blackguard | 9f0e679e94ceaec68e0ea18348b4c80cb86a963f8371eec43c48dec3b2113597

General

Target

6f6f3c5cf6e779cb7c503b94716e73e0N.exe
Size

1.1MB
MD5

6f6f3c5cf6e779cb7c503b94716e73e0
SHA1

4593d3351517012bf4ffb71711b73e2db9482885
SHA256

9f0e679e94ceaec68e0ea18348b4c80cb86a963f8371eec43c48dec3b2113597
SHA512

eac8e16fc046f757ef30f198117507b5289750361408723a317d0e8e252334dae54b056238f1ff10abb7b017f8d19f57bd96a0ae344e4fd685a744b168bc03b4
SSDEEP

24576:AuDXTIGaPhEYzUzA0IudFaqAmMtMM2dWks5NT:vDjlabwz9ddSD2ds

Score

10^/10

blackguard credential_access discovery spyware stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3774859476-2260090144-3466365324-1000\Control Panel\International\Geo\Nation	6f6f3c5cf6e779cb7c503b94716e73e0N.exe

Executes dropped EXE 2 IoCs

pid	Process
2680	SilverBulletSetup.exe
1692	configsetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	api.ipify.org
17	ip-api.com
2	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	configsetup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	configsetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	configsetup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1692	configsetup.exe
1692	configsetup.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1692	configsetup.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2680	3016	6f6f3c5cf6e779cb7c503b94716e73e0N.exe	84
PID 3016 wrote to memory of 2680	3016	6f6f3c5cf6e779cb7c503b94716e73e0N.exe	84
PID 3016 wrote to memory of 1692	3016	6f6f3c5cf6e779cb7c503b94716e73e0N.exe	87
PID 3016 wrote to memory of 1692	3016	6f6f3c5cf6e779cb7c503b94716e73e0N.exe	87
PID 3016 wrote to memory of 1692	3016	6f6f3c5cf6e779cb7c503b94716e73e0N.exe	87

C:\Users\Admin\AppData\Local\Temp\6f6f3c5cf6e779cb7c503b94716e73e0N.exe
"C:\Users\Admin\AppData\Local\Temp\6f6f3c5cf6e779cb7c503b94716e73e0N.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\SilverBulletSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\SilverBulletSetup.exe"
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Users\Admin\AppData\Local\Temp\configsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\configsetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SilverBulletSetup.exe

Filesize
852KB

MD5
980400aaf2fddc15b1e79f68465d1ad8

SHA1
bc789cfa145a6a4f3f662ddfdee9f2bcca33a88d

SHA256
60efa33b9c0624e3bb5218dbff11ae9cf6d1c6df54ec87d22727697629187176

SHA512
ed0bea8d9cca0e42a458f82fbc2d37daa2814b1f549948e600be41403a8d259d1ed1d6c59641ad61cd90a14a4368a366b02bd2b8b574bbaea2d5a6d2e0c0a0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\configsetup.exe

Filesize
293KB

MD5
e2fa1d3f2f79ae2b19434524dd2b1f4a

SHA1
a941ceeac6d5ee17ddf15e443d8e2637754f0651

SHA256
bf2b2288fdf61dab79f35413c77a6f16a144a5592fc62a488cb95824a7e3f11c

SHA512
a3d971ec26617beabd98fb90a5edc23fef91fd527f31e0ad5930b640b0dd930e47ec1948f31ff38c4e9ae68cfbe4d02eb230e1c37fc1800c8b0b305f580ef98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96EC.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96FD.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\WindowsBrandOr\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\WindowsBrandOr\Process.txt

Filesize
1KB

MD5
2cab2c3b123e5cb4283fe47650aacfea

SHA1
d1b26079c7a0526812a420ace3e1b6fac6a06adf

SHA256
9504fd17b52fbad63afb9e081721ffcbb39578f81d9d3272504df3f24413a7ad

SHA512
7b762b7b0d14b0248ca4525a251e5784455f4f48cbe0812b2de58e31e419cf2fc7ee9be83a4191e94332efc9f04917619145bde78682610490bbc82da991431d

Download Submit
C:\Users\Admin\AppData\Local\WindowsBrandOr\Process.txt

Filesize
1KB

MD5
492933780390dd88903f764b3c4f4e86

SHA1
2b66ac2cbeac6988fa12b37ebca4ee5bd38d4bb3

SHA256
5e185227e513ba3eee18261c301a172ccaeb770e98af087b4365c9873380f16a

SHA512
4f1b596045f6cd54104610c369a98aa03a9fe61606bf5a27cf99dc5d367a4ec26cd8909ee2161b986bce06840a1b19d0b1a22159bf8d07b46a0cddc1eb7d1002

Download Submit
memory/1692-26-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1692-42-0x0000000005E00000-0x0000000005E92000-memory.dmp

Filesize
584KB

Download
memory/1692-43-0x0000000006450000-0x00000000069F4000-memory.dmp

Filesize
5.6MB

Download
memory/1692-29-0x0000000005970000-0x000000000598E000-memory.dmp

Filesize
120KB

Download
memory/1692-28-0x00000000059D0000-0x0000000005A46000-memory.dmp

Filesize
472KB

Download
memory/1692-27-0x0000000005900000-0x0000000005950000-memory.dmp

Filesize
320KB

Download
memory/1692-25-0x0000000000070000-0x00000000000C0000-memory.dmp

Filesize
320KB

Download
memory/1692-24-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

Filesize
4KB

Download
memory/1692-182-0x0000000006390000-0x00000000063F6000-memory.dmp

Filesize
408KB

Download
memory/1692-184-0x00000000060B0000-0x00000000060C2000-memory.dmp

Filesize
72KB

Download
memory/1692-201-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads