MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 feb090fe2a018ba71f2db302a253998b66f9655a0d83f80db512604093aee9de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BlackGuard


Vendor detections: 13



SHA256 hash: feb090fe2a018ba71f2db302a253998b66f9655a0d83f80db512604093aee9de
SHA3-384 hash: 6c6120f000b925a1a461ae33da012d3ff7e5fa0bcfd4751e30e6c9bfd5d9024155ff2320c0b61def0787c0d1d57635d0
SHA1 hash: a6ba1bfd326034d363f003def9600e4b3f8a3c99
MD5 hash: 146ffe4774086772bb8dc8af417d1bee
humanhash: coffee-hydrogen-tennessee-mississippi
File name: file
Signature: BlackGuard
File size: 7'196'672 bytes
First seen: 2023-01-21 19:23:11 UTC
Last seen: 2023-01-22 12:46:54 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:5iyaKXumYgc4UC0td7fAYMQSlV4AnEjdGS1YVrsk9N8ivyhAdsPSQxNU3r:o5KmgfUCEvyVN8iNISeU7
Threatray 6'226 similar samples on MalwareBazaar
TLSH T1F6760107B39101A8D9A741B891BA6BEBEA703C19531057DF63E02DB95F336D2363E316
TrID 48.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
28.5% (.EXE) InstallShield setup (43053/19/16)
6.9% (.EXE) Win64 Executable (generic) (10523/12/4)
4.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon f0cca2f8dce8c4f0 (1 x RedLineStealer, 1 x AsyncRAT, 1 x BlackGuard)
Reporter andretavare5
Tags:BlackGuard exe
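The entry lists four digests (MD5, SHA1, SHA256 and SHA3-384) for the same file. Before feeding a downloaded copy into a sandbox or a YARA run it is worth confirming that the file on disk is the file the entry describes, with every listed algorithm rather than just MD5. The script below is an added example, not MalwareBazaar's own tooling; it hashes a file once in a single pass, compares the result against the digests copied from this entry, and reports per-algorithm matches so that a partial mismatch (for example a truncated download) is visible. The `digest_path` command-line usage is an assumption for illustration.

```python
import hashlib
import sys

# Digests as listed on this MalwareBazaar entry (copied from the page).
ENTRY_HASHES = {
    "md5": "146ffe4774086772bb8dc8af417d1bee",
    "sha1": "a6ba1bfd326034d363f003def9600e4b3f8a3c99",
    "sha256": "feb090fe2a018ba71f2db302a253998b66f9655a0d83f80db512604093aee9de",
    "sha3_384": "6c6120f000b925a1a461ae33da012d3ff7e5fa0bcfd4751e30e6c9bfd5d9024155ff2320c0b61def0787c0d1d57635d0",
}


def digest_chunks(chunks):
    """Hash an iterable of byte chunks with every algorithm in ENTRY_HASHES
    in one pass over the data, so a 7 MB sample is read from disk once."""
    hashers = {name: hashlib.new(name) for name in ENTRY_HASHES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> dict:
    """Convenience wrapper for data already held in memory."""
    return digest_chunks([data])


def digest_path(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file from disk in chunk_size pieces (default 1 MiB)."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                buf = f.read(chunk_size)
                if not buf:
                    return
                yield buf
    return digest_chunks(chunks())


def compare_to_entry(digests: dict, entry: dict = ENTRY_HASHES) -> dict:
    """Compare computed digests with the entry's, case-insensitively.

    Returns per-algorithm match flags and an overall verdict. Any mismatch
    means the file on disk is not the sample described here (a common cause
    is hashing the password-protected ZIP wrapper instead of its content)."""
    per_algo = {
        name: digests.get(name, "").lower() == expected.lower()
        for name, expected in entry.items()
    }
    return {"per_algorithm": per_algo, "identical": all(per_algo.values())}


if __name__ == "__main__":
    # Assumed usage: python verify_sample.py <extracted sample path>
    verdict = compare_to_entry(digest_path(sys.argv[1]))
    for algo, ok in verdict["per_algorithm"].items():
        print(f"{algo:9s} {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if verdict["identical"] else 1)
```

MalwareBazaar serves samples as a password-protected ZIP archive (password `infected`); hash the extracted file, not the archive, or every algorithm will report a mismatch.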


andretavare5
Sample downloaded from https://vk.com/doc139074685_654736174?hash=IkUs40kVfI74SX8nQIbIOCtYJTUCZxfXIzNJKU8V0bX&dl=GEZTSMBXGQ3DQNI:1674327395:YFb6YVaAzdQiKX49ZNZ29vErxLgROwVjxSaNb9NnGmX&api=1&no_preview=1#build142

Intelligence


File Origin
# of uploads :
19
# of downloads :
248
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-21 19:24:25 UTC
Tags:
installer evasion stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the %temp% directory
Reading critical registry keys
Moving a recently created file
Creating a process from a recently created file
Creating a window
Searching for the window
Searching for synchronization primitives
Launching a service
Creating a file in the Program Files subdirectories
Launching the process to change the firewall settings
Loading a system driver
Running batch commands
Launching a process
Launching the process to interact with network services
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun for a service
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware packed rat setupapi.dll shdocvw.dll shell32.dll
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BlackGuard Stealer
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds a new user with administrator rights
Antivirus detection for dropped file
Contains functionality to hide user accounts
Found many strings related to Crypto-Wallets (likely being stolen)
Hides user accounts
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Behavior Graph ID: 789004
Sample: file.exe
Start date: 21/01/2023
Architecture: WINDOWS
Score: 100
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; .NET source code references suspicious native API functions; 6 other signatures

Process tree (network connections, dropped files and signatures attributed to each process):
file.exe (three instances started, plus 3 other processes)
  instance 1:
    network: ipwhois.app 195.201.57.90, ports 49705, 49722, 49725 (HETZNER-ASDE, Germany)
    network: uchpulumick.shop 107.175.38.71, ports 443, 49696, 49697 (AS-COLOCROSSINGUS, United States)
    dropped: C:\Users\user\Desktop\...\SQLite.Interop.dll (PE32)
    dropped: C:\Users\user\Desktop\...\SQLite.Interop.dll (PE32+)
    dropped: C:\Users\user\AppData\Local\Temp\Inst.exe (PE32)
    signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
    starts: Inst.exe
      dropped: C:\Users\user\AppData\Local\...\rdpwrap.dll (PE32+)
      dropped: C:\Users\user\AppData\...\check_update.exe (PE32)
      dropped: C:\Users\user\AppData\Local\Temp\check.exe (PE32)
      signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
      starts: check_update.exe
        signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
        starts: cmd.exe
          signatures: Uses cmd line tools excessively to alter registry or file data; Adds a directory exclusion to Windows Defender; Adds a new user with administrator rights
          starts: reg.exe (signature: Hides user accounts)
          starts: cmd.exe, which starts WMIC.exe and find.exe
          starts: cmd.exe, which starts WMIC.exe and find.exe
          starts: 13 other processes, among them four net1.exe instances
      starts: check.exe
        dropped: C:\Program Files\RDP Wrapper\rdpwrap.dll (PE32+)
        signatures: Multi AV Scanner detection for dropped file; Uses netsh to modify the Windows network and firewall settings; Modifies the windows firewall
        starts: conhost.exe, netsh.exe
  instance 2:
    dropped: C:\Users\user\AppData\Local\...\file.exe.log (CSV)
Threat name:
ByteCode-MSIL.Trojan.FormBook
Status:
Malicious
First seen:
2023-01-21 19:24:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
26
AV detection:
17 of 26 (65.38%)
Threat level:
  5/5
Result
Malware family:
blackguard
Score:
  10/10
Tags:
family:blackguard collection evasion persistence spyware stealer
Behaviour
Modifies system certificate store
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Views/modifies file attributes
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in System32 directory
Accesses Microsoft Outlook profiles
Adds Run key to start application
Modifies WinLogon
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies Windows Firewall
Sets DLL path for service in the registry
Sets file to hidden
Grants admin privileges
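The behaviour lists above converge on a small set of command-line actions: a new local administrator is created (net.exe / net1.exe), the account is hidden from the logon screen, a Windows Defender exclusion is added, netsh opens the firewall, an RDP Wrapper DLL is placed under Program Files, and a Run key provides persistence. Each of those steps is carried out through a child process (reg.exe, net1.exe, netsh.exe, powershell.exe), so process-creation telemetry is the natural place to detect the chain. The script below is an added example and not part of the sandbox reports on this page: it runs a set of command-line patterns over a constructed process log and scores the session by how many distinct steps of the chain appear. The command lines in `CONSTRUCTED_LOG` are invented for the example (account name, password, firewall rule name and paths are all assumptions); the hidden-account mechanism (`Winlogon\SpecialAccounts\UserList` set to 0) and the RDP Wrapper install mechanism (repointing the `TermService` `ServiceDll` value) are standard Windows behaviour, but the exact invocations this sample uses are not shown on the page.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (not taken from the sandbox reports on
# this page). The order mirrors the chain the sandboxes describe; every
# argument value (account name, password, rule name, paths) is an assumption.
CONSTRUCTED_LOG = [
    r'C:\Windows\System32\cmd.exe /c net user svc_update P@ssw0rd! /add',
    r'C:\Windows\System32\net1.exe localgroup administrators svc_update /add',
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v svc_update /t REG_DWORD /d 0 /f',
    r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Program Files\RDP Wrapper"',
    r'netsh.exe advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389',
    r'reg.exe add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "C:\Program Files\RDP Wrapper\rdpwrap.dll" /f',
    r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v check_update /t REG_SZ /d "C:\Users\user\AppData\check_update.exe" /f',
    r'netsh.exe interface show interface',  # benign enumeration, must not fire
    r'net1.exe user',                       # benign listing, must not fire
]

# One regex per step of the chain. Keys name the step; the comment gives the
# sandbox signature on this page that the step corresponds to.
RULES = {
    # "Adds a new user with administrator rights" / "Runs net.exe"
    "admin_user_added": re.compile(
        r"\bnet1?(?:\.exe)?\s+(?:user\s+\S+(?:\s+\S+)?\s+/add\b"
        r"|localgroup\s+administrators\s+\S+\s+/add\b)", re.I),
    # "Hides user accounts" / "Modifies WinLogon"
    "account_hidden_from_logon": re.compile(
        r"\breg(?:\.exe)?\s+add\s+.*Winlogon\\SpecialAccounts\\UserList.*\s/d\s+0(?:\s|$)", re.I),
    # "Adds a directory exclusion to Windows Defender"
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b"
        r"|\breg(?:\.exe)?\s+add\s+.*Windows Defender\\Exclusions", re.I),
    # "Uses netsh to modify the Windows network and firewall settings"
    "firewall_rule_via_netsh": re.compile(
        r"\bnetsh(?:\.exe)?\s+(?:advfirewall\s+firewall\s+(?:add|set)\s+rule"
        r"|firewall\s+(?:add|set)\s)", re.I),
    # "Sets DLL path for service in the registry" (RDP Wrapper install; assumed form)
    "termservice_dll_replaced": re.compile(
        r"\breg(?:\.exe)?\s+add\s+.*TermService\\Parameters.*\s/v\s+ServiceDll\b", re.I),
    # "Adds Run key to start application"
    "run_key_persistence": re.compile(
        r"\breg(?:\.exe)?\s+add\s+.*CurrentVersion\\Run(?:Once)?\b", re.I),
}


@dataclass(frozen=True)
class Hit:
    rule: str      # key into RULES
    index: int     # position of the record in the scanned log
    command: str   # the matching command line


def scan(commands):
    """Return a Hit for every (record, rule) pair that matches."""
    hits = []
    for i, cmd in enumerate(commands):
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append(Hit(name, i, cmd))
    return hits


def chain_score(hits, threshold: int = 3) -> dict:
    """Heuristic (an assumption, not a vendor scoring model): a session in
    which at least `threshold` distinct steps of the chain fire is reported.
    Any single step can be legitimate administration; the combination is not."""
    fired = sorted({h.rule for h in hits})
    return {"rules_fired": fired, "chain_suspected": len(fired) >= threshold}


if __name__ == "__main__":
    for h in scan(CONSTRUCTED_LOG):
        print(f"[{h.rule}] #{h.index}: {h.command}")
    print(chain_score(scan(CONSTRUCTED_LOG)))
```

The per-step regexes are deliberately narrow (they require `/add`, `/d 0`, an `add rule` verb, and so on) so that enumeration commands such as `net user` or `netsh interface show interface` do not fire; the session-level score is what turns individually ambiguous administrative commands into a detection.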
BlackGuard
Malware Config
C2 Extraction:
https://ipwhois.app/xml/
Unpacked files
SHA256 hash:
feb090fe2a018ba71f2db302a253998b66f9655a0d83f80db512604093aee9de
MD5 hash:
146ffe4774086772bb8dc8af417d1bee
SHA1 hash:
a6ba1bfd326034d363f003def9600e4b3f8a3c99
Malware family:
AgentTesla.v3
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BlackGuard_Rule
Author:Jiho Kim
Description:Yara rule for BlackGuard Stealer v1.0 - v3.0
Reference:https://www.virustotal.com/gui/file/67843d45ba538eca29c63c3259d697f7e2ba84a3da941295b9207cdb01c85b71/detection
Rule name:INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
Author:ditekSHen
Description:Detects executables containing SQL queries to confidential data stores. Observed in infostealers
Rule name:pdb_YARAify
Author:@wowabiy314
Description:PDB
Rule name:pe_imphash
Rule name:RDPWrap
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments