Overview

overview

10

Static

static

3

2f133fae54...0b.exe

windows7-x64

10

2f133fae54...0b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b

  • Size

    9.8MB

  • Sample

    240406-yfj9fahb5w

  • MD5

    8f31cb1de574e7070f0b756474968456

  • SHA1

    680aba2b6b0a4cfa1d106c3c8f732a89d261e265

  • SHA256

    2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b

  • SHA512

    825a889b23884c8cb3fbaf06de6184b387c087bf24bdca17380f0442523d49c97762a6b6150a8276d1ff414799728a340e9f9e114f36b045d865d7d2e5912b57

  • SSDEEP

    196608:iwumqqo5Kpjc4bSmpcxZJMI3LDbbxI0T1SwgfWtjen+7VMHFRMY:iwumRoApjc4bJKxzMcbbX2WNen++Hp

Score
10/10
blackguardspywarestealerupxvmprotect

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot7160282613:AAFbC1FSQC-98qkDv63fGJWl04i7irG3A2w/sendMessage?chat_id=5314341717

Targets

    • Target

      2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b

    • Size

      9.8MB

    • MD5

      8f31cb1de574e7070f0b756474968456

    • SHA1

      680aba2b6b0a4cfa1d106c3c8f732a89d261e265

    • SHA256

      2f133fae5486b86cbf0f65e82c309692c054557cc4fde262af158c489a7ec00b

    • SHA512

      825a889b23884c8cb3fbaf06de6184b387c087bf24bdca17380f0442523d49c97762a6b6150a8276d1ff414799728a340e9f9e114f36b045d865d7d2e5912b57

    • SSDEEP

      196608:iwumqqo5Kpjc4bSmpcxZJMI3LDbbxI0T1SwgfWtjen+7VMHFRMY:iwumRoApjc4bJKxzMcbbX2WNen++Hp

    Score
    10/10
    blackguardspywarestealerupxvmprotect

    • BlackGuard

      Infostealer first seen in Late 2021.

      stealerblackguard

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing SQL queries to confidential data stores. Observed in infostealers

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables packed with VMProtect.

    • Detects executables referencing Discord tokens regular expressions

    • Detects executables referencing credit card regular expressions

    • Detects executables referencing many VPN software clients. Observed in infosteslers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables using Telegram Chat Bot

    • UPX dump on OEP (original entry point)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • VMProtect packed file

      Detects executables packed with VMProtect commercial packer.

      vmprotect

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks