Overview

overview

10

Static

static

1

3b4c449beb...b1.exe

windows7-x64

10

3b4c449beb...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    235s
  • max time network
    261s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-12-2023 20:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b4c449beb189f0825e16754103a4ab1.exe

  • Size

    1.7MB

  • MD5

    3b4c449beb189f0825e16754103a4ab1

  • SHA1

    53405948ae32606096dfce7ab63e9aa2c26c4f0a

  • SHA256

    02aad493c8daaca9ac8ebe11f072d1dc500aeb72ee2e3fcdd1ec4b1fc2a40bb1

  • SHA512

    092525e85563de7abeb55d4b728d488a2890c255363063e0c94b83c21f776978369334a541579b16f985801d8e280c8ce962fb805b387a9ed4dcfe580cc6f549

  • SSDEEP

    49152:65Paa0OScMGQg1Fsm+3GSky9kY/pKVYWuHiEc7J:CPa9OSRvmwky9kY/JHi7l

Score
10/10
44caliberblackguardspywarestealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1938169884:AAGbfbPPFVakdCHJgp_PIDvE8jD7mA52LB0/sendMessage?chat_id=1143386592

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b4c449beb189f0825e16754103a4ab1.exe
    "C:\Users\Admin\AppData\Local\Temp\3b4c449beb189f0825e16754103a4ab1.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:5116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\ProgramData\44\Process.txt
    Filesize

    1KB

    MD5

    a0148b469f0b4df2e0f8baae3e9cfa30

    SHA1

    2cf07e74eb64a17e9fedfcf44725a73267808afa

    SHA256

    a6f714485209de5346584333a7bca5e13ebc293a0046ab278c027dcf281313df

    SHA512

    876db281c266c630a6b6373e645593eca400abc4ecf50793feffb1429524261d63c916841278784a6698ef2c92daab3864374702c9b40fe742db7515d18def15

    Download Submit

  • C:\ProgramData\44\Process.txt
    Filesize

    442B

    MD5

    9955928d00ad394915961138cf70516c

    SHA1

    7ce8528b0808899752c53b27a81235fd5009e62d

    SHA256

    e1e0bf032926d717812ea01aa5c9100d7c28df93ee9f4df0510708c7169ad8c4

    SHA512

    f611d7492c6837bbca78162a4e019b8e9abc141fdf0276040bd8643de33f9c19c671c774e2d9333fac95716a9870117ca1cf42f461a394cb611a23f50ecf981f

    Download Submit

  • C:\ProgramData\44\Process.txt
    Filesize

    707B

    MD5

    0c0e2601599128fb90b47d8a2f55404b

    SHA1

    970b0602f077a069a9b3071885cd78aac2ef4b2b

    SHA256

    8b654507d8b72a2952dac1428c1bf9e745c355aef136311ca1db34c3d0b7c2a4

    SHA512

    cd7956050491188a7ce5ccac53a30901e46e35319fafe2c701ac45bb1f7ec705f912c8aece8fc66bef88f491bcf20e55423cc19943c4be9111fea85c0511e973

    Download Submit

  • memory/5116-42-0x0000000007A40000-0x0000000007FE4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5116-3-0x0000000074690000-0x0000000074E40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5116-40-0x0000000000F80000-0x0000000001462000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/5116-41-0x00000000073F0000-0x0000000007482000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5116-0-0x0000000000F80000-0x0000000001462000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/5116-4-0x0000000000F80000-0x0000000001462000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/5116-2-0x0000000000F80000-0x0000000001462000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/5116-5-0x00000000066C0000-0x00000000066D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-134-0x0000000007880000-0x00000000078E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5116-136-0x0000000074690000-0x0000000074E40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5116-137-0x00000000066C0000-0x00000000066D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5116-155-0x0000000000F60000-0x0000000000F6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5116-156-0x0000000000F70000-0x0000000000F78000-memory.dmp

    Filesize

    32KB

    Download

  • memory/5116-157-0x00000000015C0000-0x00000000015E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/5116-158-0x00000000080F0000-0x0000000008444000-memory.dmp

    Filesize

    3.3MB

    Download