Overview

overview

10

Static

static

1

b344cae600...02.exe

windows7-x64

10

b344cae600...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-03-2024 22:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b344cae600dfbd1b6128308fb5dd0902.exe

  • Size

    1.7MB

  • MD5

    b344cae600dfbd1b6128308fb5dd0902

  • SHA1

    454e8ff06373b2faf985afd03faa68bfcf558b30

  • SHA256

    3baba0e5ac69f265b2b01a091ffd6a39b27c1cd897337d6dfe5bb08643c7c619

  • SHA512

    5404eb514b8d861dcc84577163bd0f861809e8bc53e2ca6444ff142263ab170b30de48d321ff17d293b51888269c954424cde31c170c39cc4c031693fc2c85b7

  • SSDEEP

    49152:ArxVV0DLYe8UTCEhVMrVKFJnSw46ezzkp5a4XAtF5ijsyU4Cof:KVVvLUGSWMvSw46eM5jXK+jsH

Score
10/10
44caliberblackguardspywarestealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1949371393:AAHUhcBi4jT-n7M-0jdnFN7sSCcZev8Wgv8/sendMessage?chat_id=578325291

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b344cae600dfbd1b6128308fb5dd0902.exe
    "C:\Users\Admin\AppData\Local\Temp\b344cae600dfbd1b6128308fb5dd0902.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit
  • C:\ProgramData\44\Process.txt
    Filesize

    209B

    MD5

    c251a869b18ce56ace7fe3a99a2013e9

    SHA1

    d10f13ecf7d05cadc067895af2914e8bc5e94a31

    SHA256

    5f5b31207067865851a55ce1c575832269ca62c043e7f1671f88b19413d204d5

    SHA512

    dadc6c6fe29968dd6b811c17e567ff9a384fdcaae9abff512e659d89317d4c15cec594eaa1cf3615c67f4b5d9852b863881ae5f3adda330965fa3a8701f0bf79

    Download Submit
  • C:\ProgramData\44\Process.txt
    Filesize

    412B

    MD5

    2165c0d6893c9546871def8aea0c51fa

    SHA1

    e6ba6b3239e830af39806e33fd900ad43aa838a8

    SHA256

    a20efa9be954de391c0f784b30670316e60addd2a6c5fb8f647725f625849c32

    SHA512

    2ff27fbb54d26e22b8f8b19773958962e0a621b688ac079ac0543cd153564ebdb6a636afcc160c5d08b4eb4b489806956a535b710cb29b795693785301f48818

    Download Submit
  • memory/2128-0-0x00000000013C0000-0x00000000018A2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/2128-2-0x0000000074160000-0x000000007484E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2128-1-0x00000000013C0000-0x00000000018A2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/2128-3-0x0000000005AE0000-0x0000000005B20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2128-75-0x0000000000F30000-0x0000000000F3A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2128-76-0x0000000000F40000-0x0000000000F48000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2128-79-0x00000000013C0000-0x00000000018A2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/2128-80-0x0000000074160000-0x000000007484E000-memory.dmp
    Filesize

    6.9MB

    Download