blackguard | 4adb1da79a395bb35ef08bccc0bc047e27ffaf87b3671ad213426033df2f66ea

Analysis

max time kernel
205s
max time network
207s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-01-2024 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VZLOMJOPY.exe
Size

8.1MB
MD5

ea8806ecab4b3ac8ec9ff7c42aab11f6
SHA1

627358ec908dafa1df6ee04a8a2920ecccb4b5d9
SHA256

4adb1da79a395bb35ef08bccc0bc047e27ffaf87b3671ad213426033df2f66ea
SHA512

58663574eb44fccabd5ebe479cb9374b97ec339c56265b6e4b758043ab53876dbc6334ce50edaabde7560d078b4f14a14485c63e3361b43ae1183d6a2c688c24
SSDEEP

196608:D58t3afccVSE+mfkSV6qfwI7fRxzpkhuUgF5io7:DWt3afccqmfLh7pfdF5i0

Score

10^/10

blackguard xworm rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

5.39.43.50:5060

Mutex

26CtPZOKzqwVA6P2

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

blackguard

https://api.telegram.org/bot6890098459:AAHjv04XcY7xWyP2Vkp5g2wyR9vE4yvtyHs/sendMessage?chat_id=937347419

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000012253-2.dat	family_xworm
behavioral1/memory/280-18-0x00000000002F0000-0x0000000000340000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Executes dropped EXE 3 IoCs

pid	Process
280	XClient.exe
2704	VegaStealer_v2.exe
2660	v2.exe

Loads dropped DLL 11 IoCs

pid	Process
2528	VZLOMJOPY.exe
2528	VZLOMJOPY.exe
2528	VZLOMJOPY.exe
2704	VegaStealer_v2.exe
2660	v2.exe
2660	v2.exe
2660	v2.exe
2660	v2.exe
2660	v2.exe
2660	v2.exe
2660	v2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2660	v2.exe
2660	v2.exe
2660	v2.exe
2660	v2.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	v2.exe
Token: SeDebugPrivilege	280	XClient.exe
Token: 33	2848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2848	AUDIODG.EXE
Token: 33	2848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2848	AUDIODG.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 280	2528	VZLOMJOPY.exe	28
PID 2528 wrote to memory of 280	2528	VZLOMJOPY.exe	28
PID 2528 wrote to memory of 280	2528	VZLOMJOPY.exe	28
PID 2528 wrote to memory of 280	2528	VZLOMJOPY.exe	28
PID 2528 wrote to memory of 2704	2528	VZLOMJOPY.exe	29
PID 2528 wrote to memory of 2704	2528	VZLOMJOPY.exe	29
PID 2528 wrote to memory of 2704	2528	VZLOMJOPY.exe	29
PID 2528 wrote to memory of 2704	2528	VZLOMJOPY.exe	29
PID 2704 wrote to memory of 2660	2704	VegaStealer_v2.exe	30
PID 2704 wrote to memory of 2660	2704	VegaStealer_v2.exe	30
PID 2704 wrote to memory of 2660	2704	VegaStealer_v2.exe	30
PID 2704 wrote to memory of 2660	2704	VegaStealer_v2.exe	30

C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe
"C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:280
- C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
  "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\v2.exe
    "C:\Users\Admin\AppData\Local\Temp\v2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2660

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x188
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:992

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:920

C:\Windows\System32\control.exe
"C:\Windows\System32\control.exe" SYSTEM
1⤵
PID:2656

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
105KB

MD5
42dde025e434091f81394341646fa754

SHA1
38ed8a1d40c5347f6daa29c3dddc6d59870716b6

SHA256
84a7e21555e3b6cbd5dbb149a8b9e76ba7904bf3ae6addc3814c60454a243f29

SHA512
e496d51ea0be4376ddeb16d7a01826affd91333b6b551e6f9f9d779b9824edbc393aa6fe6ecbd2eb75cad5f3331bdd430a019dadc04bb17dcb41beb68221c2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
380KB

MD5
e4a51330e9c0da7de7a0453d7101397d

SHA1
367d17dc52c3961549654b3043b68da81cf23e6b

SHA256
2c74dd4b3c32895c0fb9d1ab93313a2c9531e7afdc83fe4091970e679d783a93

SHA512
e4784addc49116d033338e58fa2097598c92233f873d107ad9e567ce73aa57ef085b1425691e123f2ef5c413c920f76bb12f1d9b50770cbeab73085cb5f2cebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
1.5MB

MD5
df0e3ca02246c4663e2e1b9560084572

SHA1
cb4dcdcaf557a43a3ad657864198f0aed5eb6930

SHA256
a2fddeacf67e7f5ba5cabde777a53854d286573c5b3afcfadccebe66ad94e57d

SHA512
a1c75044d5559340d06ccd7bd501d0f0d212f4d8a85329713ac70c91edb4df3cde2f1b271969b299ebe3a12fc7d4d3d63d8f651ac58cf22767a92e46ea040bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
1.9MB

MD5
6ffd3167e6e51786492e965462066f3f

SHA1
991e47ed8626da769dad3853123df73ac66e7ee9

SHA256
62d9694503b0db425bad102bdb56383cf490769b1da106f656ac384105a77936

SHA512
7c0fc1fff78be73d62b4768d3c96713b8bf7af8ad36a4509a4ae021c6263947d20764c2c81641607410133ce8a41aeeaf11bc43566dedbf0c2e898349bb5ad05

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
ae72225d88f8672576d1255d11c9196a

SHA1
dd8e0afdf35d8e00b981fef61387f984d5dea7fa

SHA256
ff70a6e222ae7a334414103070eb76f9de1304e5e0e9656828e0aaa56842e1e5

SHA512
f58e7fcd1e9b53755dca703cbf52d3e11f300eac1cf567e50633f2c21a52b40da2957d4649b91f624486ec41b0eb3b6c1fbae7a36f424e0c0725b8229864c140

Download Submit
C:\Users\Admin\AppData\Roaming\TLZRVuyXHZDPyDTTHZBXBTLDBHN.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\TLZRVuyXHZDPyDTTHZBXBTLDBHN.Admin\Process.txt

Filesize
382B

MD5
32d50e481f975a3b92979494e817a1ef

SHA1
0f53889fdceb8b09d8b1e27de6eb5f7ffd75a1db

SHA256
394872572f6e51cedefa14f3104e7fbe17b7f30ea07c886860921e73b1cf6ece

SHA512
d73dd1b39a98956b4478ca5ac346b109db8112f410555f4b66b1495b3924ed79fb47cef904b02860a4b879b020d2a04088ff7186ed4b3a38a6d5a5661aa0698f

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
456KB

MD5
02a6f7f7461f4390c1174b16cb1d2115

SHA1
b9a47d97771a730a0070543a579bc34d8b3c1179

SHA256
5733b13f69daa2ad9e448d5237bc23c307f67324147745990daf8577894745aa

SHA512
fb69b08fc40de65b86eed7baa98a1783b7acee1001b1f166451ab1e24109bf6bd341c10064c71c78f7cf2ce6893e1fb08c34e907f3e604646034e1887c23f6ef

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
407KB

MD5
64babcb94751c03022fa4f63c7f350c1

SHA1
6cf75cace54252e1f999c42247915371da3eb110

SHA256
96ebe9ace615d023565c516227c0a010d5957ac0b0c2bcd33e67e9aabd010f6c

SHA512
60bec869173f6e14f461b80bef64a9d69b35f6b90b40663205c91d2fed496ad8963b05e9ceb7716a0b2dce99af4a317efc38ac4c463dffa22e082059bfad8293

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
571KB

MD5
169b6d383b7c650ab3ae2129397a6cf3

SHA1
fcaef7defb04301fd55fb1421bb15ef96d7040d6

SHA256
b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

SHA512
7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
523KB

MD5
430ee462e197a1c9947beb6889a16c39

SHA1
774b9adac98e57cf9888cccd40cba592c9f372a1

SHA256
7b051d60ceace589e2f8ba9d7989c5541466dd94b01b259785b57b37410381fb

SHA512
5b38af1e6cc12dbac1e2af015278a1016536fbe349ebb3e17390b5e6cdcd82356573dc4711e1c6286e595b6f44dc91a62f889237ae6cc60d7c93b8068fea466c

Download Submit
\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
96KB

MD5
21da19fbddce63ac876c89913e9a57a7

SHA1
7e8442de7dc4620d5ed302e28bc939164225c363

SHA256
f06ec53c75868f27db7ec23fc9171b17c86f088102d4eeb18d0c7d303406fcee

SHA512
f742b6af16e0f2cb4df58e177d347baef6cd6f6e28bc51e1d4f3528a76deaa14818fac5f320977a20e1d98f4369fbf81ca3e51c014db76ccd4fd2c6c99ea4b52

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
232KB

MD5
2ba2db0eb88677fe1ad413ecf3d6aa04

SHA1
dfd55251edae163acfdc5e51fe21ff21e799ef98

SHA256
9f18b01e14ce063835201a4f24b762569a6a8fa59597eb181421e908fd4eca42

SHA512
cd0fa32ce9d34af24d4096c99140013325374240499cdb3134abb2aadd95fd384f0ebd0d959387dbc1da4217471a992cbdad48e5538f583438e2ca9469e20677

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
244KB

MD5
c6838cbf3bd5c5c1dc09c3ec9955d929

SHA1
461eb3882de393b005d866cfecfc7e780e25234e

SHA256
0a4beeac25eff8628d401210950872b5608eb777c587e60c360298e14238ea98

SHA512
d486993e71e969ca22ea7ed51e545f2c09d350d175437a038f8d2b8f3046689acf33d7ba0ad22054f61cea5f7de7ffc94346e43e0befb3d8b00fd9e1649f1507

Download Submit
\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
1.9MB

MD5
bd294a74e2f2b03c75bbd298293ba413

SHA1
8efad1777a3c28d883ea6bec4a8488d2d12f0e49

SHA256
6a6131050b76ad8af7d6315e5835efeed68a131c19b2ec3b734984ee0125cd59

SHA512
b0ec83be8adec2d90d1033b3510622e543ce46648948115d742fb72e09578ee35b8df5d9628c9fe051733d931e0b4c639b19a7119ab30db627664cd89a162de9

Download Submit
\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

Filesize
1.6MB

MD5
a4463381d3070aba5f4e42406579e9ed

SHA1
efe87616e75c8aff6f1d3bf3d5f9ce032b2452f8

SHA256
7b9a507cfa636b34fde12ad2da4a74b6fca50f560dfe76dcf4b6ba2739395be2

SHA512
2d4d0e306803b65e4b893c5c191526b21b155b21e8d3e2de7ccb4bebd3de25416dad4511af7a13b843dfac54cbe54df06765d1ccf4124bee406bbffe0bd19278

Download Submit
\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
297KB

MD5
aa41e2f01294022c393c17da2a2d934f

SHA1
4a9a0a302ede4579af3a1dc72280b77d8b04794d

SHA256
ea207d4baa2bad8f3cb653db5e8e326ad2f2d747c2deb28044dc44e41d7cffac

SHA512
053da105691cee3047295cd83f58d616417643c1b3b3f330b0f4377722792fbc3afdfac8b8a1a28d76951ac6c4da322e0b5a35872f9e9dbbba4692fd4c443e3a

Download Submit
memory/280-101-0x0000000000340000-0x00000000003C0000-memory.dmp

Filesize
512KB

Download
memory/280-134-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/280-133-0x0000000000340000-0x00000000003C0000-memory.dmp

Filesize
512KB

Download
memory/280-132-0x000007FEF6290000-0x000007FEF6C7C000-memory.dmp

Filesize
9.9MB

Download
memory/280-38-0x000007FEF6290000-0x000007FEF6C7C000-memory.dmp

Filesize
9.9MB

Download
memory/280-18-0x00000000002F0000-0x0000000000340000-memory.dmp

Filesize
320KB

Download
memory/2528-15-0x0000000000400000-0x0000000000C1E000-memory.dmp

Filesize
8.1MB

Download
memory/2660-88-0x0000000000A20000-0x0000000000A88000-memory.dmp

Filesize
416KB

Download
memory/2660-93-0x0000000000B70000-0x0000000000B90000-memory.dmp

Filesize
128KB

Download
memory/2660-46-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/2660-131-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download
memory/2660-44-0x0000000001270000-0x00000000012BA000-memory.dmp

Filesize
296KB

Download
memory/2660-53-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/2660-45-0x0000000074A80000-0x000000007516E000-memory.dmp

Filesize
6.9MB

Download