blackguard | 4430db9f5ed3a2cc612fcd4784f0774d0fc5d505ee5c1aa25234e1d27e85a3a8

Analysis

max time kernel
918s
max time network
919s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BRUTOFORCE SEED V12.7.8.exe
Size

40.2MB
MD5

52abb3e74164e2ad5878096bb6a3625e
SHA1

6f2b960b05a788e7177320b16370613baac2a5e6
SHA256

4430db9f5ed3a2cc612fcd4784f0774d0fc5d505ee5c1aa25234e1d27e85a3a8
SHA512

a6b832560972ffe69c7a29b87dda53fe6dcf5f990724f2149df96c3ad233cf575658b59011ece904f2af3d138fe87d12703233636003fcd8cb46444398b5528f
SSDEEP

786432:0cmyjMgsUCYEUhp9+baSgeB/WdLH8J+hvAdanW0u2AyM1:0RqMQCuz9W/2cYYdanW31

Score

10^/10

blackguard discovery spyware stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Blackguard family
blackguard

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	BRUTOFORCE SEED V12.7.8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	BRUTOFORCE SEED V12.6.1.EXE

Executes dropped EXE 3 IoCs

pid	Process
4932	BRUTOFORCE SEED V12.6.1.EXE
4016	BRUTOFORCE SEED V12.6.1.EXE
3212	SHARPIL.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	api.ipify.org
47	api.ipify.org
48	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BRUTOFORCE SEED V12.6.1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BRUTOFORCE SEED V12.6.1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SHARPIL.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	SHARPIL.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SHARPIL.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3212	SHARPIL.exe
3212	SHARPIL.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	SHARPIL.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4912 wrote to memory of 4932	4912	BRUTOFORCE SEED V12.7.8.exe	83
PID 4912 wrote to memory of 4932	4912	BRUTOFORCE SEED V12.7.8.exe	83
PID 4912 wrote to memory of 4932	4912	BRUTOFORCE SEED V12.7.8.exe	83
PID 4932 wrote to memory of 4016	4932	BRUTOFORCE SEED V12.6.1.EXE	111
PID 4932 wrote to memory of 4016	4932	BRUTOFORCE SEED V12.6.1.EXE	111
PID 4932 wrote to memory of 4016	4932	BRUTOFORCE SEED V12.6.1.EXE	111
PID 4912 wrote to memory of 3212	4912	BRUTOFORCE SEED V12.7.8.exe	112
PID 4912 wrote to memory of 3212	4912	BRUTOFORCE SEED V12.7.8.exe	112
PID 4912 wrote to memory of 3212	4912	BRUTOFORCE SEED V12.7.8.exe	112

C:\Users\Admin\AppData\Local\Temp\BRUTOFORCE SEED V12.7.8.exe
"C:\Users\Admin\AppData\Local\Temp\BRUTOFORCE SEED V12.7.8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4912
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\BRUTOFORCE SEED V12.6.1.EXE
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BRUTOFORCE SEED V12.6.1.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\BRUTOFORCE SEED V12.6.1.EXE
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BRUTOFORCE SEED V12.6.1.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4016
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHARPIL.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHARPIL.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WindowsBrandOr\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\WindowsBrandOr\Process.txt

Filesize
1KB

MD5
85a28683aa1ab123853f2530055e4419

SHA1
7a4810aba698dbe3464d644be1fcd41c4eba20c4

SHA256
e6c12b54b25f9c897ba8148d32fe40d1bf4482dba6ca51f9b978cdd43b9720c2

SHA512
cced83afcba8afd0b95b4179e0c5e76fb438912a82cc00f741d2540ed3b776773b11eaa1d2d86339b105cf4c9a7a3f36ed0bc77001f5df11931a5baf0b36a612

Download Submit
C:\ProgramData\WindowsBrandOr\Process.txt

Filesize
1KB

MD5
e6683de66d8d2773b08b0683035f5acd

SHA1
8dbfedd072dc5d0bdaefe9a0ed2d345787d31a05

SHA256
3672a5b256454d65f4c059cada9a3db716c4a1153118b972a28c39ea3eec3017

SHA512
d0023d3018a177fe1a9d13cd0ae4573c2706329413940638663142bfdf7b293bddbd040426762fa98572dde7e257bd6082c9e0779ec217bdda4f7c23cc7d41a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\License.lic

Filesize
41B

MD5
6ab6927ce351b853fe0538033e9262c3

SHA1
2440c774afb6b49a2d5e2ba3001aa5c131824e5c

SHA256
08d91a6aa426886887112642fdd0f6f2e5c37a317c6fd3bba2e2305975f3110e

SHA512
ae7156df7ec8d63e5a097796052ce65b0db15744439839b1d223098704aa0190fa42159fc757491433334bc0a587da739623dc3b079ce09600087a8f55d0c85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHARPIL.exe

Filesize
291KB

MD5
fd8dbbff11893d8010cea56e7a8d5370

SHA1
b476bf5ac599b956beeb705c24fbb1a524ba4d7f

SHA256
72d4546c8928cf3e62f19543654da10b704cb1588458f0cc90ec0aaf62dc5d5c

SHA512
60742cecc99e9b2911dfa8a8b822cfaefa5ad109c87a026cf7f67c1e5ada78b12e81c76b29ea7bf171f622ef3012c1737f78fca68d4b850073b4a9fcbcd3b458

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp77F6.tmp.dat

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp77F9.tmp.dat

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
memory/3212-439-0x0000000007040000-0x00000000070A6000-memory.dmp

Filesize
408KB

Download
memory/3212-306-0x0000000006A90000-0x0000000007034000-memory.dmp

Filesize
5.6MB

Download
memory/3212-305-0x0000000006440000-0x00000000064D2000-memory.dmp

Filesize
584KB

Download
memory/3212-291-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

Filesize
120KB

Download
memory/3212-290-0x0000000006010000-0x0000000006086000-memory.dmp

Filesize
472KB

Download
memory/3212-289-0x0000000005F40000-0x0000000005F90000-memory.dmp

Filesize
320KB

Download
memory/3212-441-0x0000000006740000-0x0000000006752000-memory.dmp

Filesize
72KB

Download
memory/3212-259-0x00000000007F0000-0x0000000000840000-memory.dmp

Filesize
320KB

Download
memory/4932-77-0x0000000006F80000-0x0000000006F92000-memory.dmp

Filesize
72KB

Download
memory/4932-38-0x0000000006DF0000-0x0000000006E2A000-memory.dmp

Filesize
232KB

Download
memory/4932-66-0x0000000006E40000-0x0000000006E46000-memory.dmp

Filesize
24KB

Download
memory/4932-65-0x0000000006EB0000-0x0000000006EC5000-memory.dmp

Filesize
84KB

Download
memory/4932-62-0x0000000006EB0000-0x0000000006EC5000-memory.dmp

Filesize
84KB

Download
memory/4932-61-0x0000000006E80000-0x0000000006EA2000-memory.dmp

Filesize
136KB

Download
memory/4932-57-0x0000000006E60000-0x0000000006E75000-memory.dmp

Filesize
84KB

Download
memory/4932-54-0x0000000006E60000-0x0000000006E75000-memory.dmp

Filesize
84KB

Download
memory/4932-53-0x0000000006D60000-0x0000000006D7F000-memory.dmp

Filesize
124KB

Download
memory/4932-50-0x0000000006D60000-0x0000000006D7F000-memory.dmp

Filesize
124KB

Download
memory/4932-49-0x0000000006D80000-0x0000000006D8C000-memory.dmp

Filesize
48KB

Download
memory/4932-46-0x0000000006D80000-0x0000000006D8C000-memory.dmp

Filesize
48KB

Download
memory/4932-42-0x0000000006DB0000-0x0000000006DC1000-memory.dmp

Filesize
68KB

Download
memory/4932-33-0x0000000008A30000-0x0000000009619000-memory.dmp

Filesize
11.9MB

Download
memory/4932-37-0x0000000006D90000-0x0000000006DAD000-memory.dmp

Filesize
116KB

Download
memory/4932-34-0x0000000006D90000-0x0000000006DAD000-memory.dmp

Filesize
116KB

Download
memory/4932-58-0x0000000006E80000-0x0000000006EA2000-memory.dmp

Filesize
136KB

Download
memory/4932-69-0x0000000006E40000-0x0000000006E46000-memory.dmp

Filesize
24KB

Download
memory/4932-70-0x0000000006F10000-0x0000000006F19000-memory.dmp

Filesize
36KB

Download
memory/4932-73-0x0000000006F10000-0x0000000006F19000-memory.dmp

Filesize
36KB

Download
memory/4932-74-0x0000000006F80000-0x0000000006F92000-memory.dmp

Filesize
72KB

Download
memory/4932-14-0x00000000074A0000-0x0000000007E29000-memory.dmp

Filesize
9.5MB

Download
memory/4932-79-0x0000000006F60000-0x0000000006F7E000-memory.dmp

Filesize
120KB

Download
memory/4932-45-0x0000000006DB0000-0x0000000006DC1000-memory.dmp

Filesize
68KB

Download
memory/4932-41-0x0000000006DF0000-0x0000000006E2A000-memory.dmp

Filesize
232KB

Download
memory/4932-31-0x0000000008A30000-0x0000000009619000-memory.dmp

Filesize
11.9MB

Download
memory/4932-17-0x00000000074A0000-0x0000000007E29000-memory.dmp

Filesize
9.5MB

Download
memory/4932-18-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/4932-21-0x0000000006F20000-0x0000000006F55000-memory.dmp

Filesize
212KB

Download
memory/4932-24-0x0000000006F20000-0x0000000006F55000-memory.dmp

Filesize
212KB

Download
memory/4932-29-0x0000000000F44000-0x0000000000F45000-memory.dmp

Filesize
4KB

Download
memory/4932-28-0x0000000007020000-0x00000000070D4000-memory.dmp

Filesize
720KB

Download
memory/4932-25-0x0000000007020000-0x00000000070D4000-memory.dmp

Filesize
720KB

Download