Analysis
-
max time kernel
539s -
max time network
541s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
02-01-2024 23:31
General
-
Target
Domashka.exe
-
Size
7.7MB
-
MD5
86e863875266e8345097c29d15741a8b
-
SHA1
ab5524d7f698de5928397f3506645ba952103e4a
-
SHA256
bb5d7edc909a7ea29836a501dddd5244d33d342ec6f75c1cf201f14ed55802ac
-
SHA512
22528bbe743825dbfb09743d2824ad5220125e3240bd4d0bd2f87bdc7d46a259aebc08a6fc2e75d6119d881742348fcde90e05142eaa4f29d9c2bbe88f2ae8d5
-
SSDEEP
196608:lX5lladq1hZvawTVNi1Fg6rTSGRzyEjNoi5d7nWO7:lHq6vFTIFg63R5j2E7nWG
Malware Config
Extracted
blackguard
https://api.telegram.org/bot6694446290:AAHhatGdMQTZc2j8T6IAfes0OfC6QMBYYSg/sendMessage?chat_id=6485360129
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Domashka.exe"C:\Users\Admin\AppData\Local\Temp\Domashka.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\v2.exe"C:\Users\Admin\AppData\Local\Temp\v2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
381KB
MD5b89601705aef62ff3691811efc464928
SHA1f40f8b943e40eac5163374bc25058fd5f83d7baa
SHA25665e8bd60af0c7e09a2cd7447f6faf041e4be82247a9d935fbc1dbdaa535ea560
SHA51285dc4081f033a85edec19a21503283205670044a8e05a3ba8182a2c60d3e176f89726c97b675d7c0579d4be0af45a4d180cbbb3df3e6e444eb37a8a947a96c87
-
Filesize
92KB
MD50fc6ebc6aaa52312cd251009fcc12902
SHA182319415cee327b0135a02abf96d3e6f01a9bc90
SHA2560c54d100b047b218f5328752192e7f2cea3f900a587591db1275b83bf6d70387
SHA51212843934a36fae3e0f04d9cd1e75ec1fab475cd6d8a21260081fd2160524e2f736ee1b45610bf296ce15c9e9f4af2377ca7b59791b4895dbc90d45899c1d33e0
-
Filesize
271KB
MD585a93044109a70f1bb119d78966a2e4d
SHA17ecf238e536cf12fa3ff3e57b984f8f147c21266
SHA256433b73b437ad4dd138d5a6a8cea12a4ff7bf93c2c9dc11844ab635b83638ebb8
SHA51230656d405995e5dfc38bd6504463b7290b72f635b6773c1d58b116ee43f3afe0d14eae118139e43448446b6a0ffa4098bbec77ff8580b8df210b32ef1f522691
-
Filesize
92KB
MD55cd219f313c5655850066f66f8451da8
SHA16a3d16e34eb530929fed337599c2703367fb9168
SHA256170162f0dbe0e1f4b30f5683a23cd933b945fbbf0a0739921af426fd662d11e9
SHA51267b7175dad7abf3113c992de2483ab7208542eb7c50294797cf7cb1224048b48f64dd34ce8a018ff5a9be178d72a145524557d608feff15815c21f52448b6fba
-
Filesize
584KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
416KB
-
Filesize
304KB
-
Filesize
132KB
-
Filesize
1.8MB
-
Filesize
240KB
-
Filesize
320KB
-
Filesize
7.7MB
-
Filesize
296KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
7.7MB