blackguard | a25f014c881f4e00db371fd0da081542d14d72311c86b7ad908933a9ba3269a0

Analysis

max time kernel
0s
max time network
32s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWormLoader.exe
Size

8.2MB
MD5

b545d6f6bb0ea7b613185e9b6108c54c
SHA1

7228529c2b7527004b34de6406ac1c744f35f434
SHA256

a25f014c881f4e00db371fd0da081542d14d72311c86b7ad908933a9ba3269a0
SHA512

0807e5e73573da08eb562fd73022c7c44d88c3ecf888086ab52257f491c717deb058fae0b0185de5db49de6158783d25c37db2186a61f18059e4070a4abe667c
SSDEEP

196608:C58t3afccVSE+mfkSV6qfwI7fRxzpkhuUgF5ioK:CWt3afccqmfLh7pfdF5iR

Score

10^/10

blackguard xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

5.39.43.50:5060

Mutex

26CtPZOKzqwVA6P2

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

blackguard

https://api.telegram.org/bot6890098459:AAHjv04XcY7xWyP2Vkp5g2wyR9vE4yvtyHs/sendMessage?chat_id=937347419

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/2972-24-0x0000000001040000-0x0000000001090000-memory.dmp	family_xworm
behavioral1/files/0x00300000000146c8-23.dat	family_xworm
behavioral1/files/0x00300000000146c8-22.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe
  "C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe"
  2⤵
  PID:2484
- C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe
  "C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe"
  2⤵
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
    "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
    3⤵
    PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\v2.exe
      "C:\Users\Admin\AppData\Local\Temp\v2.exe"
      4⤵
      PID:2660
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
28KB

MD5
24cc7ef7d92d25471c504c3bca8c0934

SHA1
27462f7eb1c1e16bf29b519aa13956c1a438e60d

SHA256
88b2a1a19508abeca2a99cd5c8bbf069b5dae90f3292afe1182c01ca22fe67e2

SHA512
9cc1eb726e48e830f625b0e6f6dd2db0a288085f2de9667557cf86c1a6ea8f08d7142e883a4d7185a8b0daccbeb0f4aa0dce89a8a48a6e4208db61af650535a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
159KB

MD5
0802bd9f1394e0fa05772bcfde7d19a9

SHA1
fbc80422d2632f670b6fd2523d8443b8bf7b665e

SHA256
f85721735ac9640ccf5ff447e930c870ce7134cf4a304b8069905dab0abd348f

SHA512
dddea519bb2d184f8f636f5ec27c817472c04cfbc322dbe85557753e10aeadce0313a075307aeaef2db3516023fea0420e3f99d49199ddef56b498076b878e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
86KB

MD5
91e10ef80350196add7c038fd4202c2e

SHA1
79218493b9f7aa293f37af6b0c571d04b3606f49

SHA256
2be980ff47bff84ab5471ed74b54ae6beb302bf7a775a9a770c6fd0f6a392882

SHA512
d68a3e4923cf6ad324f196ff4fd0e0eef9e04f9827c48d1402c46ddf73a5c69a3b1e004d2d4d5674319a8e7a820103b3d0fff6c4d8e1f72dd197edc89e5f875c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe

Filesize
345KB

MD5
5fd086a8a83f32fe9771c422481a937a

SHA1
2e3c271650de74491c7a833fe3fc34b8487a70ca

SHA256
ca0346a3f431cd7c8ef2ba7d699cb295db1d119460f090d5a2b1ba6e9bf3def4

SHA512
9a7ceb26f26c7940bf2defac7e15324111903529306d96b5749c64a06d84fd7245cd5a52b6313a2d73b638da863bc38aedad0df8d1964a5166cffdb391e791d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe

Filesize
383KB

MD5
487d18707332ab9dc6f3ffccfeea49c0

SHA1
16c99657746384c8e1a3146c1dacce55bedc2fa8

SHA256
3a34decec8cbbb53a6658823990a47e18f9655d143e2ad3e31f3eb6b421b2991

SHA512
32341daa51f4714719afaac6ff42d7a11c3863db771943162baf5337e730ae11c569a1eec85a3b13b3e662810253e3543dd5b0f29e27ca415fd2f03dfd6c384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
109KB

MD5
0d456f1fcbc9a82996d7632adfb446b2

SHA1
0eba6282e5b6eebbebfffeedeaa1295cb07ba466

SHA256
4ddd296a561fb86e99a720d972849690cef5f9fd3c0331ac3781721412f7cc15

SHA512
f6ee9f410118d5673a83e99e5d7fd77cc585626bdba311a66d02864cf93932b5809b536ff72597a87675e8ca18740687d25da144d6ba030493f469fc908dcce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
103KB

MD5
a899cf49d1838352c097b45ffe5c1d16

SHA1
1e74adcd6a42bf905e157205cf3054cbfcd4f067

SHA256
5201ac9954ac0edea70540c261b59e7ad3ec0a311750da7f2ae134db5912fc22

SHA512
4c3a0c461053e19f2b8ff925794ac85a737f174fa2b17b027348b7f856f4856174de53bebbda3dbb0b4033d7a99b6f9f4905d33b35fc6e9924409925cc9470fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
297KB

MD5
aa41e2f01294022c393c17da2a2d934f

SHA1
4a9a0a302ede4579af3a1dc72280b77d8b04794d

SHA256
ea207d4baa2bad8f3cb653db5e8e326ad2f2d747c2deb28044dc44e41d7cffac

SHA512
053da105691cee3047295cd83f58d616417643c1b3b3f330b0f4377722792fbc3afdfac8b8a1a28d76951ac6c4da322e0b5a35872f9e9dbbba4692fd4c443e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
276KB

MD5
d86aa6099cd665921df078712113346c

SHA1
c75a61c0d75028e57a62162233d449c630f42338

SHA256
9780a7cec961c0a13b9bfd6fec26811f1ffd27a70a42c50ab01e9c623ddb9583

SHA512
b6e4634f80d0f4c7c15f916a9e5bc8b0da1edc8cf8562ae51749224e9590b786ba15d001034d59bdbfbd83c5f6f35903c3c60576d1935ad80564b809693b232b

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
45KB

MD5
103fa46e06ae9cd6d9e4c852d213547e

SHA1
57b10fa0528a53e4dadac9ee5856f6f7d35f6f61

SHA256
bdd500886dd5178fdd9c4cc1abb580e61d15f714b89fa9892154035d312f9d20

SHA512
b355fae77c448bd3458f91f34647c90942af448d48db1f680461b42b36db29904211bf1df4f3e24941dfa06a0f51f0d0037097ed1a7ad8f4b0a7fa6b03291098

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
136KB

MD5
d33335ae74e0bd15c3be2dc6bcc9f9af

SHA1
2141c390b56613dafdcce22ccf4fc0d73776a8b4

SHA256
a035b3dfd78557328a6e5f052c74363a932ed9ad85e66a271f0f833991b21616

SHA512
14cbbfc7785944bd68e3aa4bcde56487549162c724a11ac474694fdb6b1de9258bb1997318f44dd781be421a046c763cff9338afb9bfc7ebe4feab5706d93b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
152KB

MD5
28e5b44f891f02ec76932e10e72e1449

SHA1
a7f009953a35cf9866cf64d171dce26e9a6bb97a

SHA256
0b0f10c86e2014fb90797889997d5d09b18d3d428edb32d85fe1aec2001b6aca

SHA512
d39c6076618a45dda446ffd271bef166aa72af2ced22ac762be95bd524694aa57b341bc33334cbf278d6ee43f146168510f9d60c2f59e8ad6fabed8b1ee750c2

Download Submit
C:\Users\Admin\AppData\Roaming\JNLwZBPTFLZyZJLNJTBLCALKHSYM.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
173KB

MD5
9fc0f6ce2eb684bcacd330fca0d55759

SHA1
280e5ce42e33347f349b00e0adf32e90a333798e

SHA256
7ab58e35ed7e012319db4461685ab0215d79360290b898af6e4ebc37ddcd84e6

SHA512
d33210e969c0ef5414e201e9b49ae646bf7af14dca27d6ad0ac236dec2ffcadc07973c8201ef8c36c462dd4a2ded45e92dc4488bd25c4bc0047884d5f66bfeb9

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
154KB

MD5
124f89c3e2d59aa2ad850c14bd207a26

SHA1
9868292e75dcaccdcea9a6d5ee79974bbb4e35de

SHA256
e8c1b1241f4360620651d3ca252758fe846d499107f55a0e604707aa4a988615

SHA512
305f1c85a4b76acab14e27cf87fe6a161452945ee18d227ad9f1e7108104bc7895acc27e6e7d1e4a5166b90235c7d2daa33ef30e9f4892428128f0ef1e3f65b0

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
1KB

MD5
9ef8a5dc34f1e5c0fb8a090ec4520643

SHA1
53c2f03eb7dcfd2b6370eddfbfe0cf8b7668e2b9

SHA256
584cbe9330365178a9b4987a8100a2062261ae5b9e2e2451e896929557926dc4

SHA512
3f6402a9e43c6d20f511ba6db302cde9248ae6d12d99f33acc13556c962ac1ce7561ac6dd03c689a601c58fb3dbef6fa915873f6435e646be8f142103d6986f1

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
16KB

MD5
4deefd584aad73c4da1265ef44c3a9d5

SHA1
1daf662c03b068875462b01dccefdfcda3735ad5

SHA256
f6ddbfcde988d47ba8d39b8d31b351fc7ef7ab68cb36e58f2d5b94bceecbaacc

SHA512
5b6d01db72c9ac27317ff0ceec8802fb4b6bb3df688d344d3f0311c429b56841e938b47febe5a43ad0507062492b8ffea63cf8f182c6ead882505210938fd674

Download Submit
\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1KB

MD5
5b29bccb92631bb74468a151da3bd43a

SHA1
24af8d41bd1d467d4ca49fca65a0bf67e34e65e2

SHA256
f60ccb5580d525fda262bf106579f9ac003fa5cabbfc0977fecccc48ea019c5f

SHA512
8a74a970b75ffe394557477d2b528664ac902fd92f88b38b68116c12ec1980b1d8d4ed5cd472c0f31adbdd6511a133c5b815cfa6d6b6feccd3f0bc3cde07748b

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
124KB

MD5
8afb5d4c5ff7bb4c9ffa08186f17e401

SHA1
6e8a53a94c2329db0d17d238f29dc2c9c31ef140

SHA256
3d32abdc23075a86dc05f24b6871447d5c73d8cdd35d0be7fb8e720f6c8fe9da

SHA512
fb4e9f256aa382e25663f815ec7f99b0dde1ea3b095a4ffa0bac6cb68991b116cf96722b797a5ebfef7ea522b75abe9d70a15882aaeec73be31e6cdcade6ffb0

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
33KB

MD5
0b8892068896420c2444aa6b3a344e64

SHA1
6240c3b4a3f7bca9c3987214e01c99b1d7a52572

SHA256
66534d72ba1b0617ecfafc713ae21b69e22b05f660a767688978f750be522592

SHA512
d6718677f1cdc5d5dbefd6fe2f68033d760e386cfe4e4a91ae983672c01d3e0ce9bed61e3c5fbe3d1dc12e20c4453dd1173d15d19c562540466df052752016a5

Download Submit
\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe

Filesize
471KB

MD5
c16427fbb765584797083431d2b9fd13

SHA1
b702232091a8fab0cd756a87ee786ace288aa5de

SHA256
e87e3b64ee95f72a505ebb244bdd245f6bb07af0eaec174df6d486441635ef8e

SHA512
841a4ac554809e63ac89575471b527383de1a23d47c6680f9ce40252d3b97f41c27a8070b90529d9e72e2bb496589a3ee78600b28f439243d4e6f16637194f05

Download Submit
\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe

Filesize
1024KB

MD5
e40c19e9ca699d81f7920f996b2cb3cc

SHA1
5c3aab1a8155e143c1c63e1770bdbe942c8a4db1

SHA256
d8516bb175dfd7fdacfdbaece51547dc6c7f95fb87d997190c6d6fbd6dc266b7

SHA512
455b0f6d8d404e03ee630391dbbf8209a0ba88a9324c98862f4240f833484f5b5f95ff337f9a9a68fd36163d2e72e465087fd4042f4d3113d981d7d48e1d7212

Download Submit
\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
51KB

MD5
db366921d1aae71d2315c687b9af8cd7

SHA1
09ae8a34b123978eed4e06c3367779223191febc

SHA256
5c4ebc0db78cc7872e34740d2fa8c14b1f071fc4c0332d117c0aecbc2e15e7c1

SHA512
c72b1ddfe79ed0ddb0f3c313789571151df02864d3209aca9060b0802b13f8c5e74a230ffc96104470f7640c56b48e69a5d7027a0b6dd3cd1bf5522a07234f26

Download Submit
\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
136KB

MD5
b62b64ff0f8358ccfaaa3ee9f712ad7e

SHA1
60e3387d4b5919da30b3e73e321cfda1f668a7e6

SHA256
d37deed182eee22a818087e3e7ba7dbb6942a5a07836dac64806502712f69058

SHA512
09f90c42820b6c18a304159717217fe75d5e7884cf314f372f3dc61e8a6a2860109fefc6039b2d8bcdae467bffada750cb34f1d93407066136d55d2d81bfda92

Download Submit
\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe

Filesize
79KB

MD5
0bcb344314e978fa35a89644734055ca

SHA1
16d275d1331e4d77a29733b2f450fbb625787d2e

SHA256
f8fa7c5338d894ab03c8234b5c6fccd2adfef3ccd448e052ac10a7c794c4446d

SHA512
f3861efca4bb76414afea6c8dfb4a1234de23f3c784e32657f1a03721817ea16e4792090b3f0c76408c834676d2502315bf5c9bace1a63813e6cb257a3cb3ff9

Download Submit
\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe

Filesize
28KB

MD5
0d149f9dacc962c155515b10d13ab652

SHA1
0e98ecbab6857eade282e1b3bae495e68b04b8c2

SHA256
a61056c7bac51f4ec7fd436093f00c34bfca3aa5360710a1504a08a85cc9d7ff

SHA512
2f8026e2cf67e557b978fc57f599c3f16a57b379b10fbb0a1dcc9cebd5a43f769ce3fdbd3f58e27a967f246b4fe45c1a81e0cf5d67a8abc2b57162b31ca0eadd

Download Submit
\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
50KB

MD5
5141aefb9ce6b115a187d2ed5b725375

SHA1
a2e87de096cdfbcf887de6198bdb7d16e3b69c4a

SHA256
f11635c2b476fa5fb40bee37e47230b5c35eaa54f20eb0a2c9d9bf394c1eb18a

SHA512
cd0e15e1491c2513f159090bb800f9e43c7e7b4174eb45fffdf8f64b845775cabdc3b2d9367677e8e58936106ec3a73d575f8adac648efd0d23acb1a248f6317

Download Submit
memory/1252-16-0x0000000000400000-0x0000000000C3C000-memory.dmp

Filesize
8.2MB

Download
memory/2484-159-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-25-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2484-18-0x0000000000B00000-0x0000000000B20000-memory.dmp

Filesize
128KB

Download
memory/2660-68-0x0000000000CF0000-0x0000000000D3A000-memory.dmp

Filesize
296KB

Download
memory/2660-111-0x0000000005130000-0x0000000005198000-memory.dmp

Filesize
416KB

Download
memory/2660-79-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/2660-116-0x0000000000650000-0x0000000000670000-memory.dmp

Filesize
128KB

Download
memory/2660-70-0x0000000004F00000-0x0000000004F40000-memory.dmp

Filesize
256KB

Download
memory/2660-69-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-158-0x0000000074670000-0x0000000074D5E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-35-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2972-36-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2972-124-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download
memory/2972-24-0x0000000001040000-0x0000000001090000-memory.dmp

Filesize
320KB

Download
memory/2972-160-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp

Filesize
9.9MB

Download
memory/2972-161-0x000000001B140000-0x000000001B1C0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads