Malware Analysis Report

2024-11-15 06:33

Sample ID 241111-bwsjesyhrr
Target b5a72562707f2f4f2f07c554f1870edd48b8dfd2c0666ec8d2a88cbea50235e1
SHA256 b5a72562707f2f4f2f07c554f1870edd48b8dfd2c0666ec8d2a88cbea50235e1
Tags
blackguard stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

b5a72562707f2f4f2f07c554f1870edd48b8dfd2c0666ec8d2a88cbea50235e1

Threat Level: Known bad

The file b5a72562707f2f4f2f07c554f1870edd48b8dfd2c0666ec8d2a88cbea50235e1 was found to be: Known bad.

Malicious Activity Summary

blackguard stealer

Blackguard family

BlackGuard

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-11 01:30

Signatures

Blackguard family

blackguard

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 01:30

Reported

2024-11-11 01:32

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5a72562707f2f4f2f07c554f1870edd48b8dfd2c0666ec8d2a88cbea50235e1.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\b5a72562707f2f4f2f07c554f1870edd48b8dfd2c0666ec8d2a88cbea50235e1.exe

"C:\Users\Admin\AppData\Local\Temp\b5a72562707f2f4f2f07c554f1870edd48b8dfd2c0666ec8d2a88cbea50235e1.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1940 -s 1088

Network

N/A

Files

memory/1940-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

memory/1940-1-0x0000000001030000-0x00000000014C0000-memory.dmp

memory/1940-7-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

memory/1940-9-0x0000000000260000-0x000000000026C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\50E5C95F83CFA2A62760985E8C452772\simplewpf.dll

MD5 6949b56eefede827d7a82acef8ea303e
SHA1 dccec3108c724a477154099cb970d1a6cbc6f0f5
SHA256 108992c9d8aae7ca7db8db951d240b86ae3be26fb06cc2813b629db59cd80d7f
SHA512 43d3413789415cad525e97441154067a858d0a28f1eb9939c2938e838f0d91a169a11875ab65d17eb642df437e480c3afc74d7e3d3f468d5bd4b0f3eb7f9926e

C:\ProgramData\ETUVA\EASET.xml

MD5 63804d4b5f68f502555e9d5e7287bf08
SHA1 58dae40f00b7f951e05cb10858e06aef86438dae
SHA256 bcdc4437531e81b272643614d726ba37fb58fb752d0385d8aab94a77e4681108
SHA512 5656a088195e3b3741c1061c1f46394379debcb66b84598459f9db32b72568c172c324d4e6671d37ad12aca98d2e426c377a9eedcf880b8717cd91a39d3a7b03

memory/1940-18-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 01:30

Reported

2024-11-11 01:32

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5a72562707f2f4f2f07c554f1870edd48b8dfd2c0666ec8d2a88cbea50235e1.exe"

Signatures

BlackGuard

stealer blackguard

Blackguard family

blackguard

Processes

C:\Users\Admin\AppData\Local\Temp\b5a72562707f2f4f2f07c554f1870edd48b8dfd2c0666ec8d2a88cbea50235e1.exe

"C:\Users\Admin\AppData\Local\Temp\b5a72562707f2f4f2f07c554f1870edd48b8dfd2c0666ec8d2a88cbea50235e1.exe"

Network

Country  Destination  Domain                           Proto
US       8.8.8.8:53   28.118.140.52.in-addr.arpa       udp
US       8.8.8.8:53   83.210.23.2.in-addr.arpa         udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa      udp
US       8.8.8.8:53   58.55.71.13.in-addr.arpa         udp
US       8.8.8.8:53   171.39.242.20.in-addr.arpa       udp
US       8.8.8.8:53   75.117.19.2.in-addr.arpa         udp
US       8.8.8.8:53   197.87.175.4.in-addr.arpa        udp
US       8.8.8.8:53   88.210.23.2.in-addr.arpa         udp
US       8.8.8.8:53   172.214.232.199.in-addr.arpa     udp
US       8.8.8.8:53   11.227.111.52.in-addr.arpa       udp
US       8.8.8.8:53   208.143.182.52.in-addr.arpa      udp

Files

memory/3200-0-0x00007FFBC2933000-0x00007FFBC2935000-memory.dmp

memory/3200-1-0x0000027DA2630000-0x0000027DA2AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Costura\50E5C95F83CFA2A62760985E8C452772\simplewpf.dll

MD5 6949b56eefede827d7a82acef8ea303e
SHA1 dccec3108c724a477154099cb970d1a6cbc6f0f5
SHA256 108992c9d8aae7ca7db8db951d240b86ae3be26fb06cc2813b629db59cd80d7f
SHA512 43d3413789415cad525e97441154067a858d0a28f1eb9939c2938e838f0d91a169a11875ab65d17eb642df437e480c3afc74d7e3d3f468d5bd4b0f3eb7f9926e

memory/3200-8-0x0000027DA3120000-0x0000027DA312C000-memory.dmp

memory/3200-11-0x0000027DBE9D0000-0x0000027DBEA7A000-memory.dmp

memory/3200-16-0x00007FFBC2930000-0x00007FFBC33F1000-memory.dmp

C:\ProgramData\ETUVA\EASET.xml

MD5 63804d4b5f68f502555e9d5e7287bf08
SHA1 58dae40f00b7f951e05cb10858e06aef86438dae
SHA256 bcdc4437531e81b272643614d726ba37fb58fb752d0385d8aab94a77e4681108
SHA512 5656a088195e3b3741c1061c1f46394379debcb66b84598459f9db32b72568c172c324d4e6671d37ad12aca98d2e426c377a9eedcf880b8717cd91a39d3a7b03

memory/3200-19-0x00007FFBC2930000-0x00007FFBC33F1000-memory.dmp