MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00ee54378e6756b246a4c783d17f04a8c80782cba56b3721e9806173bb14cbed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BlackGuard

Vendor detections: 13

Intelligence 13 IOCs YARA 13 File information Comments

SHA256 hash:	00ee54378e6756b246a4c783d17f04a8c80782cba56b3721e9806173bb14cbed
SHA3-384 hash:	ef2f71b9af66870da085492aa61797774fd21685e826f2f9aee92caca23598c92423f4ac1abf57ea47b6d1018ba7f69e
SHA1 hash:	fbc58ca9210f0cae4271ef28d14f66dadf073bf8
MD5 hash:	ced6b4527a3f34f3c41f64326e5ed855
humanhash:	magnesium-one-hot-west
File name:	Fortnite_CHEAT_CRACKED.exe
Download:	download sample
Signature	BlackGuard Create hunting rule
File size:	4'655'104 bytes
First seen:	2023-09-08 22:22:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	baa93d47220682c04d92f7797d9224ce (139 x RiseProStealer, 26 x Xtrat, 18 x CoinMiner)
ssdeep	98304:JpboyaGFmzStgEVRi4fEkZdulDMeF6UugCwrzE/2SMb/4K:JpoypFmzenHzfEGU6/dE4
Threatray	24 similar samples on MalwareBazaar
TLSH	T1AE26AFD1B90971CFD49E27B49927CE82692D03BA8B1109C79C2CB4BE7E67EC115F6C24
TrID	52.9% (.EXE) Win32 Executable (generic) (4505/5/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	71ecf0f0e8f0d0d0 (9 x BlackGuard)
Reporter	vovaan
Tags:	32 BlackGuard exe

vovaan

https://www.virustotal.com/gui/file/00ee54378e6756b246a4c783d17f04a8c80782cba56b3721e9806173bb14cbed/relations

Intelligence

File Origin

# of uploads :

# of downloads :

400

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Fortnite_CHEAT_CRACKED.exe

Verdict:

Malicious activity

Analysis date:

2023-09-08 22:23:04 UTC

Tags:

evasion blackguard

Link:

https://app.any.run/tasks/4ca0421c-7f5f-48fd-8957-1227dd7da4a8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/447600/

Detection(s):

SecuriteInfo.com.Heur.ManBat.1.31217.6675.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Searching for the window

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Sending a custom TCP request

Searching for synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Gathering data

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed packed themidawinlicense

Link:

https://www.filescan.io/uploads/64fb9ec7efe2af27e9c7c3e5/reports/c9ed28fb-4e66-42a7-a9b3-8fc4ec9bd5d4/overview

Verdict:

Malicious

Labled as:

ManBat.Generic

Link:

https://www.hybrid-analysis.com/sample/00ee54378e6756b246a4c783d17f04a8c80782cba56b3721e9806173bb14cbed

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

BlackGuard Stealer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/dbf7b927-5670-4be3-a1ae-8e47ef694926

Result

Threat name:

n/a

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1306531

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Yara detected Costura Assembly Loader

Yara detected Generic Downloader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/00ee54378e6756b246a4c783d17f04a8c80782cba56b3721e9806173bb14cbed/

Threat name:

Win32.Trojan.ManBat

Status:

Malicious

First seen:

2023-09-08 22:23:06 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=adxfin4om5llervey6b5c7yevdeapawluvvtoipjqbqxhoyuzpwq._file

Verdict:

malicious

BlackGuard

71542a9dd0da516b5599228ace4fc9028ce2d389ec0fc1e68e9089ba174afe80

BlackGuard

7458785f0dc0847a0abf3329e7b6cb5380a32d711b14d63aa99ade54586f4b57

BlackGuard

79c4819c2c8e76c2498554c3c2ca9d54e2019df92254b5bf7a2d42896ec440d6

BlackGuard

8ced69a3c6796be12a0433300b9935b4c63fe4817b0830e1965b07fffaa360df

BlackGuard

9f7dfb962e2bf51b8635de5abf80bede395c54abdd19ce0e7caa2343667fefe9

BlackGuard

af74b80210c8fd9f512427ff46e8ccbdf063a9eed4fa3ffe15f791880c5b8d1e

BlackGuard

b2b465aad0a254c202bee124ff4beb540ac09ce04655f61478b5824509a1f6a2

BlackGuard

b4bbdadeb876d22140beabe77e143cd74871461c0823f9f9ba79b41106386d26

BlackGuard

d120f86810729718538a4afeacb0c1af96953e565cfe2fa5006c9dc823f8f274

BlackGuard

+ 14 additional samples on MalwareBazaar

Result

Malware family:

blackguard

Score:

10/10

Tags:

family:blackguard evasion stealer

Link:

https://tria.ge/reports/230908-2ar9msfg86/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

BlackGuard

Unpacked files

SH256 hash:

00ee54378e6756b246a4c783d17f04a8c80782cba56b3721e9806173bb14cbed

MD5 hash:

ced6b4527a3f34f3c41f64326e5ed855

SHA1 hash:

fbc58ca9210f0cae4271ef28d14f66dadf073bf8

Link:

https://www.unpac.me/results/2786cafd-e028-4e99-acfb-669e27f4c490/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/00ee54378e6756b246a4c783d17f04a8c80782cba56b3721e9806173bb14cbed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BlackGuard_Rule Create hunting rule
Author:	Jiho Kim
Description:	Yara rule for BlackGuarad Stealer v1.0 - v3.0
Reference:	https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	INDICATOR_EXE_Packed_Fody Create hunting rule
Author:	ditekSHen
Description:	Detects executables manipulated with Fody

Rule name:	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore Create hunting rule
Author:	ditekSHen
Description:	Detects executables containing SQL queries to confidential data stores. Observed in infostealers

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	NETexecutableMicrosoft Create hunting rule
Author:	malware-lu

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	vmdetect Create hunting rule
Author:	nex
Description:	Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BlackGuard

exe 00ee54378e6756b246a4c783d17f04a8c80782cba56b3721e9806173bb14cbed

(this sample)

Link

https://oshi.at/USGi

Dropping

blackguard

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/447600/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample