General

  • Target

    1acff996f30eca03412658e634931fd8f0d2cf1789f3938426db68d5f52f2743

  • Size

    4.1MB

  • Sample

    240613-yrtbgsygme

  • MD5

    089319196a1eb3954487ef27534fac37

  • SHA1

    9b78cc3e90ffaad1d4a772e414fee118b073c100

  • SHA256

    1acff996f30eca03412658e634931fd8f0d2cf1789f3938426db68d5f52f2743

  • SHA512

    c4bd1b6cc0a5f5d74ec15fc692e236c7d154ef5df54b48ed7c738c6c8aabc447cf98517c1375d4122ad802e7fbb7162837b4953e36e61867621c88cfe6c6141b

  • SSDEEP

    98304:uKZ1fFm44CeqdSpvTJ8kB1PHG4hKvQJXiurAGm8Nrmz9HT6qHdy6R:uY1fFm4LSpV88nKvURMGmiiBHT9Hd5

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot7347084755:AAEPo6bIaWPl296sTBL5-HwHaIzcmHBRavo/sendMessage?chat_id=1880548751

Targets


    • BlackGuard

      Infostealer first seen in late 2021.

    • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

    • Detects executables containing SQL queries to confidential data stores. Observed in infostealers

    • Detects executables containing common artifacts observed in infostealers

    • Detects executables referencing Discord token regular expressions

    • Detects executables referencing credit card regular expressions

    • Detects executables referencing many VPN software clients. Observed in infostealers

    • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

    • Detects executables referencing many email and collaboration clients. Observed in information stealers

    • Detects executables using Telegram Chat Bot

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v15

Tasks