Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2023 16:24
Behavioral task: behavioral1
Sample: edda982bfd8986d01a3b5e005e5755ca.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: edda982bfd8986d01a3b5e005e5755ca.exe
Resource: win10v2004-20231215-en
General
Target: edda982bfd8986d01a3b5e005e5755ca.exe
Size: 246KB
MD5: edda982bfd8986d01a3b5e005e5755ca
SHA1: 68cbb8e9965fae9da6afba41dd600190755efe35
SHA256: 10b86a89f56513268e5094837990648fec44b1ddf3f2f2c959dc23f6a4d8c630
SHA512: 1309b7096e7e4733a036e4093ec28c9477ced09da85fffb838998a50354d9742b5cdef3b785ed1f74c107d51d0fc8d5e3b0160251cb14b54bd78aab696c91df1
SSDEEP: 6144:vKSTkgWAlEC9R9+EWj2JH/OkNfKjbvWCeQWJ:zYgWAl7AjEfXKmCVWJ
Malware Config
Extracted: blackguard
https://api.telegram.org/bot1711224512:AAG22Nlr-jO4MyOqR-e8u_WyFQ4Bw7rDtVw/sendMessage?chat_id=1640241476
Signatures

BlackGuard
Infostealer first seen in late 2021.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
2     freegeoip.app
3     freegeoip.app

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                          Process
Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             edda982bfd8986d01a3b5e005e5755ca.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  edda982bfd8986d01a3b5e005e5755ca.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
pid   Process
2004  edda982bfd8986d01a3b5e005e5755ca.exe
2004  edda982bfd8986d01a3b5e005e5755ca.exe
2004  edda982bfd8986d01a3b5e005e5755ca.exe
2004  edda982bfd8986d01a3b5e005e5755ca.exe
2004  edda982bfd8986d01a3b5e005e5755ca.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid   Process
Token: SeDebugPrivilege   2004  edda982bfd8986d01a3b5e005e5755ca.exe