Analysis

  • max time kernel
    96s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-11-2024 01:34

General

  • Target

    7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe

  • Size

    3.0MB

  • MD5

    0f75083f87680daffd59c8fa57249f8f

  • SHA1

    3b701dd48a6fc85b1517307e830e5469b379e623

  • SHA256

    7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577

  • SHA512

    fdbe247262aac9d3fe16c1209b1962795c40bb58a1775d09a31c23b1075a112ceb50bb603778dc8ae1559e765d1fef48faf9074f5e34be3552f464dfb2050a13

  • SSDEEP

    24576:zgWsVRCBzuhKPEyhdohtH/DIrQ+NOS2HMGwHThXNL2PVh6B+BzjmcdTf+rmFWuST:zgWsVR4eKfdohx/IGwH8Bzjx+mFi

Malware Config

Signatures

  • BlackGuard

    Infostealer first seen in late 2021.

  • Blackguard family
  • Loads dropped DLL 12 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
    "C:\Users\Admin\AppData\Local\Temp\7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    PID:2424
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1256
      2⤵
      • Program crash
      PID:2872
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2424 -ip 2424
    1⤵
      PID:3956

    Network

    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      140.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      140.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      228.249.119.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      228.249.119.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      200.163.202.172.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      200.163.202.172.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      171.39.242.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      171.39.242.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      43.229.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      43.229.111.52.in-addr.arpa
      IN PTR
      Response
    No results found
    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      140.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      140.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      228.249.119.40.in-addr.arpa
      dns
      73 B
      159 B
      1
      1

      DNS Request

      228.249.119.40.in-addr.arpa

    • 8.8.8.8:53
      200.163.202.172.in-addr.arpa
      dns
      74 B
      160 B
      1
      1

      DNS Request

      200.163.202.172.in-addr.arpa

    • 8.8.8.8:53
      171.39.242.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      171.39.242.20.in-addr.arpa

    • 8.8.8.8:53
      43.229.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      43.229.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Costura\2DBAF1FEDF7B704159B7F064EF200FB9\inputmanager.dll

      Filesize

      20KB

      MD5

      1fd7368d50298c9afe6c12e74ac19589

      SHA1

      3a1ab4d3e2a14854b9e17af5f55d60a9c62a72cc

      SHA256

      1a6dd2f79674f2334fca758da41d22045c47332683d7079fae2925d58b61efff

      SHA512

      c3a45aa0e3fca5e43534e961bf49df8513da0a2edbf9580e8a572d0e4ad51623b9253bf095d37f620a16b8204336eced37e7896482dfc7bd11f9391b45c65c7c

    • C:\Users\Admin\AppData\Local\Temp\Costura\2DBAF1FEDF7B704159B7F064EF200FB9\naudio.dll

      Filesize

      501KB

      MD5

      047bca47d9d12191811fb2e87cded3aa

      SHA1

      afdc5d27fb919d1d813e6a07466f889dbc8c6677

      SHA256

      bc4bacc3b8b28d898f1671b79f216cca439f95eb60cd32d3e3ecafbecac42780

      SHA512

      99505644d42e4c60c977e4144165ea9dea8f1301e6456aa809e046ecc84a3813a190ce65169a6ffef5a36ad3541ec91002615a02933f8deb642aa3f8f3b11f2f

    • C:\Users\Admin\AppData\Local\Temp\Costura\2DBAF1FEDF7B704159B7F064EF200FB9\newtonsoft.json.dll

      Filesize

      683KB

      MD5

      6815034209687816d8cf401877ec8133

      SHA1

      1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

      SHA256

      7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

      SHA512

      3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

    • C:\Users\Admin\AppData\Local\Temp\Costura\2DBAF1FEDF7B704159B7F064EF200FB9\simplewpf.dll

      Filesize

      21KB

      MD5

      6949b56eefede827d7a82acef8ea303e

      SHA1

      dccec3108c724a477154099cb970d1a6cbc6f0f5

      SHA256

      108992c9d8aae7ca7db8db951d240b86ae3be26fb06cc2813b629db59cd80d7f

      SHA512

      43d3413789415cad525e97441154067a858d0a28f1eb9939c2938e838f0d91a169a11875ab65d17eb642df437e480c3afc74d7e3d3f468d5bd4b0f3eb7f9926e

    • C:\Users\Admin\AppData\Local\Temp\Costura\2DBAF1FEDF7B704159B7F064EF200FB9\smartthreadpool.dll

      Filesize

      63KB

      MD5

      05fc040e25e3ee6fe1bc1978deadd87a

      SHA1

      86c9656fe1269e571ee87f183cfc637f583efd92

      SHA256

      f2b5bc27ee17c866e1e897fd3869227bdc41d3931da77fab2e48bd4d490b8ab7

      SHA512

      fd7d0969b20fece2561b22ce1c96a56636cbb51de76e1fa7eb50f0cf8035eecb84bab9b134266c71895356cd7cea869f7b6d49cc71728341e4e83c696000968d

    • memory/2424-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

      Filesize

      4KB

    • memory/2424-1-0x0000000000030000-0x000000000032C000-memory.dmp

      Filesize

      3.0MB

    • memory/2424-29-0x0000000074B30000-0x00000000752E0000-memory.dmp

      Filesize

      7.7MB

    • memory/2424-33-0x00000000051E0000-0x00000000051EC000-memory.dmp

      Filesize

      48KB

    • memory/2424-36-0x0000000074B30000-0x00000000752E0000-memory.dmp

      Filesize

      7.7MB
