blackguard | 755cf8ab4b9d456e9a75fe22b5b54da8de5d8c125e288d96d913cacb9402fafa

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22-02-2024 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fluxus.exe
Size

7.7MB
MD5

b467c46d660686e75e40341c0c7ff3b2
SHA1

109d3de55143ca891844ea9450c0f724a3f0a6c9
SHA256

755cf8ab4b9d456e9a75fe22b5b54da8de5d8c125e288d96d913cacb9402fafa
SHA512

1d427f295722ae3194b328e3f2ba5abba7f0ef0f30d49a9662360fb4eaaed0cdf70d841eea84b09bae99fd5d1de5de91656a238f7c03985c24b41a8e36f210b1
SSDEEP

196608:nHWp1r9qaKBgngb8KiqYy2+yrTleWDdC7P6hZ0Rxd3:nHWp1r2aq9yPlN0zmYX

Score

10^/10

blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6483219642:AAFWWWbNgdseifC8eEZUAO7r5AzREdOAdQg/sendMessage?chat_id=6282952772

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Executes dropped EXE 1 IoCs

pid	Process
2632	v2.exe

Loads dropped DLL 8 IoCs

pid	Process
1540	Fluxus.exe
2632	v2.exe
2632	v2.exe
2632	v2.exe
2632	v2.exe
2632	v2.exe
2632	v2.exe
2632	v2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
3	freegeoip.app
6	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	v2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2632	v2.exe
2632	v2.exe
2632	v2.exe
2632	v2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	v2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 2632	1540	Fluxus.exe	28
PID 1540 wrote to memory of 2632	1540	Fluxus.exe	28
PID 1540 wrote to memory of 2632	1540	Fluxus.exe	28
PID 1540 wrote to memory of 2632	1540	Fluxus.exe	28

C:\Users\Admin\AppData\Local\Temp\Fluxus.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Users\Admin\AppData\Local\Temp\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
380KB

MD5
d333bb0a1c60917880827e88193befe1

SHA1
74653604cb674197791563bd14c872d46ade97dd

SHA256
6ce7164839cf9ed82982cb8c910784985c7f6b924a9644796dcea1acf00b3cb3

SHA512
a793eb20e126afa2cef8cffc836980ad0b8b9fc662490f9d4427c0a12b84b0786e9bba1dbc0096bc5df35a449f8cae151f0b1eb4fc901d05ffc4aba31f348795

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
10KB

MD5
eccff518061fda027aae178904523e6b

SHA1
6a061661548cb01258f06e1eabcca3fbfdf30fdc

SHA256
cc2921ba506fcccc74c1f5a3ac76f94afe3f56bd033c0c055a783a4d3010d855

SHA512
fadaaec57f3a3ef340d8a875d45c5acf65a5854747e4a3975884e5cd2a04f5dc3fe681e1e21205b0b08ac5a57f28fc289f3592166c0249ee25547f158cfe8e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
63KB

MD5
d695c0700fb1b33ad46c61e8f0c3f74a

SHA1
1966bdf1bf221ba14de4d4f15380184698853641

SHA256
a80593783e03552f356a4bdf56107cba7103b1e02d7440352ed8da1f2f9160f9

SHA512
95858b7c4133ab82ca1ccb6b2be0f9f6057802367e1633faa6cce8f540068a98a50899a7c0c0dda9f01a83c1dadfca21c14da03362391dab434c92124d4e59ae

Download Submit
C:\Users\Admin\AppData\Roaming\FPuDNKXIPPCKF.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
231KB

MD5
ce5c5527a7c9088606b76cf4d6d9d5c7

SHA1
989c69ab5017005b197a0a2796ae4c7751c0190e

SHA256
7a64ae446a4e7758d2b5e414d822cf9898cf33c69b518a66e5c968306de55b38

SHA512
0b389409e70d901c16ed84273f149de34d78c708f36c29820ee0f7a1789a3d4f8249658213427911edd383f070bf7e540c82de1050ef9909e5e4430e5984a072

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
258KB

MD5
63f7aa9e83a34746fd5dfef060f9d7de

SHA1
d186e222dd8afd85bff5e6c336b6dc4eaf7a9089

SHA256
2ba0c759688448a38a61e6b719b8ce3a85409d1c3624bad4994d39c52aef20c8

SHA512
8a01ee619720aa3616366de50352a1c541425abd9a6d1cfb877113de4addc16024dcde1ebe89a2dad1b9285fd4a820312392311a16a6fc8ee38e9e6a50cea9a5

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
332KB

MD5
4d91b2b9544370f19895b4eb40a720ba

SHA1
bcb72b5ec328b5696c8cc9933bdb890aea4ec484

SHA256
5d485ba551743497433394f0b816a5e0dda46d756f7d8c89cee9b4d18b07ae42

SHA512
811b1aafb1acd605a3c99a14150b638c433278e255f402ce35856bd8c6b87fa4e6843307506736c1b140b93c03687fb92a46a2acfe4787ba1bebe112f42b2c8b

Download Submit
\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
203KB

MD5
b557f9e1239104386b85b206c060a126

SHA1
3389a260d84ad877fcb3af8bd471173c37ad80b8

SHA256
6abf694d9a319f02494f008861846fe2b9d7cdd966af6aebca2722745454dc09

SHA512
3885c23abc9f86f7602bdeaf9b36127901d04b8ad44e62ce08ed7c36be903f3c5a3ad6a73f5336e8eccf7fe6e241ce86553893cba44e449123243a97d4cca0c5

Download Submit
\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
34KB

MD5
28ec87879b9c3030127d6306bdfcdfb8

SHA1
484421666ba1ac9db09b3c599404399dd9754e85

SHA256
80e7e74fac4ce5c38cba60e5604268fcdcacf865ce633f9843800222c517908e

SHA512
dfca4f370dd82266531dfd30d413b0db1882e84a81ce164cad263e8cc147c06306b7ca1ff2824cc6ee61e668a1270136d1cb9cf18fd5a1ecd938aaef62c18a4a

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
89KB

MD5
7bf5bf9352dabcccd6e274557617d927

SHA1
d3a79b150fd81102aeac4d26edbe094ac5354665

SHA256
81329d1974a740cdae730ad51528a2f4230134b7ef92ebff8490db7231d3214f

SHA512
731f196a4537c4b74bafa3f50a98fd2013b3dce8fa372c65920c55353955be5fbdb86c2542ee1117786e4e67c4206a821ecd5e7be0efdf89075988b513d1062d

Download Submit
\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
124KB

MD5
20869da53e4aeee383e3c839c180bce0

SHA1
6ec5527c2736961c5504e68b612ed305e2703f14

SHA256
3a86b0401dfea9eb1ed75a373a54494d27723ba911e0e07a9c205ea91c97330e

SHA512
6e4e58a4d6850df1081ed886e7ee6da3dc70f33e05003c9f7c20590ac3fb601373377a8653f0c652867ca90978bba9cabfafa8a4a482bf3c9c126e4687b2b8c4

Download Submit
\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
48659a7389db03a5b15080464cf2e746

SHA1
854df29ea26c0610aba91834999a3929616f2a7b

SHA256
8e1d929d82cc5bb3d4f959eabddf69e43eeac17a90986c87a1b2bf1626c62dc9

SHA512
c3759af061ed7382f16a0769e77197441a441e0b69dd3647413243cfa6f349246a3a8cea34909d6f549be78881dd4c9a91a06a01d839a68343f1859f0bb6e3c9

Download Submit
memory/2632-38-0x0000000004CA0000-0x0000000004D32000-memory.dmp

Filesize
584KB

Download
memory/2632-28-0x00000000045D0000-0x0000000004610000-memory.dmp

Filesize
256KB

Download
memory/2632-69-0x0000000004B20000-0x0000000004B88000-memory.dmp

Filesize
416KB

Download
memory/2632-27-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-26-0x00000000008B0000-0x00000000008FA000-memory.dmp

Filesize
296KB

Download
memory/2632-74-0x00000000044C0000-0x00000000044E0000-memory.dmp

Filesize
128KB

Download
memory/2632-111-0x0000000074850000-0x0000000074F3E000-memory.dmp

Filesize
6.9MB

Download