Analysis
-
max time kernel
105s -
max time network
98s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
25-07-2024 13:39
General
-
Target
https://www.mediafire.com/file/u6hk35tcu441lxk/Bltools+2.9.1[PRO].zip/file
Malware Config
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 10 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 5 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 64 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 23 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "https://www.mediafire.com/file/u6hk35tcu441lxk/Bltools+2.9.1[PRO].zip/file"1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
- NTFS ADS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\PickerHost.exeC:\Windows\System32\PickerHost.exe -Embedding1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Bltools 2.9.1[PRO]\" -spe -an -ai#7zMap28288:94:7zEvent278931⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Bltools 2.9.1[PRO]\Bltools 2.9.1[PRO].exe"C:\Users\Admin\Desktop\Bltools 2.9.1[PRO]\Bltools 2.9.1[PRO].exe"1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Desktop\Bltools 2.9.1[PRO]\Settings.exe"C:\Users\Admin\Desktop\Bltools 2.9.1[PRO]\Settings.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Desktop\Bltools 2.9.1[PRO]\XConfig.setup.exe"C:\Users\Admin\Desktop\Bltools 2.9.1[PRO]\XConfig.setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Bltools 2.9.1[PRO]\[Results] Password Searcher\[12.07.2024] [07.22.07] ⚡️Luffich&Cloud FREE LOGS [1138]⚡️\outlook.com\EmailPass.txt1⤵
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD51bfe591a4fe3d91b03cdf26eaacd8f89
SHA1719c37c320f518ac168c86723724891950911cea
SHA2569cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA51202f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
Filesize
13B
MD5c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA135e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA5126be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
Filesize
1KB
MD5bd915429730f45fdb2d171ae4db169b5
SHA112c6f93a3f8708cfda06c025b0c5e3c9041c3b81
SHA25677e8f8ea8f18c1de59ca32be0053d3831d3549c6d2010d879c6069bf199e245b
SHA5126c36c79aa634eda08ad3082510a641bb25656f153a2881eb2d896aec2b8c20c6a746f4a01c810d3b659cae228689e9b8944ff9bb51b532a6e53b015017ad055a
-
Filesize
10KB
MD5a301c91c118c9e041739ad0c85dfe8c5
SHA1039962373b35960ef2bb5fbbe3856c0859306bf7
SHA256cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f
SHA5123a5a2801e0556c96574d8ab5782fc5eab0be2af7003162da819ac99e0737c8876c0db7b42bb7c149c4f4d9cfe61d2878ff1945017708f5f7254071f342a6880a
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
192KB
MD5835218fe5b9a42c8ec98442dc44f8551
SHA1b8f5f190d1bcd9fb7b804a78419703298d9af1d8
SHA25619c8fb2838081c42f602f655b288c3339fad55acd2f5cbcc07e08ab3496d92e8
SHA512d37f24aa9c53044f52a43bc8c50cedd2c1d446280aa4401d00dcd3429bec4647d4f7f2183c625ebbc6fc083b10c5f0d4d32549c25f790d9cca3e064918115749
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
1KB
MD54177e61164e6e93cfaed9d7b339b4359
SHA1156e40f5f3755cfbdc8bed816e8a3da0ae729e82
SHA2565f16cad5faf0af5b14bfa5f1f19b28b18b13f8fd57f63d055cb87c2dca992776
SHA512da56ba1eaf1cf8407c184193404d7588bc3354762ebf2665e32a642af3329a8aa2779bebe40e87af44024669b2e7d0cfc7ce2eba7f020f3e9f034153550937e9
-
Filesize
13.5MB
MD5118b54c5fea1876411dbab7d8aee546f
SHA11a421aefdb70267bb244d6b8f466b032937062cc
SHA256ad618514efb30fe0bf4eed2949b5d9458105ae11c60de5e802505af7256e5ca4
SHA512fc1977df3817a0c708d3667d80e425f42a03da769822dcd95cca0e32984728640a25056a110d63048b17f776c639c7649db5b194a2b71efe120b168f881071ea
-
Filesize
3.5MB
MD578476189d432ff40798e50580486263f
SHA1fa3f47fb8306f63315e7af91e8b9ff1ac194a2f2
SHA25671e58a3b9932ab8ec42749ffa00ab1b81c0b9f1854112373a889dc71ec50f9bc
SHA5124226c818aa8edadf8e3500b86701d1caec30966ad61e750d433d8f53a5ec440eff73a3c31547448b6b36ec8a1f700a260efc2631263553451f8921bcca48105f
-
Filesize
9.1MB
MD5824cbf63999f954aa1747f79586a4d3c
SHA15f1cd6346a45024bbbe09e304c12b6f6bf227d5c
SHA256344e2cee979e979932f504dc76bd75e97ae1ff46caa3fe2795adfe0a866347f7
SHA512d36149f7cb5ffc62dac6bb4521105d09fac988de567e181fdca4f23e5079aca5f4292e1d314f797f1a597263ddac0210060cb71c111565717e3a288a47770c51
-
Filesize
3KB
MD5d9698097b7dc813f66fdd09347146178
SHA18e3f9836ac2bf661a77e4a984dfcdfcd2202e610
SHA256ed947ae727143a9629315eea856776bac664333d242bd5752c75a46cb5540bef
SHA512a022994eb86aff8209563da4d6fc615787ff5fff03bac3084b4343726bea740376d1224cf0707d5b0673990ef14a908895199ab48fda87bf5b543f1f62587527
-
Filesize
293KB
MD5ddb3bc4925f6f2067b1794390bd8f1f7
SHA10d807445e9f16a8d3736f7bc85cd073f811fd3b7
SHA256a28aa05fa3569bdbea78d80d5cf86243adb518f40f395dbd3a7609ac2b14aca9
SHA512dedd801f98fad6b3a1798676b04e95f7bb39b584373c4e6542923707c3532ffac627da6d71ac3066c88097faa18cde5399f62de419855aea85e600d83e1f158b
-
Filesize
3.2MB
MD5025d637741b1b326ded2e99e6b54ed77
SHA15fb6a288559f54aeb42203cf5e44a072c74f942f
SHA256d68b3cdca20f0b871a653a3203e4292846e766b45fb989856a2de0fb9e0c4860
SHA512720f4f03febbe7fdd661c14349680f6511a69487b0bdf5cd47ab4594b1fad49edeb0bde8e287272d84e21efc916ba91ca71bfa2632eba76e379e07815163d26b
-
Filesize
1.2MB
MD55cfc26570fe8fc7ea5db16484a39d0f5
SHA119ef3f0d4d907cfcf1e5af9a2640f5519a426734
SHA256c042a41ae731f0d31ddff855e212a258ddd54c8102a3103313d298e5fb5176ab
SHA512b34d4533c89409739850d415d4aa6a6067f8bf785c8e6bc1b23a432e88e90da38bdc9716198c21609a87c2788777baabf16307c17f0d71c01362bbc37dd12160
-
Filesize
738KB
MD5571be74355d0be4a9e3049e71e061831
SHA12852d60a573c8c2b113b4a05f79ba1dba2c1c576
SHA25655d19a2e37a277012be055baba74b187912cedb0886892b9582c59cecbbe7ea0
SHA512952a1efdb3e7f5321c35e80d9f3c06acf49f529860a035fee5bb6b5644d2ad3330ea00a9d6b550444691462c04b3636c4aa12ce802c3b75723942a4434b53833
-
Filesize
1.2MB
MD594de6c34c4a6ed0841b135b45b1065c4
SHA1ad01f05d00981e2231c73d673a26085e62517459
SHA25679611002cfdd4256606e79ad570452fa1b478deb54b0eca28c709ac2d70fbcac
SHA5124a2dc73235c4b9acfa6513fe94b2ff4bf2cde6c0f8e73af8845ace414cc35c018e89137c41d8528af875c5e23fb10c8c11ffec98dbfa03a2e9d609e7a9d87413
-
Filesize
738KB
MD51f3d30fb20a3c881b5662acb16994696
SHA1a4d37f2eba7d907682844abb2311968a782a6390
SHA2563d9a1426c934b9c48a7abd6be73a9981fdd764e4193cc73d7482d320b638b1e4
SHA5124f69833835d394d7bc3277242ee89203e98d09c2f95e7913271a004dce4295c0ad4de48e50fe6c7efa9a4af210b7994152511b7c79348fe630723032653b4fad
-
Filesize
68B
MD5a76cc7a95ced7b01b023960cd0d62bc7
SHA197d445d2743b93810a7133c51c563be6ca3602b4
SHA2566f206cdda0fdd59094ccfb1b1ac4781cea64f900f36bd98198f3e6d444024682
SHA5125db78cffcf87016f7de090314aca66f7bcb86b58c03661cb613f056cf70c99ae5278a4acaf1b9987cdc230df30403b1dce7744735dd73cc575ecd16ff63a906e
-
Filesize
89B
MD58e6a0e63223071e66caaf987831e6d25
SHA11ef6a1da48e55d4298098cef20c67c893ec5e96e
SHA256131e69f6cc64d3cad7027e4d071a726a8c76460033692236016cffb5cca806a2
SHA5125c80177a7f395b40c16c9fc5e2383532ee9f6286af39ab05fe119d259d9aa8475d63449b0d6b902884c7cdc85cbeb482bce21068b7b7311cee864d1dfc9968c6
-
Filesize
359KB
MD5f2f6f6798d306d6d7df4267434b5c5f9
SHA123be62c4f33fc89563defa20e43453b7cdfc9d28
SHA256837f2ceab6bbd9bc4bf076f1cb90b3158191888c3055dd2b78a1e23f1c3aafdd
SHA5121f0c52e1d6e27382599c91ebd5e58df387c6f759d755533e36688b402417101c0eb1d6812e523d23048e0d03548fd0985a3fd7f96c66625c6299b1537c872211
-
Filesize
121KB
MD5f79f0e3a0361cac000e2d3553753cd68
SHA14314bcef76fddc9379a8f3a266b37d685d0adb79
SHA2568a6518ab7419fbec3ac9875baa3afb410ad1398c7aa622a09cd9084ec6cadfcd
SHA512c77516e7f5540ecd13fa5d8cecfce34629acecd9b5a445f5f48902c9e823328fa9a6694ecaa39f5b6053de61c2b850c2d87df25357548afaad6ec37eb3e5e355
-
Filesize
295KB
MD55c108c4da6d03f0fa2c3b4dc7890cb52
SHA148af67b6166068b6f138306bbd1157c7583c6e73
SHA256b5ec30c93b1d2b4631ee2b178750ec92e302e2e331090ec9783981b9572354f8
SHA51248d055610eead361809bd839c66ccdca1d5e0d9dffe15af9d15afa106ee7791c8b17acb91f2aba5cf3dda2997b049bcf70b43c3b56b8b01f1fc7bb845ce6c91b
-
Filesize
103KB
MD5932ebb3f9e7113071c6a17818342b7cc
SHA19ce2d08bc3840632092325abcc8d842eeb8189d4
SHA256285aa8225732ddbcf211b1158bd6cff8bf3acbeeab69617f4be85862b7105ab5
SHA5126b6086cff7b916c0c4536e3c7cba4ba17d6c4be2e4a88a5877be852e197f1f9c9c120d1295acf2b4277a9badd8cfd229ef3c1ab2049d0aeec22d3033be156141
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
72KB
-
Filesize
408KB
-
Filesize
584KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
320KB
-
Filesize
1024KB
-
Filesize
9.2MB
-
Filesize
384KB
-
Filesize
40KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
7.3MB
-
Filesize
224KB
-
Filesize
736KB
-
Filesize
1.3MB
-
Filesize
144KB
-
Filesize
5.0MB
-
Filesize
128KB
-
Filesize
320KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
1024KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
1024KB
-
Filesize
8KB
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
64KB