Analysis
-
max time kernel
92s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
25-01-2025 21:54
General
-
Target
AdvegaHack.exe
-
Size
7.7MB
-
MD5
5f8d5770292267bca8c17dd1bf4ecdf2
-
SHA1
debdca02009b642fc15e990fcf286838d8d16cf4
-
SHA256
817cd1a400d6133e5959971d975a5cba0f03f403a2eedeeb4004fd48bc6d367b
-
SHA512
fc28ebd0d216efca4dd0d31b60d29ce0c6e253381825e478dcf1bcb7792ee2b9d26ff2317a09247710504cb3f9d9cd15e88e483c59bfd36884788df43f37e10d
-
SSDEEP
98304:hgl47z3Aldea5a/OhtJeq+4NK+dG7M0mWZsE6+YhU+dbkh4yiMP0T:X/wld79ht+j1M0mWZsE6+YASy10T
Malware Config
Extracted
blackguard
https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021
Signatures
-
BlackGuard
Infostealer first seen in Late 2021.
-
Blackguard family
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AdvegaHack.exe"C:\Users\Admin\AppData\Local\Temp\AdvegaHack.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\v2.exe"C:\Users\Admin\AppData\Local\Temp\v2.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ShowLock.TS"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
571KB
MD5169b6d383b7c650ab3ae2129397a6cf3
SHA1fcaef7defb04301fd55fb1421bb15ef96d7040d6
SHA256b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf
SHA5127a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87
-
Filesize
1.3MB
MD50a1e95b0b1535203a1b8479dff2c03ff
SHA120c4b4406e8a3b1b35ca739ed59aa07ba867043d
SHA256788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e
SHA512854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e
-
Filesize
410KB
MD5056d3fcaf3b1d32ff25f513621e2a372
SHA1851740bca46bab71d0b1d47e47f3eb8358cbee03
SHA25666b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9
SHA512ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180
-
Filesize
7.7MB
MD59f4f298bcf1d208bd3ce3907cfb28480
SHA105c1cfde951306f8c6e9d484d3d88698c4419c62
SHA256bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc
SHA5124c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806
-
Filesize
271KB
MD53f62213d184b639a0a62bcb1e65370a8
SHA1bbf50b3c683550684cdb345d348e98fbe2fcafe0
SHA256c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34
SHA5120cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
1KB
MD5d24bb088921a322538c096b1dd13ba69
SHA16fe9caf54881d009763ed25d8254e5b7e1efb659
SHA2569a4e6c7b7429437f41ce1d62c25b168a02d3f5392eafa9fd5e237b3022deaaea
SHA512b10b881583d2c9790d2093a171cd1e3a7409b12aadae68ce8615d911779049df0d55b9e8b26eedf5ee035b4382a3d82d7073b2ae0ccfb9584bd77ab19901135e
-
Filesize
1KB
MD5821d52b7f959a15b9b24914b8fa5ef83
SHA185cfd82d0bb5513a9f217a48c3f59521a9358b15
SHA256c0052ea1e0ba7dbb7a2a4a999b0d546bea65590f5b23ec9fc31602639ac620fc
SHA5120739d165665473aeb3b19f697afc8da129f671f1342bea5f1213ba4f8e969c759eadf9ab4add04a1f804b8042f25367fc1b988164b471b155b9d42cd9ad57bbc
-
Filesize
16.7MB
-
Filesize
2.7MB
-
Filesize
992KB
-
Filesize
208KB
-
Filesize
7.7MB
-
Filesize
1.8MB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
132KB
-
Filesize
240KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
304KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
472KB
-
Filesize
120KB
-
Filesize
584KB
-
Filesize
416KB
-
Filesize
136KB
-
Filesize
320KB