General

  • Target

    Installer.exe

  • Size

    7.7MB

  • Sample

    240317-w77spscf52

  • MD5

    9f4f298bcf1d208bd3ce3907cfb28480

  • SHA1

    05c1cfde951306f8c6e9d484d3d88698c4419c62

  • SHA256

    bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc

  • SHA512

    4c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806

  • SSDEEP

    98304:Rgl47z3Aldea5a/OhtJeq+4NK+dG7M0mWZsE6+YhU+dbkh4yiMP0Q:H/wld79ht+j1M0mWZsE6+YASy10Q

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021

Targets

    • Target

      Installer.exe

    • Size

      7.7MB

    • MD5

      9f4f298bcf1d208bd3ce3907cfb28480

    • SHA1

      05c1cfde951306f8c6e9d484d3d88698c4419c62

    • SHA256

      bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc

    • SHA512

      4c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806

    • SSDEEP

      98304:Rgl47z3Aldea5a/OhtJeq+4NK+dG7M0mWZsE6+YhU+dbkh4yiMP0Q:H/wld79ht+j1M0mWZsE6+YASy10Q

    • BlackGuard

      Infostealer first seen in late 2021.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
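
The extracted C2 above is a Telegram Bot API URL: the path carries the bot token (numeric bot id, a colon, then the secret) and the query carries the chat_id that receives the stolen data, so both the token and the chat_id are usable IOCs. The following added example, written for this report and not part of the sandbox's own tooling, parses that URL into its components, runs a simple exfiltration check over a few constructed proxy log lines (the log format, the source IPs and the second, benign bot token are assumptions made for the example), and checks a byte string against the sample's published hashes.

```python
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# C2 URL as extracted on this page.
C2_URL = ("https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM"
          "/sendMessage?chat_id=5445185021")

# Hashes of Installer.exe as listed in this report.
KNOWN_HASHES = {
    "md5": "9f4f298bcf1d208bd3ce3907cfb28480",
    "sha1": "05c1cfde951306f8c6e9d484d3d88698c4419c62",
    "sha256": "bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc",
}

# Bot API path: /bot<bot_id>:<secret>/<method>. Real secrets are 35 chars of [A-Za-z0-9_-].
TELEGRAM_BOT_PATH = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$"
)

# Methods that move data out of the victim network; getMe/getUpdates alone do not.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}


def parse_telegram_c2(url):
    """Return bot_id, token, method and chat_id for a Telegram Bot API URL, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TELEGRAM_BOT_PATH.match(parts.path)
    if not m:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": chat_id,
    }


# Constructed proxy log lines (assumed format: timestamp, source IP, HTTP method, URL).
# The first line replays the C2 from this report; the third uses a placeholder bot
# token that is not from the sample and only calls getMe, so it should not be flagged.
LOG_LINES = [
    "2024-03-17T19:44:01Z 10.0.0.15 POST " + C2_URL,
    "2024-03-17T19:44:03Z 10.0.0.15 GET https://www.microsoft.com/",
    "2024-03-17T19:45:10Z 10.0.0.22 GET https://api.telegram.org/"
    "bot1122334455:AAHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/getMe",
]


def find_telegram_exfil(lines):
    """Flag log lines where a host calls a Telegram Bot API send* method."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # malformed line; a real parser would log this
        ts, src, _http_method, url = fields
        c2 = parse_telegram_c2(url)
        if c2 and c2["method"] in EXFIL_METHODS:
            hits.append({"time": ts, "src": src, **c2})
    return hits


def matches_known_sample(data):
    """Return the set of hash algorithms for which `data` matches the report's IOCs."""
    return {
        algo for algo, digest in KNOWN_HASHES.items()
        if getattr(hashlib, algo)(data).hexdigest() == digest
    }


if __name__ == "__main__":
    print(parse_telegram_c2(C2_URL))
    for hit in find_telegram_exfil(LOG_LINES):
        print(f"{hit['time']} {hit['src']} -> bot {hit['bot_id']} chat {hit['chat_id']}")
```

Matching on the full token string is the tightest signature, since the token is unique to this bot; matching on `api.telegram.org` plus a `send*` method with a `chat_id` is the broader rule that also catches other samples of the same family, at the cost of flagging legitimate bot traffic in environments that use Telegram.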

MITRE ATT&CK Enterprise v15

Tasks