blackguard | b0ef37465f4bfd44ac7f62e3e0243788bbfeb437e485df5b85e17c9d1ee3b7fb

Analysis

max time kernel
35s
max time network
39s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2023 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v2.exe
Size

271KB
MD5

b28df9eedaccce71166a5b689b145f43
SHA1

530a22fca9f46f727400c40ba1a241c96c258d25
SHA256

b0ef37465f4bfd44ac7f62e3e0243788bbfeb437e485df5b85e17c9d1ee3b7fb
SHA512

ce1ede97a8a1adb88a6aa94647336bd395b81f9970188016014725ffacb23ad428db3c5ccbd565ed8ed6af13ea2938f73af8cf395b41a80f2e8deb1edc826a4a
SSDEEP

6144:JmYKJMVRp9hnmy0UYU9B93YUnLbBa2X3Rb36h3jQ:6J0Rp9hzL82ghTQ

Score

10^/10

blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6354695103:AAHubIE_CU7KQ2I2dTWhfqBUvp-pN_3WX8s/sendMessage?chat_id=6277797798

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	freegeoip.app
5	freegeoip.app

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1580	1008	WerFault.exe	81

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1008	v2.exe
1008	v2.exe
1008	v2.exe
1008	v2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	v2.exe

C:\Users\Admin\AppData\Local\Temp\v2.exe
"C:\Users\Admin\AppData\Local\Temp\v2.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 2284
  2⤵
  - Program crash
  PID:1580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1008 -ip 1008
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\VTFyPPDLBQNDLEKG.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\VTFyPPDLBQNDLEKG.Admin\Process.txt

Filesize
1KB

MD5
d7a4121df0139433641c3ed26129ec6f

SHA1
7eb076d289a4ed29607e28f25cf0384687baf401

SHA256
61cd5f3d35e2d734a1b67c9f0eabf7697ac3cc55eb391d88429113b198899205

SHA512
a6cf2066983ebf6d4514a5157b7ae2243c31a05e695a10d216a2240677b75007f356a68ffd5d17e596663d87b72e7f9f9ee633109f6ea8ae47e8c157b72805d8

Download Submit
C:\Users\Admin\AppData\Roaming\VTFyPPDLBQNDLEKG.Admin\Process.txt

Filesize
192B

MD5
7633f1ad2f445d1082670d067b44df0b

SHA1
5fbab752915b268e6eb8876ed47832f947052cd3

SHA256
24a5f96e7bde850612d3539d14cb5ea17d0b5f06018e97d73e528c0ff5cf2a4f

SHA512
308943e0897d2f747677531a6c149fcd39ae7e2331716860332f153b1e30583909ca3b023ae8a999af435935709bb56585b09df22604eac2fcca1ad29a98924c

Download Submit
C:\Users\Admin\AppData\Roaming\VTFyPPDLBQNDLEKG.Admin\Process.txt

Filesize
1KB

MD5
d7a4121df0139433641c3ed26129ec6f

SHA1
7eb076d289a4ed29607e28f25cf0384687baf401

SHA256
61cd5f3d35e2d734a1b67c9f0eabf7697ac3cc55eb391d88429113b198899205

SHA512
a6cf2066983ebf6d4514a5157b7ae2243c31a05e695a10d216a2240677b75007f356a68ffd5d17e596663d87b72e7f9f9ee633109f6ea8ae47e8c157b72805d8

Download Submit
memory/1008-0-0x00000000000D0000-0x000000000011A000-memory.dmp

Filesize
296KB

Download
memory/1008-1-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download
memory/1008-2-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1008-3-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/1008-50-0x0000000005E00000-0x0000000005FC2000-memory.dmp

Filesize
1.8MB

Download
memory/1008-51-0x0000000006580000-0x0000000006B24000-memory.dmp

Filesize
5.6MB

Download
memory/1008-135-0x00000000063C0000-0x0000000006426000-memory.dmp

Filesize
408KB

Download
memory/1008-136-0x0000000074F00000-0x00000000756B0000-memory.dmp

Filesize
7.7MB

Download