
Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/01/2025, 14:04 UTC

General

  • Target

    AdvegaHack.exe

  • Size

    7.7MB

  • MD5

    5f8d5770292267bca8c17dd1bf4ecdf2

  • SHA1

    debdca02009b642fc15e990fcf286838d8d16cf4

  • SHA256

    817cd1a400d6133e5959971d975a5cba0f03f403a2eedeeb4004fd48bc6d367b

  • SHA512

    fc28ebd0d216efca4dd0d31b60d29ce0c6e253381825e478dcf1bcb7792ee2b9d26ff2317a09247710504cb3f9d9cd15e88e483c59bfd36884788df43f37e10d

  • SSDEEP

    98304:hgl47z3Aldea5a/OhtJeq+4NK+dG7M0mWZsE6+YhU+dbkh4yiMP0T:X/wld79ht+j1M0mWZsE6+YASy10T

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021

Signatures

  • BlackGuard

    Infostealer first seen in late 2021.

  • Blackguard family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AdvegaHack.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvegaHack.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
      "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Users\Admin\AppData\Local\Temp\v2.exe
        "C:\Users\Admin\AppData\Local\Temp\v2.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4732

Network

  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    216.87.200.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    216.87.200.23.in-addr.arpa
    IN PTR
    Response
    216.87.200.23.in-addr.arpa
    IN PTR
    a23-200-87-216.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    freegeoip.app
    v2.exe
    Remote address:
    8.8.8.8:53
    Request
    freegeoip.app
    IN A
    Response
    freegeoip.app
    IN A
    104.21.80.1
    freegeoip.app
    IN A
    104.21.64.1
    freegeoip.app
    IN A
    104.21.48.1
    freegeoip.app
    IN A
    104.21.112.1
    freegeoip.app
    IN A
    104.21.32.1
    freegeoip.app
    IN A
    104.21.96.1
    freegeoip.app
    IN A
    104.21.16.1
  • flag-us
    DNS
    14.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167.deploy.static.akamaitechnologies.com
  • flag-us
    GET
    https://freegeoip.app/xml/
    v2.exe
    Remote address:
    104.21.80.1:443
    Request
    GET /xml/ HTTP/1.1
    Host: freegeoip.app
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 26 Jan 2025 14:05:10 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Sun, 26 Jan 2025 15:05:10 GMT
    Location: https://ipbase.com/xml/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DCrRHy9bIZSJsAJM9tL3rLlzNF0BwzjaRhFeSTUUVtiOKOFz%2Bj9iSFIW16%2Fe2OpFWeZ45XPk%2B3Oo6I3bGRwKplneihYwWuSDD5zOGcPbT6vUoTfChDB4YXqBMKd8dVcf"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90810e6e4a8a776b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=58558&min_rtt=56310&rtt_var=14385&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2992&recv_bytes=364&delivery_rate=72237&cwnd=252&unsent_bytes=0&cid=cb66ded75b705d1d&ts=135&x=0"
  • flag-us
    DNS
    ipbase.com
    v2.exe
    Remote address:
    8.8.8.8:53
    Request
    ipbase.com
    IN A
    Response
    ipbase.com
    IN A
    104.21.85.189
    ipbase.com
    IN A
    172.67.209.71
  • flag-us
    GET
    https://ipbase.com/xml/
    v2.exe
    Remote address:
    104.21.85.189:443
    Request
    GET /xml/ HTTP/1.1
    Host: ipbase.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Sun, 26 Jan 2025 14:05:11 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Age: 54017
    Cache-Control: public,max-age=0,must-revalidate
    Cache-Status: "Netlify Edge"; hit
    Vary: Accept-Encoding
    X-Nf-Request-Id: 01JJHEWGHNQ28P3Z9SG5JRJTVH
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qG1h%2FoFCzGLaxYTMUwQNzlSGzWdMrK5AErC98v5%2Fkqbl03BtTh%2BLizEUGAkyI75klXfWnOZuf%2Bk3KFrYytFhP9CXoK1vV9wuPFtsJX92sHIGPLN79ZyyMrxwby%2Ff"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 90810e701dfff65b-LHR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=48482&min_rtt=47832&rtt_var=11127&sent=6&recv=6&lost=0&retrans=0&sent_bytes=2979&recv_bytes=358&delivery_rate=77222&cwnd=253&unsent_bytes=0&cid=00ed9da1b6a52658&ts=149&x=0"
  • flag-us
    DNS
    1.80.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.80.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    189.85.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    189.85.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ip-api.com
    v2.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json/?fields=61439
    v2.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/?fields=61439 HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 14:05:13 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    GET
    http://ip-api.com/json/?fields=61439
    v2.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/?fields=61439 HTTP/1.1
    Host: ip-api.com
    Response
    HTTP/1.1 200 OK
    Date: Sun, 26 Jan 2025 14:05:12 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-api.com
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    200.163.202.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.163.202.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    194.86.200.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.86.200.23.in-addr.arpa
    IN PTR
    Response
    194.86.200.23.in-addr.arpa
    IN PTR
    a23-200-86-194.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    16.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    16.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 104.21.80.1:443
    https://freegeoip.app/xml/
    tls, http
    v2.exe
    720 B
    4.3kB
    8
    7

    HTTP Request

    GET https://freegeoip.app/xml/

    HTTP Response

    301
  • 104.21.85.189:443
    https://ipbase.com/xml/
    tls, http
    v2.exe
    852 B
    8.1kB
    11
    14

    HTTP Request

    GET https://ipbase.com/xml/

    HTTP Response

    404
  • 208.95.112.1:80
    http://ip-api.com/json/?fields=61439
    http
    v2.exe
    402 B
    1.1kB
    6
    3

    HTTP Request

    GET http://ip-api.com/json/?fields=61439

    HTTP Response

    200

    HTTP Request

    GET http://ip-api.com/json/?fields=61439

    HTTP Response

    200
  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    216.87.200.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    216.87.200.23.in-addr.arpa

  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    freegeoip.app
    dns
    v2.exe
    59 B
    171 B
    1
    1

    DNS Request

    freegeoip.app

    DNS Response

    104.21.80.1
    104.21.64.1
    104.21.48.1
    104.21.112.1
    104.21.32.1
    104.21.96.1
    104.21.16.1

  • 8.8.8.8:53
    14.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    167.173.78.104.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    167.173.78.104.in-addr.arpa

  • 8.8.8.8:53
    ipbase.com
    dns
    v2.exe
    56 B
    88 B
    1
    1

    DNS Request

    ipbase.com

    DNS Response

    104.21.85.189
    172.67.209.71

  • 8.8.8.8:53
    1.80.21.104.in-addr.arpa
    dns
    70 B
    132 B
    1
    1

    DNS Request

    1.80.21.104.in-addr.arpa

  • 8.8.8.8:53
    189.85.21.104.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    189.85.21.104.in-addr.arpa

  • 8.8.8.8:53
    ip-api.com
    dns
    v2.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    71 B
    95 B
    1
    1

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    200.163.202.172.in-addr.arpa
    dns
    74 B
    160 B
    1
    1

    DNS Request

    200.163.202.172.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    194.86.200.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    194.86.200.23.in-addr.arpa

  • 8.8.8.8:53
    16.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    16.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

    Filesize

    571KB

    MD5

    169b6d383b7c650ab3ae2129397a6cf3

    SHA1

    fcaef7defb04301fd55fb1421bb15ef96d7040d6

    SHA256

    b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

    SHA512

    7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

  • C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

    Filesize

    1.3MB

    MD5

    0a1e95b0b1535203a1b8479dff2c03ff

    SHA1

    20c4b4406e8a3b1b35ca739ed59aa07ba867043d

    SHA256

    788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

    SHA512

    854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

  • C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

    Filesize

    410KB

    MD5

    056d3fcaf3b1d32ff25f513621e2a372

    SHA1

    851740bca46bab71d0b1d47e47f3eb8358cbee03

    SHA256

    66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

    SHA512

    ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

  • C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

    Filesize

    7.7MB

    MD5

    9f4f298bcf1d208bd3ce3907cfb28480

    SHA1

    05c1cfde951306f8c6e9d484d3d88698c4419c62

    SHA256

    bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc

    SHA512

    4c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806

  • C:\Users\Admin\AppData\Local\Temp\v2.exe

    Filesize

    271KB

    MD5

    3f62213d184b639a0a62bcb1e65370a8

    SHA1

    bbf50b3c683550684cdb345d348e98fbe2fcafe0

    SHA256

    c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34

    SHA512

    0cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803

  • C:\Users\Admin\AppData\Roaming\wTZTJHJXwPuFXFyGUMLNLFE.Admin\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Roaming\wTZTJHJXwPuFXFyGUMLNLFE.Admin\Process.txt

    Filesize

    740B

    MD5

    61a7d119a24df2e19337cf64f4b4503e

    SHA1

    4a13370a8f96e8003235e1eceaf9a1a918a04ce8

    SHA256

    b79b1faef04868a70835fb46cac0d96ccb2e45bcd495eb827ae678210a3ee308

    SHA512

    2182de07b7a91fc83b9059939555b2cb0e783c5c6353aebf480e17b403be9c332cf4e1ee090b01bebbd1781cd1133c15916d5dc93752e1171dda2ab7ff32a5d8

  • C:\Users\Admin\AppData\Roaming\wTZTJHJXwPuFXFyGUMLNLFE.Admin\Process.txt

    Filesize

    1KB

    MD5

    6b01c8e5b3519282449db8315820af52

    SHA1

    54411db25bb5c969e386558cb8ea5c200ee2bf2d

    SHA256

    30aee9c70aafb996eebd4b9cf635117925abbc1c9fa9b55da83fce1380bc01a5

    SHA512

    18a319d5478365c9c16319bb43869fdf2df2198fa33cba9f1161ef166930bf91360361f86c9e9a53822bcb3c44f55a909ef79706d4e5b3b81760c119832ac812

  • memory/464-8-0x0000000000400000-0x0000000000BBE000-memory.dmp

    Filesize

    7.7MB

  • memory/4732-52-0x0000000005340000-0x00000000053D2000-memory.dmp

    Filesize

    584KB

  • memory/4732-103-0x0000000006210000-0x000000000624C000-memory.dmp

    Filesize

    240KB

  • memory/4732-92-0x0000000004F90000-0x0000000004FB2000-memory.dmp

    Filesize

    136KB

  • memory/4732-85-0x00000000055E0000-0x0000000005672000-memory.dmp

    Filesize

    584KB

  • memory/4732-96-0x0000000005A30000-0x0000000005A98000-memory.dmp

    Filesize

    416KB

  • memory/4732-97-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

    Filesize

    3.3MB

  • memory/4732-44-0x0000000074840000-0x0000000074FF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4732-98-0x0000000006140000-0x000000000618C000-memory.dmp

    Filesize

    304KB

  • memory/4732-104-0x00000000061B0000-0x00000000061D1000-memory.dmp

    Filesize

    132KB

  • memory/4732-91-0x0000000005060000-0x00000000050B0000-memory.dmp

    Filesize

    320KB

  • memory/4732-108-0x0000000007240000-0x0000000007402000-memory.dmp

    Filesize

    1.8MB

  • memory/4732-112-0x00000000079C0000-0x0000000007F64000-memory.dmp

    Filesize

    5.6MB

  • memory/4732-40-0x0000000000040000-0x000000000008A000-memory.dmp

    Filesize

    296KB

  • memory/4732-39-0x000000007484E000-0x000000007484F000-memory.dmp

    Filesize

    4KB

  • memory/4732-196-0x0000000007410000-0x0000000007476000-memory.dmp

    Filesize

    408KB

  • memory/4732-197-0x0000000007480000-0x00000000074F6000-memory.dmp

    Filesize

    472KB

  • memory/4732-198-0x00000000071D0000-0x00000000071EE000-memory.dmp

    Filesize

    120KB

  • memory/4732-201-0x0000000074840000-0x0000000074FF0000-memory.dmp

    Filesize

    7.7MB
