Manuel Statik Analiz — BlackGuard / UnixStealer | Tehdit: KRITIK
文件 Kimliği
| SHA256 | 0d6f87aa18262050daa0eabad676c549459b8e8722a3e5f1c4b9d2e7f0a6b3c8 |
|---|---|
| 文件名 | Build.exe |
| 大小 | 303.617 byte |
| String Sayisi | 3.520 |
Geliştirici PDB İzi
C:\Users\brtig\OneDrive\Desktop\Src\UnixStealer\UnixStealer\obj\Release\UnixStealer.pdb -- Kullanici adi: brtig -- Proje adi: UnixStealer (Windows malware icin yaniltici isim)
Telegram C2 -- DOGRULANMIS
https://api.telegram.org/bot[TOKEN]/sendMessage -- Bot token + sendMessage = Telegram bot C2!
Diger IOC
http://ip-api.com/line/ -- GeoIP konum tespiti https://api.vimeworld.ru/user/ -- Rus Minecraft API (C2 olabilir) bhf.io -- Rus siber suc forumu referansi GrabCookies -- Cerez hırsızlığı modulu UnixStealer.Edge / EdgePath -- Edge tarayici hedefi
IOC
| SHA256 | 0d6f87aa18262050daa0eabad676c549459b8e8722a3e5f1c4b9d2e7f0a6b3c8 |
|---|---|
| C2 | Telegram Bot (api.telegram.org) |
| PDB | brtig / UnixStealer |
BlackGuard — 恶意软件档案
BlackGuard .NET MaaS stealer 2022. $200/ay. 22+ kripto cuzdani. Rus dark web.
恶意软件类型
Infostealer
编程语言
C#/.NET
C2协议
HTTP
目标系统
Windows
技术细节
.NET, HTTPS C2 (Telegram/Discord C2 dead drop da destekli), browser stealer, kripto wallet stealer, VPN/FTP stealer, Discord/Steam token, USB propagation, clipper, screenshot
能力与行为
Tarayıcı Kimlik Bilgileri
Çerez Hırsızlığı
Kripto Cüzdan Çalma
Sistem Bilgisi
Ekran Görüntüsü
FTP/SSH İstemci Şifreleri
E-posta İstemcisi Çalma
Veri Sızıntısı
IOC列表 (1 个指标)
IOC — BlackGuard
# SHA256
0d6f87aa18262050daa0eabad676c549459b8e8722a3e5f1c4b9d2e7f0a6b3c8
| 类型 | 值 | 备注 |
|---|---|---|
| sha256 | 0d6f87aa18262050daa0eabad676c549459b8e8722a3e5f1c4b9d2e7f0a6b3c8 |
C2服务器 (该家族共有 2 台已记录服务器)
| 地址 | 类型 | 端口 | 协议 | 状态 | 国家 |
|---|---|---|---|---|---|
| blackguard.shop | domain | 443 | HTTPS | active | — |
| 5.182.86.125 | ip | 1337 | TCP | inactive | RU |
C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。