General

  • Target

    Backdoor.Win32.Poison.ggrf-9ded158155f6ea7b0546f7b9f4232c6ab8a83dfa4a4a4541ad568c40701ccf63

  • Size

    7.7MB

  • Sample

    240229-hp3t5shg56

  • MD5

    6584904d4b82003ab55cc4e409e3c3d1

  • SHA1

    00c2fdbad40ef28ee824930d6f951d8cc4cdbd22

  • SHA256

    9ded158155f6ea7b0546f7b9f4232c6ab8a83dfa4a4a4541ad568c40701ccf63

  • SHA512

    a4a0cdeb31b23f2abf4524354f9b1ab83c348ceb5f6c200db72cd0768dfe50f2ae4c6562ee9f6b1fe5e342ba1d61654bbf92d853aebda1d8c24d29da5184b41e

  • SSDEEP

    196608:7SsB3UHB58UTesBenxj2xwMz8Yi9pZpVU/E/YJsaMf:7SKkftTesBUWbotpKJsaS

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot6998282917:AAFTftoiI1iDK69cdnpTF9-X_NW2zLUTJMQ/sendMessage?chat_id=6569859833

Targets

    • BlackGuard

      Infostealer first seen in late 2021.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing SQL queries to confidential data stores. Observed in infostealers.

    • Detects executables containing common artifacts observed in infostealers.

    • Detects executables referencing Discord token regular expressions.

    • Detects executables referencing credit card regular expressions.

    • Detects executables referencing many VPN software clients. Observed in infostealers.

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers.

    • Detects executables using a Telegram chat bot.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15
