Overview

overview

10

Static

static

1

3b4c449beb...b1.exe

windows7-x64

10

3b4c449beb...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    7s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 23:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3b4c449beb189f0825e16754103a4ab1.exe

  • Size

    1.7MB

  • MD5

    3b4c449beb189f0825e16754103a4ab1

  • SHA1

    53405948ae32606096dfce7ab63e9aa2c26c4f0a

  • SHA256

    02aad493c8daaca9ac8ebe11f072d1dc500aeb72ee2e3fcdd1ec4b1fc2a40bb1

  • SHA512

    092525e85563de7abeb55d4b728d488a2890c255363063e0c94b83c21f776978369334a541579b16f985801d8e280c8ce962fb805b387a9ed4dcfe580cc6f549

  • SSDEEP

    49152:65Paa0OScMGQg1Fsm+3GSky9kY/pKVYWuHiEc7J:CPa9OSRvmwky9kY/JHi7l

Score
10/10
blackguardspywarestealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1938169884:AAGbfbPPFVakdCHJgp_PIDvE8jD7mA52LB0/sendMessage?chat_id=1143386592

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b4c449beb189f0825e16754103a4ab1.exe
    "C:\Users\Admin\AppData\Local\Temp\3b4c449beb189f0825e16754103a4ab1.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3704-0-0x0000000000400000-0x00000000008E2000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3704-2-0x00000000740B0000-0x0000000074860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3704-3-0x0000000003700000-0x0000000003710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3704-1-0x0000000000400000-0x00000000008E2000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3704-38-0x0000000006870000-0x0000000006902000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3704-39-0x0000000006EC0000-0x0000000007464000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3704-130-0x0000000006CF0000-0x0000000006D56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3704-149-0x0000000006460000-0x0000000006468000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3704-150-0x00000000076D0000-0x00000000076F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3704-151-0x0000000007700000-0x0000000007A54000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3704-148-0x0000000006450000-0x000000000645A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3704-153-0x0000000000400000-0x00000000008E2000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3704-155-0x00000000740B0000-0x0000000074860000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3704-156-0x0000000003700000-0x0000000003710000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3704-168-0x0000000000400000-0x00000000008E2000-memory.dmp

    Filesize

    4.9MB

    Download

  • memory/3704-169-0x00000000740B0000-0x0000000074860000-memory.dmp

    Filesize

    7.7MB

    Download