blackguard | 202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49 | Triage

Resubmissions

22-05-2024 07:50

240522-jpeb8agg24 10

22-05-2024 07:46

240522-jlztragf56 10

Sharing

General

Target

Valkyria.exe
Size

8.2MB
Sample

240522-jlztragf56
MD5

1626922cadeeedea404cadfe628d7e16
SHA1

9323dbefdd49c84ae79e188b79bac5cee2ab6a6e
SHA256

202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49
SHA512

80d0d6b93a8b85e2ed0fb6dee775b6f40f6d39381640c8e8ab3309f58e84d8b17e86b321849a2ffdfa4b7dd39736730b5a1d822f95a20153c1d41d52b604a9e0
SSDEEP

196608:68oppJhh2fJB0ZOFkGEWZd7HFApko0eYOiKddHB2icEPld6aGXAr5xN:6jppJEJB0ZOFNVZRlekSFPvHlQAxN

Score

10^/10

blackguard njrat svhost evasion spyware stealer trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

SvHost

C2

hakim32.ddns.net:2000

rates-alfred.gl.at.ply.gg:39912

Mutex

07fe81bb92603a7ba50e57049dc09693

Attributes

reg_key
07fe81bb92603a7ba50e57049dc09693
splitter
|'|'|

Extracted

Family

blackguard

C2

https://api.telegram.org/bot5865379362:AAEUbyvhTdYJ7SmCp7YyfRe8OBV_Jrj9iqg/sendMessage?chat_id=5481385928

Targets

- Target
  
  Valkyria.exe
- Size
  
  8.2MB
- MD5
  
  1626922cadeeedea404cadfe628d7e16
- SHA1
  
  9323dbefdd49c84ae79e188b79bac5cee2ab6a6e
- SHA256
  
  202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49
- SHA512
  
  80d0d6b93a8b85e2ed0fb6dee775b6f40f6d39381640c8e8ab3309f58e84d8b17e86b321849a2ffdfa4b7dd39736730b5a1d822f95a20153c1d41d52b604a9e0
- SSDEEP
  
  196608:68oppJhh2fJB0ZOFkGEWZd7HFApko0eYOiKddHB2icEPld6aGXAr5xN:6jppJEJB0ZOFNVZRlekSFPvHlQAxN
Score

10^/10

blackguard njrat svhost evasion spyware stealer trojan
- BlackGuard
  Infostealer first seen in Late 2021.
  stealer blackguard
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackguardnjratsvhostevasionspywarestealertrojan

behavioral2

blackguardnjratevasionspywarestealertrojan

behavioral3

blackguardnjratevasionspywarestealertrojan