Analysis
-
max time kernel
142s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
-
submitted
22-02-2024 16:06
General
-
Target
Fluxus.exe
-
Size
7.7MB
-
MD5
b467c46d660686e75e40341c0c7ff3b2
-
SHA1
109d3de55143ca891844ea9450c0f724a3f0a6c9
-
SHA256
755cf8ab4b9d456e9a75fe22b5b54da8de5d8c125e288d96d913cacb9402fafa
-
SHA512
1d427f295722ae3194b328e3f2ba5abba7f0ef0f30d49a9662360fb4eaaed0cdf70d841eea84b09bae99fd5d1de5de91656a238f7c03985c24b41a8e36f210b1
-
SSDEEP
196608:nHWp1r9qaKBgngb8KiqYy2+yrTleWDdC7P6hZ0Rxd3:nHWp1r2aq9yPlN0zmYX
Malware Config
Extracted
blackguard
https://api.telegram.org/bot6483219642:AAFWWWbNgdseifC8eEZUAO7r5AzREdOAdQg/sendMessage?chat_id=6282952772
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 45 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Fluxus.exe"C:\Users\Admin\AppData\Local\Temp\Fluxus.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\v2.exe"C:\Users\Admin\AppData\Local\Temp\v2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
571KB
MD5169b6d383b7c650ab3ae2129397a6cf3
SHA1fcaef7defb04301fd55fb1421bb15ef96d7040d6
SHA256b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf
SHA5127a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87
-
Filesize
1.3MB
MD50a1e95b0b1535203a1b8479dff2c03ff
SHA120c4b4406e8a3b1b35ca739ed59aa07ba867043d
SHA256788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e
SHA512854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e
-
Filesize
410KB
MD5056d3fcaf3b1d32ff25f513621e2a372
SHA1851740bca46bab71d0b1d47e47f3eb8358cbee03
SHA25666b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9
SHA512ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180
-
Filesize
271KB
MD548659a7389db03a5b15080464cf2e746
SHA1854df29ea26c0610aba91834999a3929616f2a7b
SHA2568e1d929d82cc5bb3d4f959eabddf69e43eeac17a90986c87a1b2bf1626c62dc9
SHA512c3759af061ed7382f16a0769e77197441a441e0b69dd3647413243cfa6f349246a3a8cea34909d6f549be78881dd4c9a91a06a01d839a68343f1859f0bb6e3c9
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
745B
MD5f3f539d4190238862a5de75ec3d11590
SHA19842f80cf84fea330e629a3109b420c06ddde209
SHA256cad43b09440ce65c7df2ebdec1eebd1f06b046afac979d26b4f7e59ded43a35a
SHA512fe11e3fccbe13240bd676bded9b7a4fccd99dae81b1409042f294296d2c2954d37be44e46da3d6b30b1e86853d273e7ad3370186a572332d92dad5cd36b1b976
-
Filesize
1KB
MD55626e38b38b9489002d18a39d238130b
SHA1eae19b17fa9eced75866df03dbe278b6e417eb86
SHA2560940ac0724e32401ea89522b157504a720a420a1e548b9335d4e1dc7e25eff11
SHA51219b731f42b69808b432294171201785446c47f8f8c69de84859f352fe1d25679fab0342aa64bd0d535b3572990fb0f9a31f7d1e543465d38242e27c86bda7b99
-
Filesize
7.2MB
MD5e79cbf4b8cef12fc28460c57083f1186
SHA13ef31989b8d2199edd8e01997656ce4e0dd5e18d
SHA256d95c7b2e5cac794ad6116e26a9bd394164c2f29775cd8d419d57b513ab974bc2
SHA512a43193ff935df9dc4ac0cd1c1d3f51a50d8a17f518af18a47ce67a825b0e6065a5b8cb05cd2d44e746c863bc4b5232facffd250d836a13ca7417ee4d50f4e06d
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
296KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
120KB
-
Filesize
584KB
-
Filesize
132KB
-
Filesize
320KB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
416KB
-
Filesize
3.3MB
-
Filesize
304KB
-
Filesize
1.8MB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB