Overview

overview

10

Static

static

1

063adc7edd...6b.exe

windows7-x64

10

063adc7edd...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    184s
  • max time network
    195s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-12-2023 22:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    063adc7edd5785637dff0fe0a606c36b.exe

  • Size

    1.7MB

  • MD5

    063adc7edd5785637dff0fe0a606c36b

  • SHA1

    c2a4fd1c096fbe9cc4347a470355848f597f3af7

  • SHA256

    3ef9b22bb2941ee55af25105b87c675ef1bf6acf8928b339e36e5da08958e852

  • SHA512

    c011c9a11f4dd86ca706a6fae86cc89331b4b6747c29330a79b2c513ac2c5d68dffe0160b8c67e68c4c102002414a7a4675fe2315e3470461fcd889c319b631a

  • SSDEEP

    49152:rFIAvAzZmo08b9N0qmI6pMH6UHP916LSfbqki67bFrp:5IAYzxVb9NR16pMHbHP916aql

Score
10/10
44caliberblackguardspywarestealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1932930596:AAGkiZTh1w6VZfvuopWYz6JzBbBOSRI3Ja4/sendMessage?chat_id=1089147415

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\063adc7edd5785637dff0fe0a606c36b.exe
    "C:\Users\Admin\AppData\Local\Temp\063adc7edd5785637dff0fe0a606c36b.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\ProgramData\44\Process.txt
    Filesize

    1KB

    MD5

    d089de0a2bece1c4a7f75de417704dc9

    SHA1

    b73ac979d4d0c54ebc8950b9b4b6cd70a709a7dc

    SHA256

    2d6016ea2ab97dfc298a58ef847473072aad6978889371601772827d0898ca58

    SHA512

    7f85eee05c4d5da68a160e3ea857dfb83a069e3056e77d590cb797021d4da722a10bcdf8c0724b946b35018adced0221309d02006746b3fc5582d613a2c2b999

    Download Submit

  • C:\ProgramData\44\Process.txt
    Filesize

    1KB

    MD5

    4a69f3618baeaee6d8f5b74dd56244b7

    SHA1

    2a6dc0a89c9575060825f28bd08ba636bfabd275

    SHA256

    02b4b4d28f23c154d72b91d6184936af37acc43a72effd22836a600caac53914

    SHA512

    0be42611a72a91ac9d6fe5478954ecd6c1b6c0138e43d13bd37797dffc0717bc7195c2c391c5c216e8a90b21d1599713164bf61bfed39d4769e4084aa76e937d

    Download Submit

  • C:\ProgramData\44\Process.txt
    Filesize

    484B

    MD5

    5a05864d8b52c8aba82a06ef5eff745b

    SHA1

    dda1bfb88453f4f0d6af31347d006d733aa51d54

    SHA256

    3581e91284368b4ddd732fac90a8941044d33119401f3b02ef8c89919eec3d60

    SHA512

    187ebb9d9177b8c97da279714c90612c42b5a739578d189b96064baee0be47c89562cbea520a68dab9fd9e063bd14db555e008e2306db5dcab6aa6e31d54c291

    Download Submit

  • memory/2568-4-0x0000000005F20000-0x0000000005F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2568-2-0x0000000074B20000-0x00000000752D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2568-41-0x0000000005F20000-0x0000000005F30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2568-42-0x0000000006DF0000-0x0000000006E82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2568-43-0x0000000007440000-0x00000000079E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2568-0-0x0000000000200000-0x00000000006E2000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-3-0x0000000000200000-0x00000000006E2000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-40-0x0000000074B20000-0x00000000752D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2568-1-0x0000000000200000-0x00000000006E2000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/2568-135-0x00000000073B0000-0x0000000007416000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2568-150-0x00000000014B0000-0x00000000014BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2568-151-0x00000000014C0000-0x00000000014C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2568-152-0x0000000001520000-0x0000000001542000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2568-153-0x0000000008240000-0x0000000008594000-memory.dmp

    Filesize

    3.3MB

    Download