MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BlackGuard


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162
SHA3-384 hash: 7366706612fdef215edef74accc8d43d1ddcba816cab785ecb47a66f87fae846dac06ba316d84497e9288b35cab45dd1
SHA1 hash: 030889ffae25d113a8bb4265f4a1b8461f51b1f9
MD5 hash: 6cac397492e6bc73d6392ced2325f115
humanhash: yellow-robin-sierra-skylark
File name:6cac397492e6bc73d6392ced2325f115.exe
Download: download sample
Signature BlackGuard
Create hunting rule
File size:5'848'416 bytes
First seen:2023-07-27 06:37:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (37 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 98304:e55jJI0tISNT/YdeZazBT+2WKYpTFjU/Lr6yPjlCM5Q2F3Bi0+:e5lJI0RZazVCTFjgLrXQMi2F3J+
Threatray 114 similar samples on MalwareBazaar
TLSH T1454633023BF95BB8E31244B097476A7AAAFAE630075841CF6B504F112C759E1AF79B4C
TrID 43.3% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
27.6% (.EXE) Win64 Executable (generic) (10523/12/4)
13.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.3% (.EXE) OS/2 Executable (generic) (2029/13)
5.2% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon 8e33694d69bd4db2 (1 x BlackGuard)
Reporter abuse_ch
Tags:BlackGuard exe signed

Code Signing Certificate

Organisation:w5h3hw345hw35hw5
Issuer:w5h3hw345hw35hw5
Algorithm:sha256WithRSAEncryption
Valid from:2023-07-22T00:00:00Z
Valid to:2025-07-22T00:00:00Z
Serial number: 0882ef2654617d56
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 0bee1c11f2065bb755c4b6b0b5197f231e3b175edcf72f917224c1c5a9597de8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6cac397492e6bc73d6392ced2325f115.exe
Verdict:
Malicious activity
Analysis date:
2023-07-27 06:40:02 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/9a926410-4314-484d-b79f-4d344cb6c47e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/434644/
Detection(s):
Win.Keylogger.Gencbl-9969771-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Unauthorized injection to a recently created process
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
keylogger lolbin overlay packed shell32
Link:
https://www.filescan.io/uploads/64c21094907b8030b17b388b/reports/60e4e8e8-0772-4c84-a014-9a6569f053cc/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/50ce1431-24c0-4e9e-bcfa-4d748e46924d
Result
Threat name:
BlackGuard
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1280857
Signature
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Creates executable files without a name
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Opens network shares
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected BlackGuard
Yara detected Costura Assembly Loader
Yara detected Telegram RAT
Yara detected ZipBomb
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1280857 Sample: 3r3usOVGsa.exe Startdate: 27/07/2023 Architecture: WINDOWS Score: 100 54 ipwhois.app 2->54 70 Found malware configuration 2->70 72 Antivirus detection for dropped file 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 6 other signatures 2->76 10 3r3usOVGsa.exe 8 2->10         started        14 .exe 2->14         started        16 .exe 2->16         started        signatures3 process4 file5 50 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 10->50 dropped 52 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 10->52 dropped 80 Contains functionality to register a low level keyboard hook 10->80 18 cmd.exe 2 10->18         started        signatures6 process7 process8 20 build.exe 14 7 18->20         started        25 7z.exe 2 18->25         started        27 7z.exe 3 18->27         started        29 13 other processes 18->29 dnsIp9 56 194.50.153.136, 49708, 49719, 49731 GAZ-IS-ASRU United Kingdom 20->56 58 ipwhois.app 195.201.57.90, 443, 49709, 49710 HETZNER-ASDE Germany 20->58 46 C:\ProgramData\.exe, PE32 20->46 dropped 78 Creates executable files without a name 20->78 31 .exe 58 20->31         started        36 cmd.exe 20->36         started        48 C:\Users\user\AppData\Local\...\build.exe, PE32 25->48 dropped file10 signatures11 process12 dnsIp13 60 ipwhois.app 31->60 42 C:\Users\user\...\DotNetZip-2b4qirnz.tmp, Zip 31->42 dropped 44 C:\Users\user\AppData\Local\...\Cookies, SQLite 31->44 dropped 62 Antivirus detection for dropped file 31->62 64 Tries to steal Mail credentials (via file / registry access) 31->64 66 Machine Learning detection for dropped file 31->66 68 3 other signatures 31->68 38 conhost.exe 36->38         started        40 timeout.exe 36->40         started        file14 signatures15 process16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-27 03:27:36 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5gdxpfm7bwuewq2g6tmktxwaeuauvxeq7oev53rj63lwlot6afra._file
Verdict:
malicious
Similar samples:
1adae771c3a7056ccc55bb3805a43d8560b8117007403021d9a0799178a38d32
BlackGuard
2767d4128fc88d587b6681fcff44a8694833e95da510eca60750540e42f2e418
BlackGuard
4766063b1078d7f10cf8ba01b2a6116ecccd9a617f1ad2e0912a869d0c42772c
BlackGuard
4c5c389d0f6cbdaf6fd89585559d71a37e061e7678aa1a5391d82657f8890569
BlackGuard
7ca339f9bf73ef302951d7ea7ef6089ab670c82e98837b8c684a2591c611b6fd
BlackGuard
86f5b4f32c68f9337a19363da77d77b6275923da37d2e4144b8f0740620fd3ac
BlackGuard
8a1057cf8e0ae58585534119e5edb46f5de02b2119edf91e77a0b24a045596de
BlackGuard
dd528eb464db46cd69a3a373f5cde4c4e48afb7116fb8e91eea3a1caacc800f5
BlackGuard
+ 104 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
collection persistence spyware stealer
Link:
https://tria.ge/reports/230727-hdh1laab38/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Accesses Microsoft Outlook profiles
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c3215fb9cf5ac0911ae3c9fdf576a233dba6d4c705a17bc182b4c4731d992449
MD5 hash:
9b4eca6c8ee38e598afb590595007b40
SHA1 hash:
f66d0f6a9cd49beb0ecc04bc591ed78309ee8b21
Link:
https://www.unpac.me/results/1e713fae-2189-43e7-832d-7fabbdaefb11/
SH256 hash:
e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162
MD5 hash:
6cac397492e6bc73d6392ced2325f115
SHA1 hash:
030889ffae25d113a8bb4265f4a1b8461f51b1f9
Link:
https://www.unpac.me/results/1e713fae-2189-43e7-832d-7fabbdaefb11/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BlackGuard

Executable exe e98777959f0da84b4346f4d8a9dec025014adc90fb895eee29f6d765ba7e0162

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2690774/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/434644/

Comments