blackguard | 8556a420ce8441261c575e1f030ad2d90a69d08bae576f7db921dd727925a291

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Builder.exe
Size

9.7MB
MD5

11ee415ffe942a18f5429802a56b5a08
SHA1

1536b8d10f827c2a483d9b4c7423b3ae9b35772a
SHA256

8556a420ce8441261c575e1f030ad2d90a69d08bae576f7db921dd727925a291
SHA512

0c984827933e8e6fcc2ac4f64bef598cab884c9cbb8da4376e9beb9c030dc57c54e72f25a6ec25acbb07472f19fe4639ceefa20627775ad828b23740411737b7
SSDEEP

196608:ZlIMJxeJxgVN8iNIS6bF8Yrz1x3PQha9:ZlIMmJxgX3YrzT

Score

10^/10

blackguard discovery stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Blackguard family
blackguard

Loads dropped DLL 2 IoCs

pid	Process
3004	Builder.exe
3004	Builder.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2976	3004	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2976	3004	Builder.exe	30
PID 3004 wrote to memory of 2976	3004	Builder.exe	30
PID 3004 wrote to memory of 2976	3004	Builder.exe	30
PID 3004 wrote to memory of 2976	3004	Builder.exe	30

C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 616
  2⤵
  - Program crash
  PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect32.dll

Filesize
634KB

MD5
4a647d989a49725ff6617de8357be484

SHA1
2e8f72c54edfd71ca7e3c7fad545ae73a305ca7e

SHA256
9c86108e34a3d07890551e35bf497da052ce21cab0ba4ec10ccd439001b5892b

SHA512
29f2813ec799d66c4c702b656fd621be0d1a8389d8fb2ae7f3fcbb3dc5e7d1619b75bc92f369200e02a95c02da22223cbf0e520796bd5b5cbd2689e5d382d395

Download Submit
\Users\Admin\AppData\Local\Temp\VikaRT32.dll

Filesize
580KB

MD5
513e7845d06db10b2d639370d94767ec

SHA1
967df05e9d8bf431962fb28a771667462211672a

SHA256
d67906f22f3ab191f9774a48977c9a765582c948a37c595bd299db3c8f465f13

SHA512
698eb74eab94485371cff4ecb4f31c42ec27490aba25513b85b9d509313617936efaf170e93d40ec40a550076f43340955289bfbd40decc765d5891bb2cd97cc

Download Submit
memory/3004-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/3004-1-0x00000000001F0000-0x0000000000BA6000-memory.dmp

Filesize
9.7MB

Download
memory/3004-7-0x0000000000CB0000-0x0000000000CBE000-memory.dmp

Filesize
56KB

Download
memory/3004-8-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-9-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-10-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-11-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-13-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-14-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/3004-17-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download