Overview

overview

10

Static

static

10

Valkyria.exe

windows7-x64

10

Valkyria.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    63s
  • max time network
    64s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 07:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Valkyria.exe

  • Size

    8.2MB

  • MD5

    1626922cadeeedea404cadfe628d7e16

  • SHA1

    9323dbefdd49c84ae79e188b79bac5cee2ab6a6e

  • SHA256

    202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49

  • SHA512

    80d0d6b93a8b85e2ed0fb6dee775b6f40f6d39381640c8e8ab3309f58e84d8b17e86b321849a2ffdfa4b7dd39736730b5a1d822f95a20153c1d41d52b604a9e0

  • SSDEEP

    196608:68oppJhh2fJB0ZOFkGEWZd7HFApko0eYOiKddHB2icEPld6aGXAr5xN:6jppJEJB0ZOFNVZRlekSFPvHlQAxN

Score
10/10
blackguardnjratevasionspywarestealertrojan

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot5865379362:AAEUbyvhTdYJ7SmCp7YyfRe8OBV_Jrj9iqg/sendMessage?chat_id=5481385928

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • njRAT/Bladabindi

    Widely used RAT written in .NET.

    trojannjrat
  • Modifies Windows Firewall 2 TTPs 1 IoCs
    evasion
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Valkyria.exe
    "C:\Users\Admin\AppData\Local\Temp\Valkyria.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe
      "C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Users\Admin\AppData\Local\Temp\server.exe
        "C:\Users\Admin\AppData\Local\Temp\server.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1820
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
          4⤵
          • Modifies Windows Firewall
          PID:3604
    • C:\Users\Admin\AppData\Local\Temp\Everything.exe
      "C:\Users\Admin\AppData\Local\Temp\Everything.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2396
      • C:\Users\Admin\AppData\Local\Temp\Natasha.exe
        "C:\Users\Admin\AppData\Local\Temp\Natasha.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Everything.exe
    Filesize

    7.7MB

    MD5

    37f6f35584fac7f216e69e813d4b7c10

    SHA1

    ddb093f14e5f2beb0512ac828448ff06d0237312

    SHA256

    cc17414b5bd2db809411f93256535e78d0c97f42fe86b6cc3119aa7c33c6e3c3

    SHA512

    917368e662428827f8477cc5915e41f6a06324f0e49721f807a6003740749261a219a25cd3d9a43d1a5714c73930e4b2da1240d2a9f108a62b11f990dc42a09e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Natasha.exe
    Filesize

    270KB

    MD5

    0ad61d702d2aca6801a833ec1d4bf5f7

    SHA1

    d4117c6c5c0ae71ee0ccd2554ab40fe69796c519

    SHA256

    e4668273e4cafe5a9a083eaa0d4d52ca1ba707e37ecb715c1b97de1dbb67faf4

    SHA512

    a0743430cabc74edb8600c71a4513ab83d21542a8088d230cd15e070d6b2b2d70dab057dd1bbd1968836bc0f3b3aceb90b98024b889503c6a28926475185e6ec

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
    Filesize

    571KB

    MD5

    169b6d383b7c650ab3ae2129397a6cf3

    SHA1

    fcaef7defb04301fd55fb1421bb15ef96d7040d6

    SHA256

    b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

    SHA512

    7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll
    Filesize

    1.3MB

    MD5

    0a1e95b0b1535203a1b8479dff2c03ff

    SHA1

    20c4b4406e8a3b1b35ca739ed59aa07ba867043d

    SHA256

    788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

    SHA512

    854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll
    Filesize

    410KB

    MD5

    056d3fcaf3b1d32ff25f513621e2a372

    SHA1

    851740bca46bab71d0b1d47e47f3eb8358cbee03

    SHA256

    66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

    SHA512

    ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe
    Filesize

    93KB

    MD5

    ac79af1c488ed1bc1b289e0eb8d89714

    SHA1

    913ceaaaf7664bb83a496ebe746b6d12bb1e5e9a

    SHA256

    dc8e217ced1f36323ce6c237fdaa330e342063a819c13defe3b248ee84c1d492

    SHA512

    cd09c7c5e60ba946f7c83001876f3d5c48eab06c259324a7941161978531a175d00142cd486ff7cf0d2d461a651745808361e894346259ac079cc90eb42022cc

    Download Submit

  • C:\Users\Admin\AppData\Roaming\OBJIYUIE.Admin\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\Users\Admin\AppData\Roaming\OBJIYUIE.Admin\Process.txt
    Filesize

    1KB

    MD5

    99a65e6ae65c69007a29e6f3509834de

    SHA1

    42629c4d3ec3f6d82cf97b47c9fdfc0607338dc1

    SHA256

    db9792731555337b31bfc9a6b10868b567afa83b45c8c4e49b15eb9af39be4c2

    SHA512

    0e9b37c45d4cef8397b93196b2ec99a60a97818b64e820832b11f9c5148d4ad81db942fcdc3ab664a31fdbe30ab7ae5f8470fd63a9472969a3e9b3208c77f72e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\app
    Filesize

    5B

    MD5

    d43c5b07c128b116b7bc8faf7b8efa9d

    SHA1

    dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa

    SHA256

    80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f

    SHA512

    618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334

    Download Submit

  • memory/2864-18-0x0000000073DC0000-0x0000000074371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2864-19-0x0000000073DC0000-0x0000000074371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2864-13-0x0000000073DC2000-0x0000000073DC3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2864-122-0x0000000073DC0000-0x0000000074371000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/3260-17-0x0000000000400000-0x0000000000C30000-memory.dmp

    Filesize

    8.2MB

    Download

  • memory/3488-111-0x0000000006520000-0x0000000006588000-memory.dmp

    Filesize

    416KB

    Download

  • memory/3488-123-0x0000000006A30000-0x0000000006A6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3488-114-0x00000000064B0000-0x00000000064FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3488-107-0x0000000005460000-0x0000000005482000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3488-92-0x0000000005560000-0x00000000055B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3488-124-0x0000000005BD0000-0x0000000005BF1000-memory.dmp

    Filesize

    132KB

    Download

  • memory/3488-129-0x00000000078C0000-0x0000000007A82000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/3488-76-0x0000000006010000-0x00000000060A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3488-112-0x0000000006590000-0x00000000068E4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3488-57-0x0000000005C30000-0x0000000005CC2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3488-135-0x0000000008040000-0x00000000085E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3488-51-0x0000000000810000-0x000000000085A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3488-223-0x0000000007B90000-0x0000000007BF6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3488-226-0x0000000007C70000-0x0000000007CE6000-memory.dmp

    Filesize

    472KB

    Download

  • memory/3488-227-0x0000000007890000-0x00000000078AE000-memory.dmp

    Filesize

    120KB

    Download