Analysis
max time kernel: 143s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-01-2024 13:56

Static task: static1
Behavioral task: behavioral1
Sample: VZLOMJOPY.exe
Resource: win7-20231215-en
General
Target: VZLOMJOPY.exe
Size: 8.1MB
MD5: ea8806ecab4b3ac8ec9ff7c42aab11f6
SHA1: 627358ec908dafa1df6ee04a8a2920ecccb4b5d9
SHA256: 4adb1da79a395bb35ef08bccc0bc047e27ffaf87b3671ad213426033df2f66ea
SHA512: 58663574eb44fccabd5ebe479cb9374b97ec339c56265b6e4b758043ab53876dbc6334ce50edaabde7560d078b4f14a14485c63e3361b43ae1183d6a2c688c24
SSDEEP: 196608:D58t3afccVSE+mfkSV6qfwI7fRxzpkhuUgF5io7:DWt3afccqmfLh7pfdF5i0
Malware Config
Extracted: xworm
- 5.0
- 5.39.43.50:5060
- 26CtPZOKzqwVA6P2
- install_file: USB.exe

Extracted: blackguard
- https://api.telegram.org/bot6890098459:AAHjv04XcY7xWyP2Vkp5g2wyR9vE4yvtyHs/sendMessage?chat_id=937347419
Signatures

BlackGuard
Infostealer first seen in late 2021.

Detect Xworm Payload (2 IoCs)
- resource: behavioral2/files/0x0007000000023121-5.dat; yara_rule: family_xworm
- resource: behavioral2/memory/4852-15-0x0000000000210000-0x0000000000260000-memory.dmp; yara_rule: family_xworm

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation; Process: VZLOMJOPY.exe
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation; Process: VegaStealer_v2.exe

Executes dropped EXE (3 IoCs)
- pid: 4852; Process: XClient.exe
- pid: 968; Process: VegaStealer_v2.exe
- pid: 768; Process: v2.exe

Loads dropped DLL (5 IoCs)
- pid: 768; Process: v2.exe (5 entries)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow: 42; ioc: ip-api.com
- flow: 24; ioc: freegeoip.app
- flow: 25; ioc: freegeoip.app

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- description: Key opened; ioc: \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0; Process: v2.exe
- description: Key value queried; ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier; Process: v2.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid: 768; Process: v2.exe (4 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- description: Token: SeDebugPrivilege; pid: 4852; Process: XClient.exe
- description: Token: SeDebugPrivilege; pid: 768; Process: v2.exe

Suspicious use of WriteProcessMemory (8 IoCs)
- description: PID 4180 wrote to memory of 4852; pid: 4180; Process: VZLOMJOPY.exe; procid_target: 86 (2 entries)
- description: PID 4180 wrote to memory of 968; pid: 4180; Process: VZLOMJOPY.exe; procid_target: 87 (3 entries)
- description: PID 968 wrote to memory of 768; pid: 968; Process: VegaStealer_v2.exe; procid_target: 88 (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe (command line: "C:\Users\Admin\AppData\Local\Temp\VZLOMJOPY.exe"), PID:4180
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\XClient.exe (command line: "C:\Users\Admin\AppData\Local\Temp\XClient.exe"), PID:4852
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe (command line: "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"), PID:968
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\v2.exe (command line: "C:\Users\Admin\AppData\Local\Temp\v2.exe"), PID:768
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads