blackguard | 02559f0afdb12d5a44162d8c4aadfb89cf07c922cf19294c23590bc383ae1a94

General

Target

PWS.MSIL.Stealgen.GA.exe
Size

237KB
MD5

95e3799df95c333eb5904813f864bda0
SHA1

fe55c816b4e80f0765d9363181900cffab99d187
SHA256

02559f0afdb12d5a44162d8c4aadfb89cf07c922cf19294c23590bc383ae1a94
SHA512

841bb7f0156cfc055f7ea0f141e65ede00c1e917aeab719cb86b557f5145859e1e702d4b673b44aebf1a35c8c2af06f2d7fab1ff97d45f2b87c61fe13d87a5b1
SSDEEP

3072:/J6IY+0lD4awMe9CHmmnWKe9iZd7UI2Lle4RbaE6cvFKJL+heI/Kh73WmqcSCJLD:BTY+0lNwOnyIv7UI242bL/kAlxO

Score

10^/10

blackguard credential_access discovery spyware stealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot6260248143:AAFGcO0NbgajE-Ec1Ns2AJpJeqgHc2w6xB8/sendMessage?chat_id=6495741315

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	freegeoip.app
6	freegeoip.app

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PWS.MSIL.Stealgen.GA.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	PWS.MSIL.Stealgen.GA.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	PWS.MSIL.Stealgen.GA.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4192	PWS.MSIL.Stealgen.GA.exe
4192	PWS.MSIL.Stealgen.GA.exe
4192	PWS.MSIL.Stealgen.GA.exe
4192	PWS.MSIL.Stealgen.GA.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4192	PWS.MSIL.Stealgen.GA.exe

C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Stealgen.GA.exe
"C:\Users\Admin\AppData\Local\Temp\PWS.MSIL.Stealgen.GA.exe"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\XLBJXLNBPBTwwZFwyPLDHVDPCYGS.Admin\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Roaming\XLBJXLNBPBTwwZFwyPLDHVDPCYGS.Admin\Process.txt

Filesize
1KB

MD5
d072fccb8699cc26a51f2140af842b36

SHA1
dff28e123b293a102da90f727b014c735ce0393c

SHA256
734f50366a4ae8cc57be951aa10772831b548abf64c33a162e551c208dc58d8e

SHA512
9cba7b2653093d029642c5db7e69651b7dc417e9acac859a67b6d6675eff85f614fb1da2dcadb3dff6cdc2631c4701209084e20e78d7288ae6bb3e2787e2ee33

Download Submit
C:\Users\Admin\AppData\Roaming\XLBJXLNBPBTwwZFwyPLDHVDPCYGS.Admin\Process.txt

Filesize
773B

MD5
829e0ea4de470c9b93a22fcb5abdbf45

SHA1
169cac3998f96f53f4af0e3f2aa27be527e22ec7

SHA256
300416035d4fd520710f4bc387668ad6ec033f74f51c4d0e97fa4e235158708f

SHA512
b644616ba4a5327729e411de3f55b1f743c0a076944bb65844501f5f175708a842f0225613ec79c7cf5b58e3c1da991c60248c8e34c9f01257788a04628d8ba6

Download Submit
memory/4192-0-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

Filesize
4KB

Download
memory/4192-1-0x0000000000C80000-0x0000000000CC2000-memory.dmp

Filesize
264KB

Download
memory/4192-13-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download
memory/4192-34-0x0000000006000000-0x0000000006092000-memory.dmp

Filesize
584KB

Download
memory/4192-50-0x0000000006E10000-0x00000000073B4000-memory.dmp

Filesize
5.6MB

Download
memory/4192-134-0x0000000006D00000-0x0000000006D66000-memory.dmp

Filesize
408KB

Download
memory/4192-137-0x0000000074D80000-0x0000000075530000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing