blackguard | dfea5761c13795a4eac03f0e150f92eae0c7fd2b1be234bc53cf3726f8aacdbd

Analysis

max time kernel
72s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
07-02-2025 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dsa.7z
Size

31.6MB
MD5

29df20c3ab674d32dbff4ad9d2cae227
SHA1

53b1252248cf35260f31243e7167486a6ceb508f
SHA256

dfea5761c13795a4eac03f0e150f92eae0c7fd2b1be234bc53cf3726f8aacdbd
SHA512

da31410916079c47fdc55cf66e7a98240a85fc785ece94c252c81a11814756af7ca1b8900065d62559a912ddb554a76e79447ca7ffdf6ac6ddc54a694c3f35e1
SSDEEP

786432:p+lahZxH62fanCSUpfUfp+iZPcdDfK3BpEJz/RbRMzDIfka:prJinCdU8iZkdDBRbGIl

Score

10^/10

blackguard discovery stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard
Blackguard family
blackguard

Executes dropped EXE 1 IoCs

pid	Process
4736	Builder.exe

Loads dropped DLL 4 IoCs

pid	Process
4736	Builder.exe
4736	Builder.exe
4736	Builder.exe
4736	Builder.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1528	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4704	7zFM.exe
1528	vlc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	4704	7zFM.exe
Token: 35	4704	7zFM.exe
Token: SeSecurityPrivilege	4704	7zFM.exe
Token: 33	412	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	412	AUDIODG.EXE
Token: 33	1528	vlc.exe
Token: SeIncBasePriorityPrivilege	1528	vlc.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4704	7zFM.exe
4704	7zFM.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe

Suspicious use of SendNotifyMessage 9 IoCs

pid	Process
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe
1528	vlc.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\dsa.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4704

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2036

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\BlackGuard Stealer Builder\bandicam 2022-05-12 17-09-20-649.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Users\Admin\Desktop\BlackGuard Stealer Builder\Builder\Builder.exe
"C:\Users\Admin\Desktop\BlackGuard Stealer Builder\Builder\Builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zE06238D87\BlackGuard Stealer Builder\Panel\www\img\famfamfam-countryflags\re.gif

Filesize
366B

MD5
0a4673b07b377d1f58230f40f256d890

SHA1
7e36554ade83e484899a73946ce5e59a4b9fb6e6

SHA256
e2016ab933817845c6bca46de5c80793c2e3baa94fdd467589a0ca47ebdb9676

SHA512
1724e9e368bf09377878b4674cddf56e1cb7d31a6e86d8be747480365d6bd10b0ff118e6a525090f196c1113c4344792725b79f6ba3dcc10e66a84fbf726da1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE06238D87\BlackGuard Stealer Builder\Panel\www\img\famfamfam-countryflags\sj.gif

Filesize
376B

MD5
bbc9011e876a122ea89923e6b730ec50

SHA1
7398e4ba0fd8d122eaa2e4c807345f611d6a7594

SHA256
019bdfaed643674542f71514948050b099901534673a2b5d80a472f1f1a88dfd

SHA512
141810a6dcc436864b41667064f06dc188e6847fe745f85a65003430ec2608490a43fb6f6adca68994c21da90ffef2d08c0890d4f2b3b527246c6270559563d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE06238D87\BlackGuard Stealer Builder\Panel\www\panel\font-awesome.css

Filesize
36KB

MD5
c495654869785bc3df60216616814ad1

SHA1
0140952c64e3f2b74ef64e050f2fe86eab6624c8

SHA256
36e0a7e08bee65774168528938072c536437669c1b7458ac77976ec788e4439c

SHA512
e40f27c1d30e5ab4b3db47c3b2373381489d50147c9623d853e5b299364fd65998f46e8e73b1e566fd79e97aa7b20354cd3c8c79f15372c147fed9c913ffb106

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zE06238D87\BlackGuard Stealer Builder\Panel\www\panel\img\famfamfam-countryflags\au.gif

Filesize
378B

MD5
1fe85ab1104e05f5a26efa5bbcd1cf18

SHA1
3dc73195ca141c933931a6447468dd1b6fb73301

SHA256
6a86e7a3e4bda011deb945b4168e01c5435efcb9cc41c00efbd5fe464dbb65db

SHA512
e9a86a9d745fbf255360af58785166174ceb54b7f9d91ba4d9085c7f7d3173723d0b8846146a85668bc88c36f82a3d1ee0ab1c067bcad4cb9bccb8a46306861d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect32.dll

Filesize
634KB

MD5
4a647d989a49725ff6617de8357be484

SHA1
2e8f72c54edfd71ca7e3c7fad545ae73a305ca7e

SHA256
9c86108e34a3d07890551e35bf497da052ce21cab0ba4ec10ccd439001b5892b

SHA512
29f2813ec799d66c4c702b656fd621be0d1a8389d8fb2ae7f3fcbb3dc5e7d1619b75bc92f369200e02a95c02da22223cbf0e520796bd5b5cbd2689e5d382d395

Download Submit
C:\Users\Admin\AppData\Local\Temp\VikaRT32.dll

Filesize
580KB

MD5
513e7845d06db10b2d639370d94767ec

SHA1
967df05e9d8bf431962fb28a771667462211672a

SHA256
d67906f22f3ab191f9774a48977c9a765582c948a37c595bd299db3c8f465f13

SHA512
698eb74eab94485371cff4ecb4f31c42ec27490aba25513b85b9d509313617936efaf170e93d40ec40a550076f43340955289bfbd40decc765d5891bb2cd97cc

Download Submit
C:\Users\Admin\Desktop\BlackGuard Stealer Builder\Builder\Builder.exe

Filesize
9.7MB

MD5
11ee415ffe942a18f5429802a56b5a08

SHA1
1536b8d10f827c2a483d9b4c7423b3ae9b35772a

SHA256
8556a420ce8441261c575e1f030ad2d90a69d08bae576f7db921dd727925a291

SHA512
0c984827933e8e6fcc2ac4f64bef598cab884c9cbb8da4376e9beb9c030dc57c54e72f25a6ec25acbb07472f19fe4639ceefa20627775ad828b23740411737b7

Download Submit
C:\Users\Admin\Desktop\BlackGuard Stealer Builder\Builder\dnlib.dll

Filesize
1.1MB

MD5
de0069c4097c987bd30ebe8155a8af35

SHA1
aced007f4d852d7b84c689a92d9c36e24381d375

SHA256
83445595d38a8e33513b33dfc201983af4746e5327c9bed470a6282d91d539b6

SHA512
66c45818e5c555e5250f8250ea704bc4ca32ddb4d5824c852ae5dc0f264b009af73c7c1e0db1b74c14ee6b612608d939386da23b56520cac415cd5a8f60a5502

Download Submit
C:\Users\Admin\Desktop\BlackGuard Stealer Builder\bandicam 2022-05-12 17-09-20-649.mp4

Filesize
43.0MB

MD5
b00d387b39cf7ac870e38db2e3e8f378

SHA1
62daf2dbdd2235c8018046f493fbc09476338fb1

SHA256
ea711ccefa4b4167e8260688ee347810787608e868bb2da7c2bb9b36398b390b

SHA512
e556ff9cce0ca366ce6fb4ec60e26170e8556964a715646d019332496959bc0997b6fcf35597b5cd3cb5e59ef7fc31cde594cddf44c26c7d73ff542c95a57411

Download Submit
memory/1528-1126-0x00007FFA6B7B0000-0x00007FFA6B817000-memory.dmp

Filesize
412KB

Download
memory/1528-1122-0x00007FFA6CA00000-0x00007FFA6CA1B000-memory.dmp

Filesize
108KB

Download
memory/1528-1112-0x00007FFA73E20000-0x00007FFA73E3D000-memory.dmp

Filesize
116KB

Download
memory/1528-1111-0x00007FFA77320000-0x00007FFA77331000-memory.dmp

Filesize
68KB

Download
memory/1528-1110-0x00007FFA774C0000-0x00007FFA774D7000-memory.dmp

Filesize
92KB

Download
memory/1528-1109-0x00007FFA7A010000-0x00007FFA7A021000-memory.dmp

Filesize
68KB

Download
memory/1528-1108-0x00007FFA7C660000-0x00007FFA7C677000-memory.dmp

Filesize
92KB

Download
memory/1528-1120-0x00007FFA73D20000-0x00007FFA73D31000-memory.dmp

Filesize
68KB

Download
memory/1528-1129-0x00007FFA6B710000-0x00007FFA6B767000-memory.dmp

Filesize
348KB

Download
memory/1528-1128-0x00007FFA6B790000-0x00007FFA6B7A1000-memory.dmp

Filesize
68KB

Download
memory/1528-1127-0x00007FFA65BE0000-0x00007FFA65C5C000-memory.dmp

Filesize
496KB

Download
memory/1528-1114-0x00007FFA64C40000-0x00007FFA64E4B000-memory.dmp

Filesize
2.0MB

Download
memory/1528-1125-0x00007FFA6BA80000-0x00007FFA6BAB0000-memory.dmp

Filesize
192KB

Download
memory/1528-1124-0x00007FFA6C9C0000-0x00007FFA6C9D8000-memory.dmp

Filesize
96KB

Download
memory/1528-1123-0x00007FFA6C9E0000-0x00007FFA6C9F1000-memory.dmp

Filesize
68KB

Download
memory/1528-1115-0x00007FFA73DB0000-0x00007FFA73DF1000-memory.dmp

Filesize
260KB

Download
memory/1528-1116-0x00007FFA63B90000-0x00007FFA64C40000-memory.dmp

Filesize
16.7MB

Download
memory/1528-1121-0x00007FFA73D00000-0x00007FFA73D11000-memory.dmp

Filesize
68KB

Download
memory/1528-1119-0x00007FFA73D40000-0x00007FFA73D51000-memory.dmp

Filesize
68KB

Download
memory/1528-1118-0x00007FFA73D60000-0x00007FFA73D78000-memory.dmp

Filesize
96KB

Download
memory/1528-1117-0x00007FFA73D80000-0x00007FFA73DA1000-memory.dmp

Filesize
132KB

Download
memory/1528-1107-0x00007FFA7C760000-0x00007FFA7C778000-memory.dmp

Filesize
96KB

Download
memory/1528-1130-0x000001DF9F940000-0x000001DFA11AF000-memory.dmp

Filesize
24.4MB

Download
memory/1528-1143-0x00007FFA63B90000-0x00007FFA64C40000-memory.dmp

Filesize
16.7MB

Download
memory/1528-1160-0x00007FFA65840000-0x00007FFA65AF6000-memory.dmp

Filesize
2.7MB

Download
memory/1528-1106-0x00007FFA65840000-0x00007FFA65AF6000-memory.dmp

Filesize
2.7MB

Download
memory/1528-1104-0x00007FF77DDA0000-0x00007FF77DE98000-memory.dmp

Filesize
992KB

Download
memory/1528-1113-0x00007FFA73E00000-0x00007FFA73E11000-memory.dmp

Filesize
68KB

Download
memory/1528-1105-0x00007FFA76390000-0x00007FFA763C4000-memory.dmp

Filesize
208KB

Download
memory/4736-1232-0x0000000002FB0000-0x0000000002FBE000-memory.dmp

Filesize
56KB

Download
memory/4736-1225-0x0000000000160000-0x0000000000B16000-memory.dmp

Filesize
9.7MB

Download
memory/4736-1240-0x00000000059A0000-0x0000000005ABE000-memory.dmp

Filesize
1.1MB

Download