blackguard | 7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577

General

Target

7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
Size

3.0MB
MD5

0f75083f87680daffd59c8fa57249f8f
SHA1

3b701dd48a6fc85b1517307e830e5469b379e623
SHA256

7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577
SHA512

fdbe247262aac9d3fe16c1209b1962795c40bb58a1775d09a31c23b1075a112ceb50bb603778dc8ae1559e765d1fef48faf9074f5e34be3552f464dfb2050a13
SSDEEP

24576:zgWsVRCBzuhKPEyhdohtH/DIrQ+NOS2HMGwHThXNL2PVh6B+BzjmcdTf+rmFWuST:zgWsVR4eKfdohx/IGwH8Bzjx+mFi

Score

10^/10

blackguard discovery stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Blackguard family
blackguard

Loads dropped DLL 12 IoCs

Processes:

7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe

pid	process
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
2424	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2872 2424 WerFault.exe 7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe

pid	pid_target	process	target process
2872	2424	WerFault.exe	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe

C:\Users\Admin\AppData\Local\Temp\7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe
"C:\Users\Admin\AppData\Local\Temp\7684bd825a96858669a41fd1017a1697a5b031d56bc2a3add52ca70c87ecb577.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2424
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 1256
  2⤵
  - Program crash
  PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2424 -ip 2424
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\2DBAF1FEDF7B704159B7F064EF200FB9\inputmanager.dll

Filesize
20KB

MD5
1fd7368d50298c9afe6c12e74ac19589

SHA1
3a1ab4d3e2a14854b9e17af5f55d60a9c62a72cc

SHA256
1a6dd2f79674f2334fca758da41d22045c47332683d7079fae2925d58b61efff

SHA512
c3a45aa0e3fca5e43534e961bf49df8513da0a2edbf9580e8a572d0e4ad51623b9253bf095d37f620a16b8204336eced37e7896482dfc7bd11f9391b45c65c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\2DBAF1FEDF7B704159B7F064EF200FB9\naudio.dll

Filesize
501KB

MD5
047bca47d9d12191811fb2e87cded3aa

SHA1
afdc5d27fb919d1d813e6a07466f889dbc8c6677

SHA256
bc4bacc3b8b28d898f1671b79f216cca439f95eb60cd32d3e3ecafbecac42780

SHA512
99505644d42e4c60c977e4144165ea9dea8f1301e6456aa809e046ecc84a3813a190ce65169a6ffef5a36ad3541ec91002615a02933f8deb642aa3f8f3b11f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\2DBAF1FEDF7B704159B7F064EF200FB9\newtonsoft.json.dll

Filesize
683KB

MD5
6815034209687816d8cf401877ec8133

SHA1
1248142eb45eed3beb0d9a2d3b8bed5fe2569b10

SHA256
7f912b28a07c226e0be3acfb2f57f050538aba0100fa1f0bf2c39f1a1f1da814

SHA512
3398094ce429ab5dcdecf2ad04803230669bb4accaef7083992e9b87afac55841ba8def2a5168358bd17e60799e55d076b0e5ca44c86b9e6c91150d3dc37c721

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\2DBAF1FEDF7B704159B7F064EF200FB9\simplewpf.dll

Filesize
21KB

MD5
6949b56eefede827d7a82acef8ea303e

SHA1
dccec3108c724a477154099cb970d1a6cbc6f0f5

SHA256
108992c9d8aae7ca7db8db951d240b86ae3be26fb06cc2813b629db59cd80d7f

SHA512
43d3413789415cad525e97441154067a858d0a28f1eb9939c2938e838f0d91a169a11875ab65d17eb642df437e480c3afc74d7e3d3f468d5bd4b0f3eb7f9926e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\2DBAF1FEDF7B704159B7F064EF200FB9\smartthreadpool.dll

Filesize
63KB

MD5
05fc040e25e3ee6fe1bc1978deadd87a

SHA1
86c9656fe1269e571ee87f183cfc637f583efd92

SHA256
f2b5bc27ee17c866e1e897fd3869227bdc41d3931da77fab2e48bd4d490b8ab7

SHA512
fd7d0969b20fece2561b22ce1c96a56636cbb51de76e1fa7eb50f0cf8035eecb84bab9b134266c71895356cd7cea869f7b6d49cc71728341e4e83c696000968d

Download Submit
memory/2424-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/2424-1-0x0000000000030000-0x000000000032C000-memory.dmp

Filesize
3.0MB

Download
memory/2424-29-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2424-33-0x00000000051E0000-0x00000000051EC000-memory.dmp

Filesize
48KB

Download
memory/2424-36-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing