MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c5a8e9820b549a70a353997bbce4fe16956dbab22dedde2f358f0f10930cf44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackGuard


Vendor detections: 8


Intelligence 8 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3c5a8e9820b549a70a353997bbce4fe16956dbab22dedde2f358f0f10930cf44
SHA3-384 hash: 6d52bc036e1f59dfa6073f6696fef61b22a065fbd65390708baf0481cec159da88b23396a3e91d0cccfb2a960d1d7fe2
SHA1 hash: 708700eed0aecab74a4198dd59ffc49fb81d4523
MD5 hash: ae84bf01058b29c178ae724df445c0c8
humanhash: asparagus-florida-mirror-blue
File name:bilds.exe
Download: download sample
Signature BlackGuard
Create hunting rule
File size:641'536 bytes
First seen:2022-03-06 12:28:26 UTC
Last seen:2022-03-06 14:43:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:loL6hD2x/HAWbR2zS4sisO1A83u2BSDoCqKc8:Y6uHAW92zt/sWu2BSMCqD8
Threatray 262 similar samples on MalwareBazaar
TLSH T112D48B0E25CD3104F37AD67E43C6413D036372D2803B9E27E6BDAA578BC36946B9179A
File icon (PE):PE icon
dhash icon 88aab2cccccc7170 (5 x BlackGuard)
Reporter 3xp0rtblog
Tags:BlackGuard exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
493
Origin country :
n/a
Vendor Threat Intelligence
Detection:
PredatorTheThief
Create hunting rule
Link:
https://www.capesandbox.com/analysis/247668/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.1643.19.29812.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
DNS request
Creating a file in the %temp% directory
Reading critical registry keys
Creating a file
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Moving a recently created file
Stealing user critical data
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8c13881-2b16-4b2e-8493-95bd85853a67
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/951408
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Telegram RAT
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3c5a8e9820b549a70a353997bbce4fe16956dbab22dedde2f358f0f10930cf44/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2022-03-06 01:41:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
20 of 27 (74.07%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
18db274624914ee6388bda20233db28307be4873bc053e05ad8f6761b217136f
BlackGuard
216c960ac6ef399e7ff33b18c03777237ced76d59ce0f8bb4d5f9a22e85b3bd8
BlackGuard
26ebf8a0830652c9ea0de64dc0dca6d62caffc0aaa34abf43e7c410095c502ce
BlackGuard
52bd68ea60e7171ed2413cd5292b74ac9872928a1a723405fb73ad57419c5bc6
BlackGuard
698e4beeba26363e632cbbb833fc8000cf85ab5449627bf0edc8203f05a64fa1
BlackGuard
76b90299713b5d4ffd3c92b2cd66b3de68148c3133f927dfa385b075fd00d5b1
BlackGuard
877f6bcd0f2061c42367abe8ab4fd83e4f151783466f6791399c3f7133af07f9
BlackGuard
bac6c21248d28323222b888c176062e52ec0f486c7238e9d68ac60cb31e24207
BlackGuard
eeb0c6a760a7c9d17c02dbacf4f4715917caf3d111209ce29b67b366dc8b9dd9
BlackGuard
f2d25cb96d3411e4696f8f5401cb8f1af0d83bf3c6b69f511f1a694b1a86b74d
BlackGuard
+ 252 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Link:
https://tria.ge/reports/220306-pnw4jaccal/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
98997c39955ffb5fb514500764e26ba05e9cbf7394c38c4a77751b8be9f257f9
MD5 hash:
e54bd91fc3aad28880838d8255886b61
SHA1 hash:
43d835c8309593d4c1aeea09e120eee0d97d9654
Link:
https://www.unpac.me/results/53b100eb-e65b-4452-a032-146db2f898de/
SH256 hash:
3c5a8e9820b549a70a353997bbce4fe16956dbab22dedde2f358f0f10930cf44
MD5 hash:
ae84bf01058b29c178ae724df445c0c8
SHA1 hash:
708700eed0aecab74a4198dd59ffc49fb81d4523
Link:
https://www.unpac.me/results/53b100eb-e65b-4452-a032-146db2f898de/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3c5a8e9820b549a70a353997bbce4fe16956dbab22dedde2f358f0f10930cf44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:grakate_stealer_nov_2021
Create hunting rule
Rule name:INDICATOR_EXE_Packed_Fody
Create hunting rule
Author:ditekSHen
Description:Detects executables manipulated with Fody
Rule name:INDICATOR_SUSPICIOUS_EXE_Discord_Regex
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing Discord tokens regular expressions
Rule name:INDICATOR_SUSPICIOUS_EXE_Embedded_Gzip_B64Encoded_File
Create hunting rule
Author:ditekSHen
Description:Detects executables containing bas64 encoded gzip files
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/3xp0rtblog/status/1500119223812730884
Cape
Cape
https://www.capesandbox.com/analysis/247668/

Comments