Overview

overview

10

Static

static

3

32595ac793...74.exe

windows7-x64

10

32595ac793...74.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    2s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    32595ac79386e97e05f876c5dd2ab874.exe

  • Size

    1.7MB

  • MD5

    32595ac79386e97e05f876c5dd2ab874

  • SHA1

    c989b9d5095373707323209898e9af47d695b289

  • SHA256

    9935470ff0da61daff7361e3376f0a40401757e4d0ce6c20f07333bc6f041085

  • SHA512

    46a1592acee78ed4104bd68830f23665ac0cbbe8be1734c57d0b393b0a9daeabcfafee13f0083447a842c3578cd3d99cc18dbeb0eff3a0f0582f349b12ca068d

  • SSDEEP

    49152:RTaXfndwbmGJMZeFNOHoabDvhn0TKfurQqlnJfVWncA0xGM:RTkft2NVabD10TKfoFu50/

Score
10/10
blackguardspywarestealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1780840566:AAGlajN7Tzg16_1IyBIF3IbdIk9kg_wlmYw/sendMessage?chat_id=397349583

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\32595ac79386e97e05f876c5dd2ab874.exe
    "C:\Users\Admin\AppData\Local\Temp\32595ac79386e97e05f876c5dd2ab874.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3016-0-0x00000000000D0000-0x00000000005B2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/3016-2-0x0000000073CD0000-0x0000000074480000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3016-3-0x00000000056F0000-0x0000000005700000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3016-1-0x00000000000D0000-0x00000000005B2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/3016-36-0x0000000006620000-0x00000000066B2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3016-37-0x0000000006C70000-0x0000000007214000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3016-128-0x0000000006AF0000-0x0000000006B56000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3016-141-0x0000000006080000-0x0000000006088000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3016-142-0x00000000060E0000-0x0000000006102000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3016-143-0x0000000007220000-0x0000000007574000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/3016-140-0x0000000006070000-0x000000000607A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3016-145-0x00000000000D0000-0x00000000005B2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/3016-147-0x0000000073CD0000-0x0000000074480000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3016-158-0x00000000000D0000-0x00000000005B2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/3016-159-0x0000000073CD0000-0x0000000074480000-memory.dmp
    Filesize

    7.7MB

    Download