blackguard | 69fd483a470bb9964807d5a4f950904fba94240db50ebaf55173afadb5808d4b

General

Target

EarchClient.exe
Size

271KB
MD5

5da1556702cf95395110889546f98886
SHA1

569150086d2c8de41c3dee34f0f174eed6323af4
SHA256

69fd483a470bb9964807d5a4f950904fba94240db50ebaf55173afadb5808d4b
SHA512

ea51c6ffeb31977f81644b501973368568cc8d033b45b5317ec61d9064495cd081d779362cbc4be4bf3244a7ab57d8e83f0531a40e7e67863fa7080d4d8cc3c3
SSDEEP

6144:fmYKOMivp9hnmy0UYU9C93YUnLbBazwF3ab36h3KE:oODvp9hiL8KLhaE

Score

10^/10

blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot6278429099:AAEhx_7evnIrGcJ8BJVLnAHouu09FtlHjyQ/sendMessage?chat_id=1061483843

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	freegeoip.app
2	freegeoip.app

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4116	3944	WerFault.exe	77

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	EarchClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	EarchClient.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3944	EarchClient.exe
3944	EarchClient.exe
3944	EarchClient.exe
3944	EarchClient.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	EarchClient.exe

C:\Users\Admin\AppData\Local\Temp\EarchClient.exe
"C:\Users\Admin\AppData\Local\Temp\EarchClient.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 2328
  2⤵
  - Program crash
  PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3944 -ip 3944
1⤵
PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wNDuNVNVJISJ.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\wNDuNVNVJISJ.Admin\Process.txt

Filesize
1KB

MD5
2046de17e5c997d770ef87c7c2bcfb9d

SHA1
deeef2064c1a94b4c127d6f4750146e575f726bf

SHA256
f853695fc96f84a9ccb83f080e37bd9de02b1456e42d84f08a18c722550eb621

SHA512
82cb9ddb1b8ec7801afff80019491382e32302aac7d3c6319c3e8e758319e5176b1fbcd67dc68f00dd3a7abebf426f4d2a271263409088f17225cda8f4a2fd5e

Download Submit
C:\Users\Admin\AppData\Roaming\wNDuNVNVJISJ.Admin\Process.txt

Filesize
406B

MD5
c95ea7cd739914cd2c95b045c17d9963

SHA1
0f899d1b845c4cb36d622e4244dbdacc3ceec954

SHA256
d4e2b3853574645ea67fe416bc5466c57c414e0d57102f6183c6fe08cb214461

SHA512
0dc2cb4aeb41bfd85d5d3685783a62168b5a99ec3da173c3ef58920ddab329506c5347034dfcc81dced805bbc891ef7a3640605e8244b15caedf5821db6b971f

Download Submit
C:\Users\Admin\AppData\Roaming\wNDuNVNVJISJ.Admin\Process.txt

Filesize
737B

MD5
36f0d8e60dd2e24c4ea63ac29559cb80

SHA1
6d34056bc25e210c271bf4b16132cc0e73714c91

SHA256
dc00763777bcd7f2879195186382bf6a9e856b0e24c12dbc9e197ba7b5eb1881

SHA512
89f701b1ec14f6f54e141f294c20d0d1e11f04d54f432b0640c2199fcde55b5b116859777274543add95cdffd3ea9425242b8ae0260d67eac4ecbe1cd7a8646c

Download Submit
C:\Users\Admin\AppData\Roaming\wNDuNVNVJISJ.Admin\Process.txt

Filesize
765B

MD5
35311b40b63e8331ba97f6c0072b8bfd

SHA1
dcb590bf9ec76bacf5f74f31ac71556b74093616

SHA256
0341fdb4663c47d0c2255bb7b34166839254a4702779ad185b7aec6d3221a364

SHA512
2b0de1d2dceb13789b34cfde154475cf62131920cce04279422a90f912fdc018d8fac6a6308b8fde146c0c203636026a6dc3e726f7020b9dd5ae4b6e60439f31

Download Submit
memory/3944-49-0x00000000068F0000-0x0000000006E96000-memory.dmp

Filesize
5.6MB

Download
memory/3944-1-0x0000000074A70000-0x0000000075221000-memory.dmp

Filesize
7.7MB

Download
memory/3944-48-0x0000000005F70000-0x0000000006132000-memory.dmp

Filesize
1.8MB

Download
memory/3944-7-0x00000000058B0000-0x0000000005942000-memory.dmp

Filesize
584KB

Download
memory/3944-130-0x00000000066E0000-0x0000000006746000-memory.dmp

Filesize
408KB

Download
memory/3944-2-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/3944-0-0x0000000000530000-0x000000000057A000-memory.dmp

Filesize
296KB

Download
memory/3944-131-0x0000000074A70000-0x0000000075221000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing