Analysis
- max time kernel: 158s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-01-2024 19:42
Static task
- static1
Behavioral task
- behavioral1
  Sample: a4849cead4dfa68295a47c5471422ffd.exe
  Resource: win7-20231215-en
Behavioral task
- behavioral2
  Sample: a4849cead4dfa68295a47c5471422ffd.exe
  Resource: win10v2004-20231215-en
General
- Target: a4849cead4dfa68295a47c5471422ffd.exe
- Size: 1.5MB
- MD5: a4849cead4dfa68295a47c5471422ffd
- SHA1: c6c5e9a0a3c37c583def626f9bc227c0c294fa8a
- SHA256: 49977d7ebceb8b390b44ed50f6447ce0910c9fc73b1bfdd60eef219138d0038e
- SHA512: df17c9ecc176bae94aeab4bf5ec6733198e6b961baca50465bce6c2d2acf6cf070ad9b3ed4e6efa64d4beec3d5de24f0cfdcd7ac0c7bd8ddabf810cae324b4a4
- SSDEEP: 24576:CGR2feTKmUp6t23c51lT9y+wvfH79MPxvvdvOyoldbUzkvdHXFcTjYu8AlmeX5J5:CGR2fnn/3cV8+wvzCxlvOyovbUkITjhV
Malware Config
Extracted
- Family: blackguard
- C2: https://api.telegram.org/bot1818730721:AAGgMZz8w6trwd7tHAnNbu0kJSmYFV_IvXk/sendMessage?chat_id=1610877447
Signatures
- BlackGuard
  Infostealer first seen in late 2021.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar data.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  70    freegeoip.app
  71    freegeoip.app
- Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
  pid   Process
  3800  a4849cead4dfa68295a47c5471422ffd.exe  (13 identical entries)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                          Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0             a4849cead4dfa68295a47c5471422ffd.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  a4849cead4dfa68295a47c5471422ffd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3800  a4849cead4dfa68295a47c5471422ffd.exe  (4 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   3800  a4849cead4dfa68295a47c5471422ffd.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  3800  a4849cead4dfa68295a47c5471422ffd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a4849cead4dfa68295a47c5471422ffd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a4849cead4dfa68295a47c5471422ffd.exe"
  PID: 3800
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 5b4ff85f015c0515d9cde4995859186c
  SHA1: e0c8852527f0ef03ecedfa8632e156a9debd1695
  SHA256: a60abd06140e685e7a9e92e03f71ba7c6fdfae20b3641cdad420d2cef2c510fb
  SHA512: 811a88e8739ab1f66ea1311d56f4f1d726228b83f83033aebd7ec81177ee16f1c55539f93fb839844b87be07c78a415ac58479e5dea85b511e6d296d30b047e8
- Filesize: 1KB
  MD5: 6212dc64243ea90b410f6ae11d9f8078
  SHA1: 6eadbdd093baf31f51075f0e4817fb6acbd35f8c
  SHA256: cfd312c6b463e3720dd551734336e2fe23fe1a53f90e92ed2a3edf798e90ef0c
  SHA512: 730875cef93df8bd268c86b147f569c95917ba06161a7eb3f466461f1b0f3c1282b75ef6bc5d44e5762682db012471f7d72be3d7d50de57fd8876b97a519678d
- Filesize: 266B
  MD5: 0c52913f81049ac9d92d193d15b51eec
  SHA1: 644fd8293c696322d39deb4d1c8be77670d4b04c
  SHA256: d2afcadaf9f612009b2c510366fc31a964430aa2238371fe2a42db46634c8094
  SHA512: 1848bbcd9d3bf3579f6267addad8a416c5e183d53a3bb2dc6fa54d341e5fbd86c8660ba89b5b6ac382f8e28067765fa25452e8829274b404a6ebcdd4c9da5c1e
- Filesize: 744B
  MD5: d74a1134f1d93d4e7cf75dbc837fb39e
  SHA1: d733a6521599570f0dacc174c18c642e0d64901c
  SHA256: 03b421316ea2b5fc515fd40d647f0b62c2fdb9cc385e19f8911d0d5a616518e0
  SHA512: dc96574b6f624c817516666d2a25c4b4e023ba21567f33e0973c2881316118040f179c6dee61b70693958c0c63784522b5f02ce1696d8c78c8c72ffe6fa241ec