blackguard | 45b98eb93ac47dc935eef58720a7b84e952eda334b4f24315282d938bbaf49c1

Sharing

Copy URL

Twitter E-mail

General

Target

Netflix-Ultimate-_ing-Pack.zip
Size

344.9MB
Sample

240801-jvsrssvbmc
MD5

078f48af4b58a7b93ad9a802c81197f7
SHA1

7f74bbaf85f70b47b43a2401963305732bf6c539
SHA256

45b98eb93ac47dc935eef58720a7b84e952eda334b4f24315282d938bbaf49c1
SHA512

a0e6c6b1b878ef1c92cdeb1e494d40aac45af4665476426c69ccbb4bf4a4e0021fe8177b312502bc5104212ee3913d06d39b9ed4a075ba4e4fa9eebc2115b78e
SSDEEP

3145728:tZS1mpy7ONvZ5S0ftco+t5kc/mrx4fUdr:e1mpn7gmc/MxTr

Score

10^/10

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Netflix checker By Omega

127.0.0.1:6522

Mutex

89d6d2d9aa70d461bc8210d5c8a38bd0

Attributes

reg_key
89d6d2d9aa70d461bc8210d5c8a38bd0
splitter
Y262SUCZ4UJJ

Targets

- Target
  
  BearFlix\BearFlix.exe
- Size
  
  393KB
- MD5
  
  219cc860813f9cdfad1e7e45a19da1a4
- SHA1
  
  e7d27e4b0441283acc06b8270de41918dbd9ec7a
- SHA256
  
  1422481834c140a96979b1618db835231b4e67475854c9a200fa08f0cdb02371
- SHA512
  
  c9d7419db07c3d6820ab5dddbcfdca1ba787e6d4777248354d4f596987f9eb9bdd301ab6a102a95469c8031bf259cd9e0f58fca64df30d01861150a952574fc4
- SSDEEP
  
  6144:GfUXZAwseFnp0Ak27gU6bF8ViOAOupdDCXPaKFh:GsJrrFnphE78IOQWXPaEh
Score

9^/10

agilenet discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2
- Target
  
  BearFlix\data.bin
- Size
  
  1.6MB
- MD5
  
  939712a4d4341fb67c0214621a78fca7
- SHA1
  
  53225cb2d07e8131c9fdb086a70a81cd41f588ea
- SHA256
  
  f594ff49ea0a51dc4a76609291b7c3e44fcc92789378f899349609407ac55b61
- SHA512
  
  f9cd9997394dae980b99018902e347a48b4eab44041e88bad6fc3d10c173b31cea44b0202e7233b1dc934c102c27f1ce5662a01e53b1b0f80197c9c73bb24144
- SSDEEP
  
  24576:1UUovXhGzCgXSbnI8pPdzUd+z3ljPO2WDmHj53NOxOHf1:1UU9TSbnJiK1jPO2WDmHj53NOxO
Score

3^/10

discovery
behavioral3 behavioral4
- Target
  
  BearFlix\libcef.lib
- Size
  
  3.0MB
- MD5
  
  a553208ea4a57f1334669fe1e80113b7
- SHA1
  
  509aebd8384adb5f0d5f37dd3dd2b799ca7ddae6
- SHA256
  
  c868a800bef638fd579202534fa763a584cf78a01447afc89908ed1bae308ace
- SHA512
  
  08765ce1ed9d095527b469495b2138e6446c9034916f4030e7c02c43ea7b39708c1d3cd4f35c9df156633e77cdcb702258f7d627c028c902ac3f450dd0643eef
- SSDEEP
  
  49152:k81zxrw6PRLfCprOOR0yXNnMFraaDbXkQe/9p:k81zxrwkCNlxNgrfn0n
Score

9^/10

discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral5 behavioral6
- Target
  
  BearFlix\strip.cfg
- Size
  
  7.1MB
- MD5
  
  43971e360fe1b457f22b16f5e25d51a2
- SHA1
  
  ed96672880b32da758d841cb9882037057105290
- SHA256
  
  c606a1a71374ee7b0fb844c47c448bab0234d9162951f488f07edd5664a88c16
- SHA512
  
  85b9e91f25f5ded543f05ad2d9265564f3585f0ce86c02f65b3e766c0a17da1b2c427d54500ed6bf23fcb5a75e10ea1f4d1a82db87fb91f7768d0d35a4a9518f
- SSDEEP
  
  196608:WZDBLzV8ld98BlON2jnbNswvBXvowJgzl7GSZn7ftm:WZD+90jVvBXvoww77rc
Score

9^/10

agilenet discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral7 behavioral8
- Target
  
  BruteFlix - Multi Module Netflix Valid Mail & Mail Access Checker\BruteFlix_protected.exe
- Size
  
  499KB
- MD5
  
  95fb8d6e4711d68a03da70c28590f3cf
- SHA1
  
  e63d4905e61575f8b1227ca13ef8d727e62f3e6e
- SHA256
  
  170a2009c0f8c0558e5c39061f499083ea9f4a5bf7c4af66c5d6074293893970
- SHA512
  
  07a8a1bcdc903c5eed4e3f42cb9197a5b49068136d54e6acc09c035088175a6309057bd7dcaeb120ec00bccb2b7e7924fa1fec30915457272f42ba869dc40c94
- SSDEEP
  
  6144:xrUHZYwUeFnp0Ak27gU6bF8VqOAOlpfQ6H21SyA8n7Tcnts/3dbCCgw+eh52caKv:xY5DjFnphE78AOjF9RyAA2omknPaEh
Score

9^/10

discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral10 behavioral9
- Target
  
  BruteFlix - Multi Module Netflix Valid Mail & Mail Access Checker\Colorful.Console.dll
- Size
  
  88KB
- MD5
  
  9f6ce7ff934fb2e786ced3516705efad
- SHA1
  
  6e7bcc7b8a5d0e2e46c15a8e0f0c76129d170b61
- SHA256
  
  59a3696950ac3525e31cdd26727dabd9fecd2e1bdc1c47c370d4b04420592436
- SHA512
  
  d61674649fa9a091aa379fe1c227e42eb6cfd3226ad1e26ef089b747fce98b96f4eb78d736c24d6f5f60c4980bb1043ec0f1ef0d69f126870448129a47e22578
- SSDEEP
  
  1536:dJ1J4aE966w/2DtgNpWFbCagAHM9uTC/bR:dC796R/ObCagAs9uTgV
Score

1^/10
behavioral11 behavioral12
- Target
  
  BruteFlix - Multi Module Netflix Valid Mail & Mail Access Checker\Leaf.xNet.dll
- Size
  
  129KB
- MD5
  
  ea87f37e78fb9af4bf805f6e958f68f4
- SHA1
  
  89662fed195d7b9d65ab7ba8605a3cd953f2b06a
- SHA256
  
  de9aea105f31f3541cbc5c460b0160d0689a2872d80748ca1456e6e223f0a4aa
- SHA512
  
  c56bd03142258c6dcb712d1352d2548a055fbb726ee200949d847cb2d23d9c52442b1435be0df0bf355701a2c1a3c47cd05b96972501f457d2d401501d33d83a
- SSDEEP
  
  3072:gE3OJDHIfFLlL3pPiqhcLS/oZhttaMBM2cid:gHWZxJiqO
Score

1^/10
behavioral13 behavioral14
- Target
  
  BruteFlix - Multi Module Netflix Valid Mail & Mail Access Checker\Newtonsoft.Json.dll
- Size
  
  685KB
- MD5
  
  081d9558bbb7adce142da153b2d5577a
- SHA1
  
  7d0ad03fbda1c24f883116b940717e596073ae96
- SHA256
  
  b624949df8b0e3a6153fdfb730a7c6f4990b6592ee0d922e1788433d276610f3
- SHA512
  
  2fdf035661f349206f58ea1feed8805b7f9517a21f9c113e7301c69de160f184c774350a12a710046e3ff6baa37345d319b6f47fd24fbba4e042d54014bee511
- SSDEEP
  
  12288:U9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3Q5:U8m657w6ZBLmkitKqBCjC0PDgM5A5
Score

1^/10
behavioral15 behavioral16
- Target
  
  BruteFlix - Multi Module Netflix Valid Mail & Mail Access Checker\data.cfg
- Size
  
  3.3MB
- MD5
  
  18cb4bd70e87ec73e6162dcc9ff91d5f
- SHA1
  
  be430c6d7abe5207f046ae2c226c25082404fb77
- SHA256
  
  7a757c8154b6276d2252762ea7b829e10df1931366f6cd65e51b7f23c43481b7
- SHA512
  
  3d0b1f0b5d60ba27698642847b923224412595b6888df9cea2ec455e74b0b352eed03a5120cacc20a689b9c99aacabf7bde74031d4815ac6ffc47d9a0ec50315
- SSDEEP
  
  98304:6zZljAa+FybUJwNNHFt1EmU4s75HZu0HEMg:0D+aUJ6dFLEm3AHEMg
Score

9^/10

discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral17 behavioral18
- Target
  
  BruteFlix - Multi Module Netflix Valid Mail & Mail Access Checker\libcef.lib
- Size
  
  3.0MB
- MD5
  
  a553208ea4a57f1334669fe1e80113b7
- SHA1
  
  509aebd8384adb5f0d5f37dd3dd2b799ca7ddae6
- SHA256
  
  c868a800bef638fd579202534fa763a584cf78a01447afc89908ed1bae308ace
- SHA512
  
  08765ce1ed9d095527b469495b2138e6446c9034916f4030e7c02c43ea7b39708c1d3cd4f35c9df156633e77cdcb702258f7d627c028c902ac3f450dd0643eef
- SSDEEP
  
  49152:k81zxrw6PRLfCprOOR0yXNnMFraaDbXkQe/9p:k81zxrwkCNlxNgrfn0n
Score

9^/10

discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral19 behavioral20
- Target
  
  BruteFlix - Multi Module Netflix Valid Mail & Mail Access Checker\libexec.lib
- Size
  
  1.6MB
- MD5
  
  939712a4d4341fb67c0214621a78fca7
- SHA1
  
  53225cb2d07e8131c9fdb086a70a81cd41f588ea
- SHA256
  
  f594ff49ea0a51dc4a76609291b7c3e44fcc92789378f899349609407ac55b61
- SHA512
  
  f9cd9997394dae980b99018902e347a48b4eab44041e88bad6fc3d10c173b31cea44b0202e7233b1dc934c102c27f1ce5662a01e53b1b0f80197c9c73bb24144
- SSDEEP
  
  24576:1UUovXhGzCgXSbnI8pPdzUd+z3ljPO2WDmHj53NOxOHf1:1UU9TSbnJiK1jPO2WDmHj53NOxO
Score

3^/10

discovery
behavioral21 behavioral22
- Target
  
  Dark Star Netflix Checker By Scorpio\Bunifu_UI_v15232.dll
- Size
  
  663KB
- MD5
  
  7d723a8eb4d7e494ea488c13510b97b6
- SHA1
  
  07f07c10e0661fa5f272a61ce69ed95c1cb251b8
- SHA256
  
  b695ac865a5df23e45ff991bf26b71e4f879c89a1a6fde0ba92f31904beaca5c
- SHA512
  
  5ff49cc06df33b65c2bfbf37d89fa6ae2b71e26046bd7cf96a374ceb840ec7d3e11761f94b0f67b9ae38e4fcb1fe836c09a0b227e4a478f775a7511eda9d133c
- SSDEEP
  
  12288:q0MpAgk/SL8w92kboM7E2PheNUd6/8O+OeO+OeNhBBhhBB1xzyqtqKm9RZwWMN46:q0MpAgkdw/eC6/IxTtqB9RZw34HWOU
Score

3^/10

discovery
behavioral23 behavioral24
- Target
  
  Dark Star Netflix Checker By Scorpio\Bunifu_UI_v15264.dll
- Size
  
  728KB
- MD5
  
  08dfad3a22e42e17a3bf8f4ee43a67f5
- SHA1
  
  add9635ce5de6886b0010c83295df59d3c40a2b1
- SHA256
  
  b3710de17d2c2f84def83c8f3093df0dbe1664f34ab4a3adb72f1085e71c773c
- SHA512
  
  820163bcac0c44dddf55d423c06895d419b71beb8a2099501c3e334689dac9d034f543c72733b3bc56505d662bf821df807ef84c7d16a46a0217aebc7192ab60
- SSDEEP
  
  12288:UF4dPwdZ2MWYgeWYg955/155/26Bm5h56GbU+rwo4o:Rwb6BK56GbVrwf
Score

1^/10
behavioral25 behavioral26
- Target
  
  Dark Star Netflix Checker By Scorpio\Netflix Checker By Scorpio.exe
- Size
  
  408KB
- MD5
  
  0db447aeb70b31d758bbf420a70cfc09
- SHA1
  
  599997e1ddc208cf8b566601d13d2dc03a641661
- SHA256
  
  44612ea7656b2170978ab78ccf2cd3440bdd3164e4ccbc6be34eaf9b7b6036ba
- SHA512
  
  aa09275fbe90a15e31ba75f6e8729dda411a0efa0dafc927a12c088f4d085e4196ecf73dade2b349efa8f34b3fd1afb7aebb4c874216fc50c81ba9577c66a21d
- SSDEEP
  
  6144:CNUjZUwpfFnp0Ak27gU6bF8VWOAOapvlq/aKFh:C2FHRFnphE78EOMRiaEh
Score

9^/10

discovery evasion themida trojan
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral27 behavioral28
- Target
  
  Dark Star Netflix Checker By Scorpio\alocal.cfg
- Size
  
  906KB
- MD5
  
  25783918816d674edbaa87fd9a9990b4
- SHA1
  
  e62c64d036edff03764ece224df18b5da73bd12a
- SHA256
  
  9b996eb290c94f1c3a7b00bd8e9b2ef33f1cfc3e16b00d427d9267e8d24ec567
- SHA512
  
  dfb978cdb68cd253f4fb38d026a7339faed6403afcd986a27954acfcbfa7aa9201770ba13784e3e06d4ef4c10f82ccee0ce4f6ba4257edc653e993e716f5753c
- SSDEEP
  
  6144:QRS38PbDbl+/HKJbH+C0PjfDtZjfDtrtnLxCZhN2jq8NWclJPpv80dUwtn1Qsi9B:QQMPbP3gxCd2vNWcLUinusi9opw/
Score

3^/10

discovery
behavioral29 behavioral30
- Target
  
  Dark Star Netflix Checker By Scorpio\database32.dll
- Size
  
  1.6MB
- MD5
  
  939712a4d4341fb67c0214621a78fca7
- SHA1
  
  53225cb2d07e8131c9fdb086a70a81cd41f588ea
- SHA256
  
  f594ff49ea0a51dc4a76609291b7c3e44fcc92789378f899349609407ac55b61
- SHA512
  
  f9cd9997394dae980b99018902e347a48b4eab44041e88bad6fc3d10c173b31cea44b0202e7233b1dc934c102c27f1ce5662a01e53b1b0f80197c9c73bb24144
- SSDEEP
  
  24576:1UUovXhGzCgXSbnI8pPdzUd+z3ljPO2WDmHj53NOxOHf1:1UU9TSbnJiK1jPO2WDmHj53NOxO
Score

3^/10

discovery
behavioral31 behavioral32

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Themida packer

Checks whether UAC is enabled

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16

behavioral17

behavioral18

behavioral19

behavioral20

behavioral21

behavioral22

behavioral23

behavioral24

behavioral25

behavioral26

behavioral27

behavioral28

behavioral29

behavioral30

behavioral31