blackguard

Resubmissions

19-10-2023 11:09

231019-m9hf6agh68 10

Sharing

Copy URL

Twitter E-mail

General

Target

Winrar22.rar
Size

23.3MB
Sample

231019-m9hf6agh68
MD5

eadc667fa132bbe41f67c5fb7b2bab40
SHA1

8e2d0875493489136fe2d6b3506e5cbf3f595a82
SHA256

4051d791566f289683ee377effd774a80b7eb2b251e604e3eeabf923d75c0c98
SHA512

94deb9a53e36613e0f55a40bf61293912b7a507d3a02bd4f049e342aab2400fca5f0a3ec8338326e305d79176681c0b2a90f9a38b494d468cbde770dc83a0f96
SSDEEP

393216:knRvBoB04pELrxxB+c/eSCXHmCyLxVwHS4Uvx5Qvpvv/70SgOlxDTvbywGMqVWZ+:6uc/xxB7xMk2y4Uvx4pvvxgOXDrIz5JZ

Score

10^/10

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6354695103:AAHubIE_CU7KQ2I2dTWhfqBUvp-pN_3WX8s/sendMessage?chat_id=6277797798

Targets

- Target
  
  AnyDesk v3.6.3 (аналог TV).exe
- Size
  
  1.7MB
- MD5
  
  212bd731ad0a24112b902219bf5df492
- SHA1
  
  4ee0170e83a9a03fe59c1a18a9b7a8c783fdb000
- SHA256
  
  868b36a2b4061539d6b425fe05f6ee3c53ea3475ddcbdb97c614c8f6c030ba7f
- SHA512
  
  07cf5eaae7346d333d87aad7043bed4a6163a51aac57a72c93dda5c6ba5a1d89094aea349f3ece5a084199badfd4b2beda644c32b9fa86798017eb8ed1beed6d
- SSDEEP
  
  49152:gFxMCRtOW04224cOBAOBK1vA28iTezChqbCN1c2:f44WD2lcOBAOBK1YFpz0qbcH
Score

1^/10
behavioral1
- Target
  
  DLL Explorer 1.2/DLLExplorer32.exe
- Size
  
  598KB
- MD5
  
  326c06ca43356ca2aed1180f1974b4d4
- SHA1
  
  a94c8a92b55c7d5f06258daca70e9397110f389f
- SHA256
  
  4b6cf55e9d62c62f130dc0260f13367bc88113f04a3067eaf753dca5540d12e0
- SHA512
  
  4ef7abad84c51f734965c07a3311ac550b74229185ff9decc14adeb00b4b74aa369326f52da9721d4b189dd50b5d785107d342fb23d9c8e73a2f3d3fd96e6fea
- SSDEEP
  
  12288:tmDAgh1PBYwrWQGIKbB3vibk1tRpcMT6QWOkoSPygJGFz9ms:tQ1P1SQHGl1L55D2GFQs
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral2
- Target
  
  DLL Explorer 1.2/DLLExplorer64.exe
- Size
  
  740KB
- MD5
  
  02ca78b8f497477864191f586504ca9f
- SHA1
  
  c26d56061585f8625a4d27d1ec150b4fc6fcc2b5
- SHA256
  
  ebd5e153a4657c1bfa3c658a0cbff329c20fe0b1eba91cc09a455ecaadd7716f
- SHA512
  
  719cfbaa31a28e36069264e4906e812c4fa77cfe5f4e7026521b40de5759bc74f73a092093910f9870174ae4e3a35de6f398ff22c77d5b04d7f8fc2832a53374
- SSDEEP
  
  12288:XGnZajfA/8Gc7TpG7ZX4hY6TfSJHKOE5dR0XygJGFzq4a:XGQo/NcxGNX4xIE5dR6GF3a
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral3
- Target
  
  DLL UnInjector 1.3/NVTDLLUnInjector.exe
- Size
  
  2.6MB
- MD5
  
  ad332eb68417955b5e5dd8c3f7a0f745
- SHA1
  
  e375dd0dcca0e9a24bda24cc7bf5e4540189e9e9
- SHA256
  
  eb66948d58994945e53babeec0114627049fae34d6e84f743f0b2b3b44675dff
- SHA512
  
  101d2ab837c1ff31254cacb1d251bd7c40c84fcb096801cb7bef195f8aa13936ada748c116f359612f6641b028b9e5aa03009363ebf19a0925dbea7ad69b1963
- SSDEEP
  
  49152:wHoBq1dy7ttwsOrySS0fGDSEQA/o/TVoXsOjc:6oUGsOjc
Score

1^/10
behavioral4
- Target
  
  Everything 1.4.1.877/Everything.exe
- Size
  
  525KB
- MD5
  
  3282378f64196fd1c9dd8d20178fd436
- SHA1
  
  2041bceee6a86f45aa34af27b3d9a7ca686e9a5c
- SHA256
  
  5936bbb1113b1c803ccfb8eb96ff271957ac87db89bc3756ddb20b9caf376d44
- SHA512
  
  a81051cc67460a325c66123dbf5155c9b26d770d42f0771d2a0999b37823762c111ff92687550e7635df6a3c221fd30f70a06cb94d5db56509dcc8081b6980d7
- SSDEEP
  
  12288:Wvq/MdoHbG6A159vqIVL05hxtxmB+cikhoSrbxDu:WddKndIVqxtUB+cD6
Score

7^/10

upx
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral5
- Target
  
  Everything-1.4.1.1022.x86-Setup.exe
- Size
  
  1.7MB
- MD5
  
  f9330358c8250a792b0e80d023d6914e
- SHA1
  
  3a2698d59851b00f80300c2e263208c4783d78b2
- SHA256
  
  3860e524fbfe73d52ed16f762e6ed705cc31a520ac601e4bd8622cd99f93af58
- SHA512
  
  e025793f10e55d35857608e3f5ddc711713045adcc84f9cb9f7d5d78b57842fd3fbef35f7992bcd60c6135fa2ec415afee4bbd56f96b862ef8318ee3561f5a7a
- SSDEEP
  
  49152:RbDl0ZbsA/0biZwx0ihyuU7TdRnm2IMUiOF1rJOOXI:RbOZbpMb1KaSds2Iti2JOT
Score

4^/10
behavioral6
- Target
  
  LastActivityView 1.2.7/LastActivityView.exe
- Size
  
  70KB
- MD5
  
  25d9f5250c1b506f6c55acae76a2401f
- SHA1
  
  180b24e28b9d81c2a9c3777a3d0b7add17e94e6d
- SHA256
  
  5a66c173e3f604aecdcf63e45c8876289679030ec19b531e121c6b42cf064963
- SHA512
  
  c9316d727043f88f9a117226b8218ef988596a478ec5af38d7043f10b5ffc10dccc10d7664b2583e099c2c4a69ab2427006d9404f18a1eedf11bf2e479990f87
- SSDEEP
  
  1536:xZNZOm2wkLTYqzIvMCx6YfhNP4YbPXNCyk9Nvr1HhD6cJ8qbiQ:xXowkLTYNV6YfXhwy858cXX
Score

9^/10

discovery upx
- Nirsoft
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
behavioral7
- Target
  
  LastActivityView 1.2.7/Сохранить отчет LastActivityView.bat
- Size
  
  100B
- MD5
  
  fee395eb478f2f4e7645d82bf48c3fd8
- SHA1
  
  69fab669e47201d349128648519ab57067d8bd74
- SHA256
  
  f51c87997520b087f73e80a0809352a9824c65406c903b91ee4abb12216b88bb
- SHA512
  
  1197b01afeca3aec71f17278f0a4e7d6a4ba7c859a9f8a14b9cec02dcfbe4daf2e055ab2a81c4f080efd2ecc55c7844459d80cb5462b4eb83332b6866c963c06
Score

9^/10

upx
- Nirsoft
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral8
- Target
  
  Lastproverka.bat
- Size
  
  149B
- MD5
  
  30cdfb84f2613606baffa3bcbdc72682
- SHA1
  
  8f6b87c87a9f132da316e2e4bf05cd91967d476e
- SHA256
  
  345c8b5860ea468a91816d39bef06290fc324e78a40cf512fc2eaa5762b26cac
- SHA512
  
  639c023ece36247c811abfddaed4ee1e8521a08ddfbfa3d61df4f504238b60e3f0155c3ce9fd56dd7355f0c97d61c9163c6a57a5cd4514273bd0a838c757aa80
Score

3^/10
behavioral9
- Target
  
  NirCMD 2.8.1/nircmd.exe
- Size
  
  43KB
- MD5
  
  84d499f558570c32f4cb100a9124890b
- SHA1
  
  9adfc7ab66348d84ebdd9c1e8093cad4cc8485ef
- SHA256
  
  31b3b228382dc359f22ae97b2602eee81dc743fb21196061eacc6619533881f5
- SHA512
  
  560aaadebcbd425d35fc3a567c987a5f15a5f091962328f0479c1ec2378c732cca892eb3252179c8895413b0f3d08f44fbcf8c9d2375877c81622f42e6549c86
- SSDEEP
  
  768:e4OBw5XDtS0d0xr6xczY6jU19q2T5D8EZdZzaJqn:+wtDtS0yV6B6A19FTiEZXaJqn
Score

9^/10

upx
- Nirsoft
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral10
- Target
  
  NirCMD 2.8.1/Скриншот hl2.exe.bat
- Size
  
  941B
- MD5
  
  d27cfeabdff3e1dfda4d57473e4b8f0a
- SHA1
  
  a9104297d2f43e9165ed0aa30c08c0278ae45052
- SHA256
  
  5445407d7ef11995daba416811c2c973a31e57fee778f40a3903199a0675b9cb
- SHA512
  
  23f040f038e1854f21b9ee0ea0fa74edf2d096ecf4906be6d308e1017dd7d1bae30797f35b1a0b10da2d22bdc7a08022f5cf39c822600249cbc661e5905f5830
Score

9^/10

upx
- Nirsoft
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral11
- Target
  
  NirCMD 2.8.1/Скриншот ucp.exe.bat
- Size
  
  945B
- MD5
  
  1da47c1fa8903e1af2cbea2190f32b7a
- SHA1
  
  eeb9ad2dac3697bd92b38398ab0c7c320456bb41
- SHA256
  
  62ef08bf3ff8ad148db0167cb0c301b154b540e5bd794e01c74d70649dbcc2b2
- SHA512
  
  69a0249b0b7f07b4e5178f4f883bccee76ab992310a8dbb98b7168f5d27f0876c7c95c1421e622cd43be61a9438baf8ea60ca9e8e21abe68a6e18c44c197e73c
Score

9^/10

upx
- Nirsoft
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral12
- Target
  
  OpenedFilesView 1.80/OpenedFilesView_32.exe
- Size
  
  67KB
- MD5
  
  4338ff8ae33b8c6150feebcaa4864129
- SHA1
  
  4294ca4e350a5b67630c369823dc7ee2dd66253c
- SHA256
  
  5b4b9700ad8bbde39b7d597add33587edaaa0a36fabb7c47b642e9d8ff0ca441
- SHA512
  
  a2a460575a7f5d4d55984054c9de7cca6e1a0beec1b0ef39c9bd71e48685fb8b27d0819ec3a56704ee67d254a51185ea567ce94a6fc5124503401e456d22bb88
- SSDEEP
  
  1536:13PmFb9LibbWSonH9/Hbr3BEy08/1cu32YMtgo7biRx:dmFUfWPd/XRbB1v329gkSx
Score

9^/10

persistence upx
- Nirsoft
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral13
- Target
  
  OpenedFilesView 1.80/OpenedFilesView_64.exe
- Size
  
  161KB
- MD5
  
  3a141e17cc040541f41c91954a0d7107
- SHA1
  
  223b2d434945be1737e6293324f70ac356c17820
- SHA256
  
  4b0e6fd66ab11eb0ea8b5f022af6056ba9fe4fbcfe2e2338f1f81cc797907f71
- SHA512
  
  7c69b6c3d73958f722635877548f8862e65af2fe51c3dde895d76d04730d46392312541ceab3d77eb1f53653d951af3fd94ca433c1611bbb1f9490bf03f61a02
- SSDEEP
  
  3072:Hmq9CBOQi2vHXyNI7wEHy7uesh21ekARA8pw:3mGUHiEyKM1e+
Score

8^/10

persistence
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
behavioral14
- Target
  
  Process Hacker 2.lnk
- Size
  
  1KB
- MD5
  
  9b914622a9a3f42ca3ceb0f3a7d4f96e
- SHA1
  
  8770812813e04e2bdab5c4e0e84590be6ab5c436
- SHA256
  
  843aa58ba4bee0a3e0f5f088a07e443d3a7ff408fe4ff61accf58ac8bfab8ba1
- SHA512
  
  13f3c6f8277024f7ad30decffd81397a9f750f6a470e2e56cbeca84505c2a9eb8ac3c9c40c2c46b68a4e6cfc1b5e3fc08359e5ecc46eb4feafa886fdca0ca190
Score

3^/10
behavioral15
- Target
  
  Recuva 1.53.1087 Pro & Portable/Recuva_Portable.exe
- Size
  
  2.9MB
- MD5
  
  68057fa2ef68e7f290c0672e0cc9e308
- SHA1
  
  84a20015b826c76f183818e158e863537d185983
- SHA256
  
  de23b5fa4913b9c81ae719acea754e3d6fa7e7440ad6020b215c43f25d16aec0
- SHA512
  
  8da2641b90605a33240b7110951fc16a7cbabcf00fa25e40202cbe7c173a68c4743295f482ef3ec7d2f81a0f0e61d6f833ea9e356a4f988519a346562231053a
- SSDEEP
  
  49152:qF4QAuRc7ogh7PoxFKj6dCry8y9tqvcxHdjOsapgWXlRxMNZu+rBFkKU:G4oRcnstdCW+kxHNMGW6eIFkKU
Score

7^/10

upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral16
- Target
  
  Shellbag_analyzer_cleaner.exe
- Size
  
  7.7MB
- MD5
  
  3ae04f7a93e7b23687ce6f82063e17ff
- SHA1
  
  f1944f467dfa8df6423fb5ac329df21b3cf24b21
- SHA256
  
  0db0408a30ff4c9548c015c6b6181a709130d4854288120a9cba5e9b14be52f0
- SHA512
  
  f846885d4f0f3ff46510e58f6a1dafbcf29821c35ddb33980a6665ac65eb125f2687a53f80981d0a42c60b63de1d497253f85b887c67ea160f80e7f66576b70a
- SSDEEP
  
  196608:bsKo8WI1AnTcKsYRK47UoZVIdYtXuo3rsEo2vJM980U:bsKo8WI8TcyzxN3rPG9G
Score

10^/10

blackguard spyware stealer
- BlackGuard
  Infostealer first seen in Late 2021.
  stealer blackguard
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral17
- Target
  
  USBDeview 2.73/USBDeview.exe
- Size
  
  69KB
- MD5
  
  d51df163ba66f6a6f73a5c397b77e15e
- SHA1
  
  651cec3a0844fd4b3b33aaec635e377b6adf0832
- SHA256
  
  a24f1bf5738049f87ecefdb0ea9c8cd34ad9fa9400a6ba4bd08543f38f71b01e
- SHA512
  
  cb198fcad6ebddd2feae99bfe977223e9ef39f5b0fd3a92c769c7609b50c9895e491539366c343d3a413c673c09bdbe52bdc0c40aaaeb561d073dcc73b8df12d
- SSDEEP
  
  1536:73YQKaOINUJ37gltDDoWFFBCQvZl9g33iBMm1z5nkGUbiK:7HKaPU6jllgHZmvkhd
Score

9^/10

upx
- Nirsoft
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
behavioral18
- Target
  
  UserAssistView 1.0.2/UserAssistView.exe
- Size
  
  30KB
- MD5
  
  f36530f46a34516be38521ee9a134d28
- SHA1
  
  47f0553e0a0febbef59fd9a32149497bbdd5229c
- SHA256
  
  bc11c4150bbc6f8b2cf7bc96bedbb183c61d53ab8e4052b15d58bad6b6d1befa
- SHA512
  
  5c1a1282ffc25409d0044770c80e92f7a89fb40567dbb24f64f46750083bb30b842a63ef58b8b9433fa5a5903a5aa7bf71ee941709365c6bc17a9f4d85b1ad5d
- SSDEEP
  
  384:IecsPHRggjhCnMgZas8+oAEqPm63AovtX625wWMPODVDSt/U/BEUxhUp5Erzrbqu:HhCWSrPlX62arODxS1U/Br9nrbqUo
Score

9^/10

upx
- Nirsoft
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral19
- Target
  
  processhacker-2.39-setup.exe
- Size
  
  2.2MB
- MD5
  
  54daad58cce5003bee58b28a4f465f49
- SHA1
  
  162b08b0b11827cc024e6b2eed5887ec86339baa
- SHA256
  
  28042dd4a92a0033b8f1d419b9e989c5b8e32d1d2d881f5c8251d58ce35b9063
- SHA512
  
  8330de722c8800ff64c6b9ea16a4ff7416915cd883e128650c47e5cb446dd3aaa2a9ba5c4ecda781d243be7fb437b054bbcf942ea714479e6cc3cef932390829
- SSDEEP
  
  49152:l9hfV/U5NkLXXzGZjt6kFTCVP6hWE0wvmk/eE+FrAl+NGsOSE6IX8pq:Dh9/ULkjKxtTGP6VZd2rAcvOSE6Nq
Score

7^/10
- Executes dropped EXE
behavioral20

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Tasks

Resubmissions

Sharing

General

Malware Config

Extracted

Targets

UPX packed file

UPX packed file

UPX packed file

Enumerates connected drives

Nirsoft

UPX packed file

Checks installed software on the system

Nirsoft

UPX packed file

Nirsoft

UPX packed file

Nirsoft

UPX packed file

Nirsoft

UPX packed file

Nirsoft

Drops file in Drivers directory

Sets service image path in registry

UPX packed file

Drops file in Drivers directory

Sets service image path in registry

Checks computer location settings

Executes dropped EXE

UPX packed file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Nirsoft

UPX packed file

Enumerates connected drives

Maps connected drives based on registry

Nirsoft

UPX packed file

Executes dropped EXE

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20