blackguard | fe364ddbfe5b0fdd34ca1f2de1f901f8b1097ae9a4d0cee649d3a09e1c02518c

Sharing

Copy URL

Twitter E-mail

General

Target

fe364ddbfe5b0fdd34ca1f2de1f901f8b1097ae9a4d0cee649d3a09e1c02518c
Size

271KB
MD5

9f6a3708aefe70bc0dce3791933daa15
SHA1

955d4199f1e6b4baa1505facbc706dd3f4f216e5
SHA256

fe364ddbfe5b0fdd34ca1f2de1f901f8b1097ae9a4d0cee649d3a09e1c02518c
SHA512

9e70cdc23bffd3e08a3efd848490ad591a1cd45aa7e9785c639f44af2282241b806a306dec0a1c6a8823d0d973709fa581638473ba9b402e9835d43d1dfc5edb
SSDEEP

6144:VmYKJMVRp9hnmy0UYU9B93YUnLbB62X3Rb36h3BQ:uJ0Rp9hzL82ghRQ

Score

10^/10

blackguard

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot6791527720:AAGAcaNpEBFqTzq72qgKaCrjniEEB3GQpKo/sendMessage?chat_id=1160270288

Signatures

Blackguard family
blackguard

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Detects executables containing common artifacts observed in infostealers 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_GENInfoStealer

Detects executables referencing Discord tokens regular expressions 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_Discord_Regex

Detects executables referencing credit card regular expressions 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_CC_Regex

Detects executables referencing many VPN software clients. Observed in infosteslers 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_References_VPN

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables using Telegram Chat Bot 1 IoCs

resource	yara_rule
sample	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fe364ddbfe5b0fdd34ca1f2de1f901f8b1097ae9a4d0cee649d3a09e1c02518c

Files

fe364ddbfe5b0fdd34ca1f2de1f901f8b1097ae9a4d0cee649d3a09e1c02518c
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 269KB - Virtual size: 268KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

File Characteristics

Imports

mscoree

Sections

.text Size: 269KB - Virtual size: 268KB

.rsrc Size: 1KB - Virtual size: 1KB

.reloc Size: 512B - Virtual size: 12B

.text
Size: 269KB - Virtual size: 268KB

.rsrc
Size: 1KB - Virtual size: 1KB

.reloc
Size: 512B - Virtual size: 12B