MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33973d9455b047252dfdebb2227d9700c3fdbb7c662af7f26193c6d9ba5c45d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackGuard


Vendor detections: 10


Intelligence 10 IOCs 1 YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 33973d9455b047252dfdebb2227d9700c3fdbb7c662af7f26193c6d9ba5c45d8
SHA3-384 hash: afa640255c9610e54beec2c518ff44c0d30571d13c933205014b4a8e583d1b04533455cf7840784383739de35cf46942
SHA1 hash: 650eaa5067609d1f8bda29b77bbce232ba0c86be
MD5 hash: aa696b8f6900e5820d262ab679be0c11
humanhash: mike-failed-pizza-music
File name:aa696b8f6900e5820d262ab679be0c11.exe
Download: download sample
Signature BlackGuard
Create hunting rule
File size:3'348'992 bytes
First seen:2022-05-06 08:41:18 UTC
Last seen:2022-05-06 09:38:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bc70c4fa605f17c85050b7c7b6d42e44 (15 x njrat, 12 x RedLineStealer, 10 x AgentTesla)
ssdeep 98304:QGu33TjGw8nVBTj60kXogSxbEc1VoGrz:QG83FkV1jbqSxbEcwGP
TLSH T15AF5330702C8E772E6F803F105F4A3631232FE9656AFE58E2A4899C5CCB52555C39B7B
TrID 38.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.5% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.0% (.EXE) Win64 Executable (generic) (10523/12/4)
8.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon f0cca285a0a2ccf0 (1 x BlackGuard)
Reporter abuse_ch
Tags:BlackGuard exe


Avatar
abuse_ch
None C2:
http://45.67.230.199/files/upgrade.php

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
http://45.67.230.199/files/upgrade.php https://threatfox.abuse.ch/ioc/548404/

Intelligence

File Origin
# of uploads :
2
# of downloads :
308
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
aa696b8f6900e5820d262ab679be0c11.exe
Verdict:
Malicious activity
Analysis date:
2022-05-06 08:50:51 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1627c0cf-1b79-461e-a3d6-fc7058fff3ad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/269043/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39608631.19868.19425.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
DNS request
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/16521/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
advpack.dll control.exe packed rundll32.exe setupapi.dll shell32.dll
Link:
https://www.filescan.io/uploads/6274df4ab119a5f609a7cf9a/reports/3b520e6b-ba87-45e0-a002-9555df426822/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/69cb5cfc-6e98-4496-a62d-0d5b1d19fc8e
Result
Threat name:
BlackGuard
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/988985
Signature
.NET source code references suspicious native API functions
Antivirus detection for dropped file
Antivirus detection for URL or domain
Deletes itself after installation
DLL reload attack detected
Drops PE files with a suspicious file extension
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected BlackGuard
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 621482 Sample: 1Wf5uDYTFI.exe Startdate: 06/05/2022 Architecture: WINDOWS Score: 100 76 Antivirus detection for URL or domain 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 Yara detected BlackGuard 2->80 82 2 other signatures 2->82 11 1Wf5uDYTFI.exe 1 5 2->11         started        13 rundll32.exe 2->13         started        process3 process4 15 cmd.exe 1 11->15         started        17 cmd.exe 1 11->17         started        signatures5 20 cmd.exe 2 15->20         started        24 conhost.exe 15->24         started        68 Obfuscated command line found 17->68 70 Uses ping.exe to sleep 17->70 72 Drops PE files with a suspicious file extension 17->72 74 Uses ping.exe to check the status of other devices and networks 17->74 26 conhost.exe 17->26         started        process6 file7 52 C:\Users\user\AppData\...\Difendo.exe.pif, PE32 20->52 dropped 84 Obfuscated command line found 20->84 86 Uses ping.exe to sleep 20->86 28 Difendo.exe.pif 1 20->28         started        33 tasklist.exe 1 20->33         started        35 tasklist.exe 1 20->35         started        37 4 other processes 20->37 signatures8 process9 dnsIp10 66 yOvHnXTbbxegWsnglFjixaYcC.yOvHnXTbbxegWsnglFjixaYcC 28->66 60 C:\Users\user\AppData\Local\...\wOhWayld.dll, PE32 28->60 dropped 96 DLL reload attack detected 28->96 98 Deletes itself after installation 28->98 39 jsc.exe 15 7 28->39         started        file11 signatures12 process13 dnsIp14 62 45.67.230.199, 49796, 49817, 49822 WEBHOST1-ASRU Moldova Republic of 39->62 54 C:\Users\user\AppData\Local\...\putty.exe, PE32 39->54 dropped 43 putty.exe 14 41 39->43         started        file15 process16 dnsIp17 64 ipwhois.app 136.243.172.101, 443, 49800, 49803 HETZNER-ASDE Germany 43->64 56 C:\Users\user\AppData\...\SQLite.Interop.dll, PE32 43->56 dropped 58 C:\Users\user\AppData\...\SQLite.Interop.dll, PE32+ 43->58 dropped 88 Antivirus detection for dropped file 43->88 90 Tries to steal Mail credentials (via file / registry access) 43->90 92 Machine Learning detection for dropped file 43->92 94 Tries to harvest and steal browser information (history, passwords, etc) 43->94 48 chrome.exe 43->48         started        50 chrome.exe 43->50         started        file18 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/33973d9455b047252dfdebb2227d9700c3fdbb7c662af7f26193c6d9ba5c45d8/
Threat name:
Win32.Spyware.Blackguard
Create hunting rule
Status:
Malicious
First seen:
2022-05-03 00:55:22 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
14 of 25 (56.00%)
Threat level:
  2/5
Verdict:
malicious
Result
Malware family:
n/a
Score:
  10/10
Tags:
collection persistence spyware stealer suricata
Link:
https://tria.ge/reports/220506-kl1lqahfe5/
Behaviour
Enumerates processes with tasklist
Enumerates system info in registry
Modifies registry class
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Downloads MZ/PE file
Executes dropped EXE
suricata: ET MALWARE BlackGuard_v2 Data Exfiltration Observed
suricata: ET MALWARE MSIL/BlackGuard Stealer Exfil Activity
Unpacked files
SH256 hash:
acbc5dd80233eab111edbedcba2d301be5be72b47cdd0d659c0adf064d3a6924
MD5 hash:
494788a40dcd5f2b0048552c2f86e285
SHA1 hash:
df96cb33c7aaa2f7dcd1b1d417150f879d5d6929
Link:
https://www.unpac.me/results/eaf0a26f-862a-48da-bfc3-e7e0c0cf4c50/
SH256 hash:
33973d9455b047252dfdebb2227d9700c3fdbb7c662af7f26193c6d9ba5c45d8
MD5 hash:
aa696b8f6900e5820d262ab679be0c11
SHA1 hash:
650eaa5067609d1f8bda29b77bbce232ba0c86be
Link:
https://www.unpac.me/results/eaf0a26f-862a-48da-bfc3-e7e0c0cf4c50/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/33973d9455b0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/33973d9455b047252dfdebb2227d9700c3fdbb7c662af7f26193c6d9ba5c45d8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/269043/

Comments