blackguard | 202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49

Resubmissions

22-05-2024 07:50

240522-jpeb8agg24 10

22-05-2024 07:46

240522-jlztragf56 10

Analysis

max time kernel
148s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
22-05-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Valkyria.exe
Size

8.2MB
MD5

1626922cadeeedea404cadfe628d7e16
SHA1

9323dbefdd49c84ae79e188b79bac5cee2ab6a6e
SHA256

202faa66219e927a3b57d90ee9b2b4fbd309ed72ff89a7e28d7668ca08d0fd49
SHA512

80d0d6b93a8b85e2ed0fb6dee775b6f40f6d39381640c8e8ab3309f58e84d8b17e86b321849a2ffdfa4b7dd39736730b5a1d822f95a20153c1d41d52b604a9e0
SSDEEP

196608:68oppJhh2fJB0ZOFkGEWZd7HFApko0eYOiKddHB2icEPld6aGXAr5xN:6jppJEJB0ZOFNVZRlekSFPvHlQAxN

Score

10^/10

blackguard njrat evasion spyware stealer trojan

Malware Config

Extracted

Family

blackguard

https://api.telegram.org/bot5865379362:AAEUbyvhTdYJ7SmCp7YyfRe8OBV_Jrj9iqg/sendMessage?chat_id=5481385928

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

2060 netsh.exe

pid	process
2060	netsh.exe

Drops startup file 4 IoCs

Processes:

server.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Realtek HD Audio Universal Service.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07fe81bb92603a7ba50e57049dc09693Realtek Semiconductor.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\07fe81bb92603a7ba50e57049dc09693Realtek Semiconductor.exe	server.exe

Executes dropped EXE 4 IoCs

Processes:

zkzkzkz.exeEverything.exeNatasha.exeserver.exe

pid process

3976 zkzkzkz.exe
592 Everything.exe
2924 Natasha.exe
4424 server.exe
Loads dropped DLL 5 IoCs

Processes:

Natasha.exe

pid process

2924 Natasha.exe
2924 Natasha.exe
2924 Natasha.exe
2924 Natasha.exe
2924 Natasha.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
2 freegeoip.app
1 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3976	zkzkzkz.exe
592	Everything.exe
2924	Natasha.exe
4424	server.exe

pid	process
2924	Natasha.exe
2924	Natasha.exe
2924	Natasha.exe
2924	Natasha.exe
2924	Natasha.exe

flow	ioc
1	ip-api.com
2	freegeoip.app
1	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Natasha.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Natasha.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Natasha.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Natasha.exe

pid process

2924 Natasha.exe
2924 Natasha.exe
2924 Natasha.exe
2924 Natasha.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

4424 server.exe

pid	process
2924	Natasha.exe
2924	Natasha.exe
2924	Natasha.exe
2924	Natasha.exe

pid	process
4424	server.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

Natasha.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	2924	Natasha.exe
Token: SeDebugPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe
Token: 33	4424	server.exe
Token: SeIncBasePriorityPrivilege	4424	server.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Valkyria.exeEverything.exezkzkzkz.exeserver.exe

description	pid	process	target process
PID 4004 wrote to memory of 3976	4004	Valkyria.exe	zkzkzkz.exe
PID 4004 wrote to memory of 3976	4004	Valkyria.exe	zkzkzkz.exe
PID 4004 wrote to memory of 3976	4004	Valkyria.exe	zkzkzkz.exe
PID 4004 wrote to memory of 592	4004	Valkyria.exe	Everything.exe
PID 4004 wrote to memory of 592	4004	Valkyria.exe	Everything.exe
PID 4004 wrote to memory of 592	4004	Valkyria.exe	Everything.exe
PID 592 wrote to memory of 2924	592	Everything.exe	Natasha.exe
PID 592 wrote to memory of 2924	592	Everything.exe	Natasha.exe
PID 592 wrote to memory of 2924	592	Everything.exe	Natasha.exe
PID 3976 wrote to memory of 4424	3976	zkzkzkz.exe	server.exe
PID 3976 wrote to memory of 4424	3976	zkzkzkz.exe	server.exe
PID 3976 wrote to memory of 4424	3976	zkzkzkz.exe	server.exe
PID 4424 wrote to memory of 2060	4424	server.exe	netsh.exe
PID 4424 wrote to memory of 2060	4424	server.exe	netsh.exe
PID 4424 wrote to memory of 2060	4424	server.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\Valkyria.exe
"C:\Users\Admin\AppData\Local\Temp\Valkyria.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe
  "C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:2060
- C:\Users\Admin\AppData\Local\Temp\Everything.exe
  "C:\Users\Admin\AppData\Local\Temp\Everything.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:592
- - C:\Users\Admin\AppData\Local\Temp\Natasha.exe
    "C:\Users\Admin\AppData\Local\Temp\Natasha.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Everything.exe

Filesize
7.7MB

MD5
37f6f35584fac7f216e69e813d4b7c10

SHA1
ddb093f14e5f2beb0512ac828448ff06d0237312

SHA256
cc17414b5bd2db809411f93256535e78d0c97f42fe86b6cc3119aa7c33c6e3c3

SHA512
917368e662428827f8477cc5915e41f6a06324f0e49721f807a6003740749261a219a25cd3d9a43d1a5714c73930e4b2da1240d2a9f108a62b11f990dc42a09e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Natasha.exe

Filesize
270KB

MD5
0ad61d702d2aca6801a833ec1d4bf5f7

SHA1
d4117c6c5c0ae71ee0ccd2554ab40fe69796c519

SHA256
e4668273e4cafe5a9a083eaa0d4d52ca1ba707e37ecb715c1b97de1dbb67faf4

SHA512
a0743430cabc74edb8600c71a4513ab83d21542a8088d230cd15e070d6b2b2d70dab057dd1bbd1968836bc0f3b3aceb90b98024b889503c6a28926475185e6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

Filesize
571KB

MD5
169b6d383b7c650ab3ae2129397a6cf3

SHA1
fcaef7defb04301fd55fb1421bb15ef96d7040d6

SHA256
b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

SHA512
7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

Filesize
1.3MB

MD5
0a1e95b0b1535203a1b8479dff2c03ff

SHA1
20c4b4406e8a3b1b35ca739ed59aa07ba867043d

SHA256
788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

SHA512
854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

Filesize
410KB

MD5
056d3fcaf3b1d32ff25f513621e2a372

SHA1
851740bca46bab71d0b1d47e47f3eb8358cbee03

SHA256
66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

SHA512
ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkzkzkz.exe

Filesize
93KB

MD5
ac79af1c488ed1bc1b289e0eb8d89714

SHA1
913ceaaaf7664bb83a496ebe746b6d12bb1e5e9a

SHA256
dc8e217ced1f36323ce6c237fdaa330e342063a819c13defe3b248ee84c1d492

SHA512
cd09c7c5e60ba946f7c83001876f3d5c48eab06c259324a7941161978531a175d00142cd486ff7cf0d2d461a651745808361e894346259ac079cc90eb42022cc

Download Submit
C:\Users\Admin\AppData\Roaming\HRXJRyZyLDyTNTNVFEIHHORR.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\HRXJRyZyLDyTNTNVFEIHHORR.Admin\Process.txt

Filesize
752B

MD5
ced7fe9f00d3e465e8d3a2d8e7c59f24

SHA1
0ec11e6ff38725ab7620fa0b4665dfd696ef1a46

SHA256
23370126af8427ab231f2ed5a85f56ce709ff05c75e8807b840f21c3877689da

SHA512
7e78607e90d03748ca89cc1b89b1a50f8e755bb6cb5189697ca119be90b3c924aca42f4937d8a2429133806b350a51cc36921bf45ea019e72135e2d7ecf253b2

Download Submit
C:\Users\Admin\AppData\Roaming\HRXJRyZyLDyTNTNVFEIHHORR.Admin\Process.txt

Filesize
1KB

MD5
98978e88a1cd1e64f67419f7c0ff51bf

SHA1
795968f7f89ee87374f473cee64fda6fa4798de6

SHA256
aebcae525313ae0791823da3f3f109de97feb4671e979e17be16fd397c963398

SHA512
4b00ce5ac5db772af395bbfda316338e918d33a09117607d0a3e4be195340dd5e7f9502463e9bfe3ea671b22b6f727323f5251b3c3d6bdd1fc6790ad5623760e

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
d43c5b07c128b116b7bc8faf7b8efa9d

SHA1
dd3540ad4ae14b21b665d108cf4570c2dfa6a6fa

SHA256
80ad1cc7b3a784dad618a445af0c8cf3efa903f82a814756f2aaa7b57f45791f

SHA512
618b01e2b808e1954d011635dfdf63bc75855145208fc5cae33ce09c7e5b43cf978f6511beb311765e6920e728a290c9f9ced7563e40e8ff8d093d50fdc18334

Download Submit
memory/2924-51-0x0000000000BB0000-0x0000000000BFA000-memory.dmp

Filesize
296KB

Download
memory/2924-115-0x0000000006EA0000-0x0000000006EDC000-memory.dmp

Filesize
240KB

Download
memory/2924-103-0x00000000057B0000-0x0000000005800000-memory.dmp

Filesize
320KB

Download
memory/2924-104-0x0000000005D70000-0x0000000005D92000-memory.dmp

Filesize
136KB

Download
memory/2924-93-0x0000000006400000-0x0000000006492000-memory.dmp

Filesize
584KB

Download
memory/2924-108-0x00000000068F0000-0x0000000006958000-memory.dmp

Filesize
416KB

Download
memory/2924-110-0x00000000063A0000-0x00000000063EC000-memory.dmp

Filesize
304KB

Download
memory/2924-223-0x0000000007D20000-0x0000000007D3E000-memory.dmp

Filesize
120KB

Download
memory/2924-109-0x0000000006A60000-0x0000000006DB7000-memory.dmp

Filesize
3.3MB

Download
memory/2924-102-0x0000000005B40000-0x0000000005BD2000-memory.dmp

Filesize
584KB

Download
memory/2924-116-0x0000000006E00000-0x0000000006E21000-memory.dmp

Filesize
132KB

Download
memory/2924-119-0x0000000007DC0000-0x0000000007F82000-memory.dmp

Filesize
1.8MB

Download
memory/2924-222-0x0000000008490000-0x0000000008506000-memory.dmp

Filesize
472KB

Download
memory/2924-219-0x0000000008420000-0x0000000008486000-memory.dmp

Filesize
408KB

Download
memory/2924-137-0x0000000008540000-0x0000000008AE6000-memory.dmp

Filesize
5.6MB

Download
memory/3976-21-0x00000000733B0000-0x0000000073961000-memory.dmp

Filesize
5.7MB

Download
memory/3976-20-0x00000000733B0000-0x0000000073961000-memory.dmp

Filesize
5.7MB

Download
memory/3976-13-0x00000000733B1000-0x00000000733B2000-memory.dmp

Filesize
4KB

Download
memory/3976-134-0x00000000733B0000-0x0000000073961000-memory.dmp

Filesize
5.7MB

Download
memory/4004-17-0x0000000000400000-0x0000000000C30000-memory.dmp

Filesize
8.2MB

Download