blackguard | 755cf8ab4b9d456e9a75fe22b5b54da8de5d8c125e288d96d913cacb9402fafa

Analysis

max time kernel
27s
max time network
44s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24-02-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fluxus.exe
Size

7.7MB
MD5

b467c46d660686e75e40341c0c7ff3b2
SHA1

109d3de55143ca891844ea9450c0f724a3f0a6c9
SHA256

755cf8ab4b9d456e9a75fe22b5b54da8de5d8c125e288d96d913cacb9402fafa
SHA512

1d427f295722ae3194b328e3f2ba5abba7f0ef0f30d49a9662360fb4eaaed0cdf70d841eea84b09bae99fd5d1de5de91656a238f7c03985c24b41a8e36f210b1
SSDEEP

196608:nHWp1r9qaKBgngb8KiqYy2+yrTleWDdC7P6hZ0Rxd3:nHWp1r2aq9yPlN0zmYX

Score

10^/10

blackguard spyware stealer

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6483219642:AAFWWWbNgdseifC8eEZUAO7r5AzREdOAdQg/sendMessage?chat_id=6282952772

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	Fluxus.exe

Executes dropped EXE 1 IoCs

pid	Process
2944	v2.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	v2.exe
2944	v2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	freegeoip.app
17	freegeoip.app
31	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2944	v2.exe
2944	v2.exe
2944	v2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	v2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4448 wrote to memory of 2944	4448	Fluxus.exe	88
PID 4448 wrote to memory of 2944	4448	Fluxus.exe	88
PID 4448 wrote to memory of 2944	4448	Fluxus.exe	88

C:\Users\Admin\AppData\Local\Temp\Fluxus.exe
"C:\Users\Admin\AppData\Local\Temp\Fluxus.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Local\Temp\v2.exe
  "C:\Users\Admin\AppData\Local\Temp\v2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
352KB

MD5
0fbbfa511a3a4bf530aa384ca1315a37

SHA1
e93d8aa32c7ff86d44dfd7245e874035bd9155d0

SHA256
0f9fa78d8c993ea603faf19e148320d112faa6f1bc3030dbee64508db326e05c

SHA512
f0c9728cc003e5329e74d61797eeff7977bc3b9b12511cfc348b3ebc8b2db11d604a83c4fa15ace15218d309d3fa3199c43b52192c263c4681d302a8a3045bd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
571KB

MD5
169b6d383b7c650ab3ae2129397a6cf3

SHA1
fcaef7defb04301fd55fb1421bb15ef96d7040d6

SHA256
b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

SHA512
7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
803KB

MD5
bc1361e07659bb97fdf236e537d055dd

SHA1
fcf810d945b546c827353795822733130a9a2603

SHA256
84c4b5a4a1dc75315c9a56c4dd79a1658015e7b50e03137dced57674551de2cf

SHA512
1a4d60e9a06f12dfdd45093a10f38496d808e3da897469bca12e3f505d02b0c1f548c7dc21b44c6e20377d17587e967005348834717d4b0df30725b4ded8e203

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
677KB

MD5
1b5397b8ca30c0998c0de3f58d166a63

SHA1
62bd8f56a63f298b23e582181822f517972a131b

SHA256
753e254e4efec9f2b0aee44e15d7aed8372f6656345a9fb68107c78a4c6e33e0

SHA512
6c23f94986fd4c98a00d78952cb657fa053ee3cd05947f90cfbc17e51701361f2a8bb1c7c0a24c88800b863b9d0f989e8d500758af6903cd3efdfab290241cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
410KB

MD5
056d3fcaf3b1d32ff25f513621e2a372

SHA1
851740bca46bab71d0b1d47e47f3eb8358cbee03

SHA256
66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

SHA512
ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2.exe

Filesize
271KB

MD5
48659a7389db03a5b15080464cf2e746

SHA1
854df29ea26c0610aba91834999a3929616f2a7b

SHA256
8e1d929d82cc5bb3d4f959eabddf69e43eeac17a90986c87a1b2bf1626c62dc9

SHA512
c3759af061ed7382f16a0769e77197441a441e0b69dd3647413243cfa6f349246a3a8cea34909d6f549be78881dd4c9a91a06a01d839a68343f1859f0bb6e3c9

Download Submit
C:\Users\Admin\AppData\Roaming\wNRFuNHywLPXTVVXHFRNNJNFKIXJTUOD.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\wNRFuNHywLPXTVVXHFRNNJNFKIXJTUOD.Admin\Process.txt

Filesize
459B

MD5
84867d1321d496d3424d6af4fc66007b

SHA1
1faf157923605b6082acd768470560b871f153c7

SHA256
dc577db4e563b4e42fe72674de505fb08851a56430d1483edeea65d409457258

SHA512
199d51c5675d380211fa4839a9d9a97cd0b6a1843af2291b89e4b53db41b22111e6e67426b77660534e6c1912353d1acf816261f485eab6f37eafe143c6d18a8

Download Submit
C:\Users\Admin\AppData\Roaming\wNRFuNHywLPXTVVXHFRNNJNFKIXJTUOD.Admin\Process.txt

Filesize
1KB

MD5
52ecb261f9a5fc8334b9c4192805eb2e

SHA1
beb79d8b40f333d652957b6df2e1306e3806056e

SHA256
9a8632ef146aef78fcda12e20daa13929546ece2b00901a699356ff914e412a4

SHA512
747bb391d60b66b8313e29a058db924e8fbc35cf5fc0daad0ffc007eb5b0acbacb457d8ed57b4246cc949b8fc8426b3a588ea1c644cbe522dc6ed4039ebd8e7c

Download Submit
memory/2944-31-0x0000000000BA0000-0x0000000000BEA000-memory.dmp

Filesize
296KB

Download
memory/2944-97-0x0000000006030000-0x0000000006051000-memory.dmp

Filesize
132KB

Download
memory/2944-89-0x0000000005E30000-0x0000000005E98000-memory.dmp

Filesize
416KB

Download
memory/2944-84-0x0000000005690000-0x00000000056E0000-memory.dmp

Filesize
320KB

Download
memory/2944-90-0x0000000006A00000-0x0000000006D54000-memory.dmp

Filesize
3.3MB

Download
memory/2944-91-0x0000000005DC0000-0x0000000005E0C000-memory.dmp

Filesize
304KB

Download
memory/2944-39-0x00000000066C0000-0x0000000006752000-memory.dmp

Filesize
584KB

Download
memory/2944-30-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download
memory/2944-96-0x0000000006E60000-0x0000000006E9C000-memory.dmp

Filesize
240KB

Download
memory/2944-85-0x0000000005C10000-0x0000000005C32000-memory.dmp

Filesize
136KB

Download
memory/2944-102-0x0000000007E40000-0x0000000008002000-memory.dmp

Filesize
1.8MB

Download
memory/2944-106-0x00000000085C0000-0x0000000008B64000-memory.dmp

Filesize
5.6MB

Download
memory/2944-32-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/2944-193-0x00000000084A0000-0x0000000008506000-memory.dmp

Filesize
408KB

Download
memory/2944-35-0x0000000006760000-0x00000000067F2000-memory.dmp

Filesize
584KB

Download
memory/2944-194-0x0000000008510000-0x0000000008586000-memory.dmp

Filesize
472KB

Download
memory/2944-195-0x0000000007050000-0x000000000706E000-memory.dmp

Filesize
120KB

Download
memory/2944-198-0x00000000750C0000-0x0000000075870000-memory.dmp

Filesize
7.7MB

Download