Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/01/2025, 14:04

General

  • Target

    AdvegaHack.exe

  • Size

    7.7MB

  • MD5

    5f8d5770292267bca8c17dd1bf4ecdf2

  • SHA1

    debdca02009b642fc15e990fcf286838d8d16cf4

  • SHA256

    817cd1a400d6133e5959971d975a5cba0f03f403a2eedeeb4004fd48bc6d367b

  • SHA512

    fc28ebd0d216efca4dd0d31b60d29ce0c6e253381825e478dcf1bcb7792ee2b9d26ff2317a09247710504cb3f9d9cd15e88e483c59bfd36884788df43f37e10d

  • SSDEEP

    98304:hgl47z3Aldea5a/OhtJeq+4NK+dG7M0mWZsE6+YhU+dbkh4yiMP0T:X/wld79ht+j1M0mWZsE6+YASy10T

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot6540906397:AAG08fPgT-V7I17vtz49STaZEuwqXqKshuM/sendMessage?chat_id=5445185021

Signatures

  • BlackGuard

    Infostealer first seen in Late 2021.

  • Blackguard family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AdvegaHack.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvegaHack.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:464
    • C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe
      "C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3984
      • C:\Users\Admin\AppData\Local\Temp\v2.exe
        "C:\Users\Admin\AppData\Local\Temp\v2.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4732

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll

    Filesize

    571KB

    MD5

    169b6d383b7c650ab3ae2129397a6cf3

    SHA1

    fcaef7defb04301fd55fb1421bb15ef96d7040d6

    SHA256

    b896083feb2bdedc1568b62805dbd354c55e57f2d2469a52aec6c98f4ec2dedf

    SHA512

    7a7a7bdb508b8bf177249251c83b65a2ef4a5d8b29397cab130cb8444b23888678673a9a2e4b1c74cc095b358f923b9e7e5a91bfa8c240412d95765851f1dd87

  • C:\Users\Admin\AppData\Local\Temp\SQLite.Interop.dll

    Filesize

    1.3MB

    MD5

    0a1e95b0b1535203a1b8479dff2c03ff

    SHA1

    20c4b4406e8a3b1b35ca739ed59aa07ba867043d

    SHA256

    788d748b4d35dfd091626529457d91e9ebc8225746211086b14fb4a25785a51e

    SHA512

    854abcca8d807a98a9ad0ca5d2e55716c3ce26fae7ee4642796baf415c3cfad522b658963eafe504ecaed6c2ecdcdf332c9b01e43dfa342fcc5ca0fbedfe600e

  • C:\Users\Admin\AppData\Local\Temp\System.Data.SQLite.dll

    Filesize

    410KB

    MD5

    056d3fcaf3b1d32ff25f513621e2a372

    SHA1

    851740bca46bab71d0b1d47e47f3eb8358cbee03

    SHA256

    66b64362664030bff1596cda2ec5bd5df48cc7c8313c32f771db4aa30a3f86f9

    SHA512

    ce47c581538f48a46d70279a62c702195beacbfafb48a5a862b3922625fe56f6887d1679c6d9366f946d3d2124cb31c2a3eacbbd14d601ea56e66575cdf46180

  • C:\Users\Admin\AppData\Local\Temp\VegaStealer_v2.exe

    Filesize

    7.7MB

    MD5

    9f4f298bcf1d208bd3ce3907cfb28480

    SHA1

    05c1cfde951306f8c6e9d484d3d88698c4419c62

    SHA256

    bf7057293d871cac087daab42daf22c1737a1df6adc7b7963989658f3b65f4cc

    SHA512

    4c763c3b6d4884f77083db5ccada59bc57803b3226294eff2ec3db8f2121ac01ee240b0e822cb090f5320ce40df545b477e323efabdbca31722731adc4b46806

  • C:\Users\Admin\AppData\Local\Temp\v2.exe

    Filesize

    271KB

    MD5

    3f62213d184b639a0a62bcb1e65370a8

    SHA1

    bbf50b3c683550684cdb345d348e98fbe2fcafe0

    SHA256

    c692dfc29e70a17cabc19561e8e2662e1fe32fdba998a09fe1a8dc2b7e045b34

    SHA512

    0cd40d714e6a6ebd60cc0c8b0e339905a5f1198a474a531b1794fb562f27053f118718cc68b9652fef3411906f9d8ad22d0253af256fa1922133e9907298e803

  • C:\Users\Admin\AppData\Roaming\wTZTJHJXwPuFXFyGUMLNLFE.Admin\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Roaming\wTZTJHJXwPuFXFyGUMLNLFE.Admin\Process.txt

    Filesize

    740B

    MD5

    61a7d119a24df2e19337cf64f4b4503e

    SHA1

    4a13370a8f96e8003235e1eceaf9a1a918a04ce8

    SHA256

    b79b1faef04868a70835fb46cac0d96ccb2e45bcd495eb827ae678210a3ee308

    SHA512

    2182de07b7a91fc83b9059939555b2cb0e783c5c6353aebf480e17b403be9c332cf4e1ee090b01bebbd1781cd1133c15916d5dc93752e1171dda2ab7ff32a5d8

  • C:\Users\Admin\AppData\Roaming\wTZTJHJXwPuFXFyGUMLNLFE.Admin\Process.txt

    Filesize

    1KB

    MD5

    6b01c8e5b3519282449db8315820af52

    SHA1

    54411db25bb5c969e386558cb8ea5c200ee2bf2d

    SHA256

    30aee9c70aafb996eebd4b9cf635117925abbc1c9fa9b55da83fce1380bc01a5

    SHA512

    18a319d5478365c9c16319bb43869fdf2df2198fa33cba9f1161ef166930bf91360361f86c9e9a53822bcb3c44f55a909ef79706d4e5b3b81760c119832ac812

  • memory/464-8-0x0000000000400000-0x0000000000BBE000-memory.dmp

    Filesize

    7.7MB

  • memory/4732-52-0x0000000005340000-0x00000000053D2000-memory.dmp

    Filesize

    584KB

  • memory/4732-103-0x0000000006210000-0x000000000624C000-memory.dmp

    Filesize

    240KB

  • memory/4732-92-0x0000000004F90000-0x0000000004FB2000-memory.dmp

    Filesize

    136KB

  • memory/4732-85-0x00000000055E0000-0x0000000005672000-memory.dmp

    Filesize

    584KB

  • memory/4732-96-0x0000000005A30000-0x0000000005A98000-memory.dmp

    Filesize

    416KB

  • memory/4732-97-0x0000000005AA0000-0x0000000005DF4000-memory.dmp

    Filesize

    3.3MB

  • memory/4732-44-0x0000000074840000-0x0000000074FF0000-memory.dmp

    Filesize

    7.7MB

  • memory/4732-98-0x0000000006140000-0x000000000618C000-memory.dmp

    Filesize

    304KB

  • memory/4732-104-0x00000000061B0000-0x00000000061D1000-memory.dmp

    Filesize

    132KB

  • memory/4732-91-0x0000000005060000-0x00000000050B0000-memory.dmp

    Filesize

    320KB

  • memory/4732-108-0x0000000007240000-0x0000000007402000-memory.dmp

    Filesize

    1.8MB

  • memory/4732-112-0x00000000079C0000-0x0000000007F64000-memory.dmp

    Filesize

    5.6MB

  • memory/4732-40-0x0000000000040000-0x000000000008A000-memory.dmp

    Filesize

    296KB

  • memory/4732-39-0x000000007484E000-0x000000007484F000-memory.dmp

    Filesize

    4KB

  • memory/4732-196-0x0000000007410000-0x0000000007476000-memory.dmp

    Filesize

    408KB

  • memory/4732-197-0x0000000007480000-0x00000000074F6000-memory.dmp

    Filesize

    472KB

  • memory/4732-198-0x00000000071D0000-0x00000000071EE000-memory.dmp

    Filesize

    120KB

  • memory/4732-201-0x0000000074840000-0x0000000074FF0000-memory.dmp

    Filesize

    7.7MB