MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackGuard


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433
SHA3-384 hash: d32e27565787d5b54150b981a05a4bbb85e6a76032eb9573fc8b3c7369f609c55c65a5a8d406f0602e2a25c138cdd85c
SHA1 hash: 1e39e52aefb0b5c7fa16aaf9c9d870150482a4eb
MD5 hash: 4ecc21c7a2aadaf74dfac9e52723d41e
humanhash: missouri-floor-michigan-delaware
File name:4ecc21c7a2aadaf74dfac9e52723d41e.exe
Download: download sample
Signature BlackGuard
Create hunting rule
File size:7'940'608 bytes
First seen:2023-01-07 06:55:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 196608:Z0Xi4ZgUmPjE+Agbk9fcGVN8iNISGK71:yXiMgbj7AsGXiw
Threatray 2'888 similar samples on MalwareBazaar
TLSH T1C1860102F29540E9E8E74179C17B6B67EA743C0503149AEB63E079A92F336D2767F318
TrID 48.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
28.5% (.EXE) InstallShield setup (43053/19/16)
6.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 58c8d1d0cecbeeec (18 x AsyncRAT, 9 x XWorm, 6 x QuasarRAT)
Reporter abuse_ch
Tags:BlackGuard exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
252
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433
Verdict:
Suspicious activity
Analysis date:
2023-01-07 00:45:36 UTC
Tags:
installer
Link:
https://app.any.run/tasks/600240ac-cb09-4ade-ba0d-d4ba62857b43

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/350398/
Detection(s):
PUA.Win.Malware.Speedingupmypc-6718419-0
Create hunting rule

Win.Malware.Msilperseus-9807948-0
Create hunting rule

Win.Malware.Ursu-9937395-0
Create hunting rule

PUA.Win.Virus.Rdpwrap-6793227-0
Create hunting rule

PUA.Win.Virus.Rdpwrap-6793229-0
Create hunting rule

SecuriteInfo.com.Trojan.GenericKD.44081008.21193.10752.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Connecting to a non-recommended domain
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file
Creating a file in the %temp% directory
Reading critical registry keys
Moving a recently created file
Creating a process from a recently created file
Creating a window
Searching for the window
Searching for synchronization primitives
Launching a service
Creating a file in the Program Files subdirectories
Launching the process to change the firewall settings
Loading a system driver
Creating a file in the Windows subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware packed rat setupapi.dll shdocvw.dll shell32.dll
Link:
https://www.filescan.io/uploads/63b9178bb9b1c1737520a32e/reports/6a951809-b499-4b97-b37b-c5e58c9ccaeb/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BlackGuard Stealer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/dbbda377-6bc5-480c-8378-95cd18220c20
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1146906
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 779639 Sample: 2qlPnQB9U0.exe Startdate: 07/01/2023 Architecture: WINDOWS Score: 60 42 Snort IDS alert for network traffic 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 8 other signatures 2->48 8 2qlPnQB9U0.exe 18 68 2->8         started        13 2qlPnQB9U0.exe 3 2->13         started        15 2qlPnQB9U0.exe 2 2->15         started        process3 dnsIp4 38 45.15.156.9, 49702, 49706, 49708 RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU Russian Federation 8->38 40 ipwhois.app 195.201.57.90, 443, 49703, 49709 HETZNER-ASDE Germany 8->40 30 C:\Users\user\Desktop\...\SQLite.Interop.dll, PE32 8->30 dropped 32 C:\Users\user\Desktop\...\SQLite.Interop.dll, PE32+ 8->32 dropped 34 C:\Users\user\AppData\Local\Temp\Inst.exe, PE32 8->34 dropped 58 Tries to steal Mail credentials (via file / registry access) 8->58 60 Tries to harvest and steal browser information (history, passwords, etc) 8->60 17 Inst.exe 10 8->17         started        36 C:\Users\user\AppData\...\2qlPnQB9U0.exe.log, CSV 13->36 dropped file5 signatures6 process7 file8 26 C:\Users\user\AppData\Local\...\rdpwrap.dll, PE32+ 17->26 dropped 28 C:\Users\user\AppData\Local\Temp\check.exe, PE32 17->28 dropped 50 Multi AV Scanner detection for dropped file 17->50 52 Machine Learning detection for dropped file 17->52 21 check.exe 2 17->21         started        signatures9 process10 signatures11 54 Antivirus detection for dropped file 21->54 56 Multi AV Scanner detection for dropped file 21->56 24 conhost.exe 21->24         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2023-01-05 20:44:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
50
AV detection:
21 of 40 (52.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=axbjsgs6ukokvgo36iskv4onjnot3ccdaemmn7knddltcmgfiqzq._file
Verdict:
malicious
Similar samples:
0479683ff6d420fc73b1b229615dce2b94d896ca839747e2c7ca94a258b8ccfd
BlackGuard
1166e3200fd3a2a7e448f8129fbebdd7266a85393e8d6596ee6f89653adba1d0
BlackGuard
3bccf05eee144854cca885ab816b75f6ce8135dd35792c6fd4470d4f7dbf9d1e
BlackGuard
430ff29b0c10268ae2db7594fcb18c00241d4481068089f3becf3a7b1b8fb8b0
BlackGuard
533be061fa24c8041cdf7bd850a18090f02e9d96016a954dd4373860106cad40
BlackGuard
5a6f5d425060a2bfc152e1c2673991151e8863354deb3c4febd60ce42a80f35e
BlackGuard
5b97dac5b556f97822f278cd3110dc70ec347bfc624d09d204489b21e554af46
BlackGuard
5f031f346380c107df7bcb2af95a4a9cc23e1446bb2b9986db5f88af8749a400
BlackGuard
a44e7420e441548adddf0d79cc51e46211ebfa7dde08e5c95211eb3f95d0e570
BlackGuard
+ 2'878 additional samples on MalwareBazaar
Result
Malware family:
blackguard
Create hunting rule
Score:
  10/10
Tags:
family:blackguard collection evasion persistence spyware stealer
Link:
https://tria.ge/reports/230107-hqdxeach88/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Modifies WinLogon
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Windows Firewall
Sets DLL path for service in the registry
Sets file execution options in registry
BlackGuard
Malware Config
C2 Extraction:
http://45.15.156.9
Unpacked files
SH256 hash:
05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433
MD5 hash:
4ecc21c7a2aadaf74dfac9e52723d41e
SHA1 hash:
1e39e52aefb0b5c7fa16aaf9c9d870150482a4eb
Link:
https://www.unpac.me/results/89b87591-5c50-455d-a3aa-4e63271e933a/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/05c2991a5ea2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.65
Link:
https://yomi.yoroi.company/submissions/05c2991a5ea29caa99dbf224aaf1cd4b5d3d88430118c6fd4d18d73130c54433

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackGuard_Rule
Create hunting rule
Author:Jiho Kim
Description:Yara rule for BlackGuarad Stealer v1.0 - v3.0
Reference:https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Create hunting rule
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/350398/

Comments