
10.8MB

Download
memory/3204-31-0x000001CEEB540000-0x000001CEEB550000-memory.dmp

Filesize
64KB

Download
memory/3204-32-0x00007FFCB82E0000-0x00007FFCB8DA1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing