blackguard | a25f014c881f4e00db371fd0da081542d14d72311c86b7ad908933a9ba3269a0

Analysis

max time kernel
0s
max time network
30s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2024 13:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XWormLoader.exe
Size

8.2MB
MD5

b545d6f6bb0ea7b613185e9b6108c54c
SHA1

7228529c2b7527004b34de6406ac1c744f35f434
SHA256

a25f014c881f4e00db371fd0da081542d14d72311c86b7ad908933a9ba3269a0
SHA512

0807e5e73573da08eb562fd73022c7c44d88c3ecf888086ab52257f491c717deb058fae0b0185de5db49de6158783d25c37db2186a61f18059e4070a4abe667c
SSDEEP

196608:C58t3afccVSE+mfkSV6qfwI7fRxzpkhuUgF5ioK:CWt3afccqmfLh7pfdF5iR

Score

10^/10

blackguard xworm rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

5.39.43.50:5060

Mutex

26CtPZOKzqwVA6P2

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

blackguard

https://api.telegram.org/bot6890098459:AAHjv04XcY7xWyP2Vkp5g2wyR9vE4yvtyHs/sendMessage?chat_id=937347419

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023216-26.dat	family_xworm
behavioral2/files/0x0006000000023216-32.dat	family_xworm
behavioral2/memory/3652-38-0x0000000000C40000-0x0000000000C90000-memory.dmp	family_xworm
behavioral2/files/0x0006000000023216-31.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	freegeoip.app
13	freegeoip.app
24	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe
"C:\Users\Admin\AppData\Local\Temp\XWormLoader.exe"
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe
  "C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe"
  2⤵
  PID:3028
- C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe
  "C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe"
  2⤵
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\XClient.exe
    "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
    3⤵
    PID:3652
- - C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
    "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
    3⤵
    PID:3684
  - - C:\Users\Admin\AppData\Local\Temp\v2.exe
      "C:\Users\Admin\AppData\Local\Temp\v2.exe"
      4⤵
      PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
110KB

MD5
98e1d90c34071e50649818d5109966fc

SHA1
c4117ff3cc64e9cc8c4c2e25d0805c9d222dc4dc

SHA256
0fc2cfcaed03e2d527b47ac3d9bb29db4fc7685752f0c40137f579ce05530858

SHA512
407c6b91c1343a39b10c8d12c0bb24a4acd96e650b95aa1a8e2bfa1d648b95e2480aa7cd990a684f339fb3743b48ab29d41dff3d5e3bef11e0d7730005a1cda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
51KB

MD5
76e20f4b975a9879e483b2a744eb83d2

SHA1
0805e3d473ee1567cfb3ed486b33cd1f2e8e2b5b

SHA256
dce1ed267d90305dd5d00e5d7284a13ddf7f4ea975ed0a78b28ea7afa1d353dd

SHA512
f6f17b36e1118b6591f78922fbd78b01cd4612d81e28a1d09633953c4c41f63043cb4d9b0826e6d3859c14677cd80effd7637a910e2109d7867841da4ecdb890

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
52KB

MD5
b2f55e696d3eca9a46ae8393c91e9ecf

SHA1
8e436a4fa5cb6374a622903e61776bff2ca07925

SHA256
368abdb33b3646c9da5ebdb74b680873df02b6ac2b26448e33444c4368e6bf16

SHA512
ff71d0b00ea6a85471c0c246ca76ae5b1a55b80f8df6557d0c485a1cb7def9b39de9bda739c806a5b90303de8bf41fdfca4efd733d94641029835a08fa0a2d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
9KB

MD5
978eb9e2e9f5fb02362e6164eb018b63

SHA1
1826c9b61c2400aa51a22283857d1cc48da5514a

SHA256
93e04869ec7fad951b348d8a463426967ca0a39893fab76da3c15100199b8a4d

SHA512
30cdd6ecf38386411f58593bb867354719ac5f83e2c04cbb077d1f4f983d8ee2d8d0e25d408e47657b5495d7f591fa964702647e1fdfa412e617a5c8a98a2583

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
19KB

MD5
1189e35fe3a9dea177aba554998c5720

SHA1
9cc7e28df8ef84894c722b50ce8c003be801c71b

SHA256
6ab6da5a099e1fac8b3d7b8348cdbfe6bdbd770066e49ef8b3333740654f4073

SHA512
d590918c460f19ea89bdc48195c786ec9d5511be4892399948be4828324467d8f6d338afee5aec38371a4bb9dce93a5ac0e3032c6c993b3f2e7d8108fbe0c5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
178KB

MD5
e60a35c28a4fb81e24fdbac32d58ff6a

SHA1
0a9a06b2e399ea9e77be827f6584efc8495482e8

SHA256
f25d43bc828b9960d77e87f0bf34aecca75b75b39e7c8a0e77c54de62e8ac5c8

SHA512
549a88b6e49ddc38a42dcce7113df76319768c3dcd73ce50c445c20cba1adb99b3814ff8da96859075c52417fd08009e9d305eb44d88204ca63cee2d51ff5cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
348KB

MD5
a0c58a6d5a51a50bb4dad62020eafc14

SHA1
42339d34eb4f97f4702d378271aa08acb8b995b7

SHA256
bcf31d2c65be95bd3f7087aaf5a593c5d5d3e586d822e9ea35e6f94e33c476ee

SHA512
66c1baeec136dfe665afd1a2de57bc4733b7c2d31c83ce1caa7a47f42bf2228cf57a18dc80f5470e064ce9a6ca6ce715341544093f5d062ed5d17ff03125ac79

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
50KB

MD5
7e9c36b509b040a08400103c78e643eb

SHA1
7e9ca6783b898bfa4942a7762ef81fddaab955bf

SHA256
cecb5de89a4046962605058de7b18341d98ef6e2ee1b874148ed29eb448ddd8b

SHA512
2871d4051273e8fd2ef0d9cf2b3bcb0719125c4d13df54abdef24525dbebc69f4150f4e8d277b207e74744bf6be92db17d52ed6eec5bdbfaa252c8bfbb3ad50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe

Filesize
897KB

MD5
6151984153c216c769dc8e1a30be67fe

SHA1
3730d13ae3b231e5421415ee53528493bd51cfc9

SHA256
c8b4d33472ea6b44b01e2e9b7534ef22ae5a0a5b817a5c0fe6864bc6c090b606

SHA512
1b4ca4f5aaac6b66134fabd33ee54d891166c2645a55768c7dee21ad4c43d655ac904ffee3e3c1fcfb47c672fea701c643b9a073ef0211f0a68ffeb8cfc852fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe

Filesize
314KB

MD5
39ec29ba25aabbc39f0bfe196941d53f

SHA1
1abb7689cd10fad54d2b5859ddf55044fa0e52f9

SHA256
3accac39fae567ff5bac7d2be37514c86880e9e7d09d303e0ba36d3e0906cd22

SHA512
f8f53b9c6f597e84ab1a1116f9c2834f1154671874761ca6c2a96da1a4f53ec7be794f49566a7b068933d3d7decd70f57ff30149d161caaa124854081e1a2e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe

Filesize
537KB

MD5
4bb15b42e8b9c591cb2e91e6b4fe2a4b

SHA1
a2cef88c34a92820b0804c1add4a9b31d8c482a7

SHA256
5f33d224e198c9470a333e2557360901eb47c9c8e98089a1dfcae223e65bdd60

SHA512
8b3491eec091d58eafeaaf615e7b29dbff36d0acb75f6fc325775470ff4752108cb250336d50cd8f553f2360bc9e00b9ddce436c73fbc3cbb340b16a0c44c568

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
197KB

MD5
c2159ecb31ef6e96885238a415ff5af3

SHA1
17828659c12be2830437ecfab0cbd0b7723d7bbc

SHA256
c29e221cf6c32bf62269d4f5b6d4db02107e5dea1bfc90a5af6aa588d7fee856

SHA512
54896dbe99fd2e8233981e6146decadf7d0d0da1d9e253e0614d0389059d64e8813fba16d4163d8f5da4b57068c0b03485890dbf9d6cfe8841f6c05a24b18b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
119KB

MD5
d4627e47e348a1e7a6e0f75e0d5b3670

SHA1
28f87382dd374018047fd2ae36adc831b8eaaea4

SHA256
d8218b2523c70d6c223770d7a7f42f1b008e2f3d1c4fb88da7ec30b19a8335da

SHA512
bdd611487d14f70ba38173e3374886dd141aaa18bfc2fa3fa903d3508385c9cdbf46bf44592401c1091cf426e41eaa10ac4e38be62e307789a034d7868c791ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
112KB

MD5
a6461ecafeb1cb1b8c51c9714ab7cdbc

SHA1
4997ef4f584cc3805503b35d978d62cac02b6ca3

SHA256
19e2a7c4b1325d05dcd4a3286b6a0229ecbc0829b212ebf3dbcb570b2c20c336

SHA512
fbdf4c458e83512b76e6e6d01d7197a393d192f833f457fa2180da51404fa8a4bfafd85c93414990897b96713db2b81168951680b22c1eef4dd92d9da9fe75cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
241KB

MD5
c646445cf9475d75006553d8613d07ff

SHA1
e314de5e93ec62b6ce900bd9070970152fa72309

SHA256
bcab6795fbc6c5733fc47f94be38d3d16b18cdc394e47cccecafb674d65dda27

SHA512
997483bca8e66147a155231d00d24914fa524e6de52da253d8c0ccae29de1e5ca4589e5c799220c48661ba5873277c6be1660d464ac1c4b5d63b754de609c42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
297KB

MD5
aa41e2f01294022c393c17da2a2d934f

SHA1
4a9a0a302ede4579af3a1dc72280b77d8b04794d

SHA256
ea207d4baa2bad8f3cb653db5e8e326ad2f2d747c2deb28044dc44e41d7cffac

SHA512
053da105691cee3047295cd83f58d616417643c1b3b3f330b0f4377722792fbc3afdfac8b8a1a28d76951ac6c4da322e0b5a35872f9e9dbbba4692fd4c443e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
118KB

MD5
ea18cb34bc14f6ee872803de99b23ab0

SHA1
f5a04a5bfe57753f909b1854725a63bcd55a6b24

SHA256
7a8a78fd9999bb4f583266da37aa4f3b6be01e2bcd10f45742fb7be6e1b0db34

SHA512
b0a5d417e8a30d40e63a6ae1521025e87dd431d0eeefa74de7dd0609dd1f3a1ce582701859b41208df20173198b7bfce415026eb862e87c5273bddf0bee03468

Download Submit
C:\Users\Admin\AppData\Local\Temp\XWormLoader 5.2 x64.exe

Filesize
109KB

MD5
e6a20535b636d6402164a8e2d871ef6d

SHA1
981cb1fd9361ca58f8985104e00132d1836a8736

SHA256
b461c985b53de4f6921d83925b3c2a62de3bbc5b8f9c02eecd27926f0197fae2

SHA512
35856a0268ed9d17b1570d5392833ed168c8515d73fac9f150cf63cc1aea61c096aa2e6b3c8e091a1058ba062f9333f6767e323a37dfb6f4fa7e508a2a138a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
207KB

MD5
8eefc5ec14dca5a4c40894afe2bda9bc

SHA1
0219c797dce39e2625e7c98f1af3c30dcbafead7

SHA256
d9e783b46a67dbec014a4c5e28c23f4d177ddeac136f4842178d12f88c114c56

SHA512
c7f7dac5d25a0d74c18276c252bb05943d8796cda2f370841e5ea3f8c11696f40ecfb698833829089d898377478a58b5bf3307df36ddab1f1d9a7d0d21d76290

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
223KB

MD5
a33d1d44a75e71189ef8bdfdda9977db

SHA1
9bb1603104bac628584169b59b7e61ad3df02f52

SHA256
8772a8a24c1932a5cd393fc08b6e5612d69e261185df8b3cfdc90312bd7eaa3d

SHA512
480e7d055ffe8b2ddec7ddcbaaab5449d05b09d5dbe53ce93f07a2bc14abb95daeb9d0794bf5700f81094c3e5b1bab2ef7c24044253a0a9249fed2e19f8148d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
119KB

MD5
2dc7d730bb4f8ab4f86805d0c17c0f52

SHA1
d448ad3a228236b9b81ce09326c32a4dfce52103

SHA256
0f76048df8b6f20594f62ddbad58902f23e5a06311e4a33305554d60a31fced7

SHA512
3bfdefc4ef644402d6c6a43327112b0091b90e615e4c5b17b223d6c206e47787ca13ac18be4ac69cd061af0e7a3901f9d46ad4c6abad0f22dbdc1d0d4d90fed7

Download Submit
C:\Users\Admin\AppData\Roaming\LwVVXBuNBPHZVTPwXPVGAWKBMOT.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\LwVVXBuNBPHZVTPwXPVGAWKBMOT.Admin\Process.txt

Filesize
344B

MD5
afe6a3da67615a85d2ad1dde6feed65e

SHA1
80c74512bc02c94f2c097fb90568bf1412a5290f

SHA256
fdb2fcbb0c00c743627e0e646ac74acb957c3953591346a665d472b03232c70e

SHA512
21b8203beb39d489fb6e17af91a9c666911e4fe0eb0533dc6f32abda0312403412f4fb2b6d3003ff0b16317648ae9ba3ce36efda3a2d14245a965ab0ddf89801

Download Submit
C:\Users\Admin\AppData\Roaming\LwVVXBuNBPHZVTPwXPVGAWKBMOT.Admin\Process.txt

Filesize
976B

MD5
e4d9c782cd8a179b97a461dc468ece59

SHA1
df8f593011f4c3991a446eb3b746acd67d19d99f

SHA256
0a1f46d8e039ace7d1e59a58aa0105482d5f60dbcc8533c8f129af653fb1b4fa

SHA512
d324f2d7c974afcc508bf9c375cc362bbd91ed02341306559f3377f18ddff4e19b324ee0ee99da6458f4086f9dce1817542be8d92a95878ccaebe9029205e88b

Download Submit
C:\Users\Admin\AppData\Roaming\LwVVXBuNBPHZVTPwXPVGAWKBMOT.Admin\Process.txt

Filesize
1KB

MD5
2f3eaba0bb32dbad80e21eaaba6e3d22

SHA1
bb97e9ba546d7dff7525f47b8c70f25587538c5a

SHA256
21b2c0d2a32cc809221e4f4b0eb21689891e1b6e15cca65475aa9445cee08e05

SHA512
1402d30099417cb411866242d8b321ac1e70432dd336a6db2e84cd1b3c9e6e869163156e9b34f29eb6823436990ed8fbf89ed367ddd49a2910ac3570f985811c

Download Submit
C:\Users\Admin\AppData\Roaming\LwVVXBuNBPHZVTPwXPVGAWKBMOT.Admin\Process.txt

Filesize
1KB

MD5
5befe540538ecdb8d1a311ee67960b02

SHA1
2f9aa18b385ec290618f520a8e7b7708b4161a75

SHA256
e885e41762eaaac2ea7db2e6a2daaf474a62c91e0f965829f53c81bcc73b9835

SHA512
bcb0cc4388716fe1a9601909e6c463cc6056f60b0cd2972886d500149f459965f58f5d6c94f97c3741594ae16d5f4a1f8e19022153a1ee231174c5ef615849e6

Download Submit
memory/2176-43-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/3028-22-0x0000000000C40000-0x0000000000C60000-memory.dmp

Filesize
128KB

Download
memory/3028-74-0x00007FFE098B0000-0x00007FFE0A371000-memory.dmp

Filesize
10.8MB

Download
memory/3028-21-0x00007FFE098B0000-0x00007FFE0A371000-memory.dmp

Filesize
10.8MB

Download
memory/3552-19-0x0000000000400000-0x0000000000C3C000-memory.dmp

Filesize
8.2MB

Download
memory/3652-38-0x0000000000C40000-0x0000000000C90000-memory.dmp

Filesize
320KB

Download
memory/3652-39-0x00007FFE098B0000-0x00007FFE0A371000-memory.dmp

Filesize
10.8MB

Download
memory/3652-239-0x000000001B9C0000-0x000000001B9D0000-memory.dmp

Filesize
64KB

Download
memory/3652-245-0x00007FFE098B0000-0x00007FFE0A371000-memory.dmp

Filesize
10.8MB

Download
memory/3652-246-0x000000001B9C0000-0x000000001B9D0000-memory.dmp

Filesize
64KB

Download
memory/3984-126-0x0000000005A40000-0x0000000005AD2000-memory.dmp

Filesize
584KB

Download
memory/3984-145-0x0000000007500000-0x00000000076C2000-memory.dmp

Filesize
1.8MB

Download
memory/3984-139-0x00000000065F0000-0x000000000662C000-memory.dmp

Filesize
240KB

Download
memory/3984-140-0x00000000065A0000-0x00000000065C1000-memory.dmp

Filesize
132KB

Download
memory/3984-133-0x0000000006140000-0x0000000006494000-memory.dmp

Filesize
3.3MB

Download
memory/3984-134-0x0000000006060000-0x00000000060AC000-memory.dmp

Filesize
304KB

Download
memory/3984-149-0x0000000007C80000-0x0000000008224000-memory.dmp

Filesize
5.6MB

Download
memory/3984-132-0x00000000060D0000-0x0000000006138000-memory.dmp

Filesize
416KB

Download
memory/3984-238-0x0000000007810000-0x0000000007876000-memory.dmp

Filesize
408KB

Download
memory/3984-128-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/3984-127-0x00000000059F0000-0x0000000005A40000-memory.dmp

Filesize
320KB

Download
memory/3984-99-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/3984-77-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/3984-240-0x0000000007880000-0x00000000078F6000-memory.dmp

Filesize
472KB

Download
memory/3984-241-0x00000000074A0000-0x00000000074BE000-memory.dmp

Filesize
120KB

Download
memory/3984-244-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/3984-75-0x0000000000560000-0x00000000005AA000-memory.dmp

Filesize
296KB

Download
memory/3984-76-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads