Analysis

  • max time kernel
    4294181s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20220223-en
  • submitted
    01-03-2022 18:14

General

  • Target

    f4e2d60c89b54fb08cc1c076c24ddc32eb9c76edd755d0482393ece4ec7cc88c.exe

  • Size

    274KB

  • MD5

    12f3e4333d55b5d594b92ce287f07cba

  • SHA1

    cd61c5c8d69eae04e6664fc73de00b321cd6e0ad

  • SHA256

    f4e2d60c89b54fb08cc1c076c24ddc32eb9c76edd755d0482393ece4ec7cc88c

  • SHA512

    db636c9840e7848c42c848378bd67f7b709ec8ed23054e52b91c1a83a87016fd6aa13a88d2255d3f7513f339cd47caca9b7b3539164d0d5c0c8599862d7a6417

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/944694495864324096/JxSzUctA9w9IsAKny1lOVf3Zmy8rRcGtIlJwQG2L-mP1ThdvUPHl6Hed3NdVLXwrPJ4m

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4e2d60c89b54fb08cc1c076c24ddc32eb9c76edd755d0482393ece4ec7cc88c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f4e2d60c89b54fb08cc1c076c24ddc32eb9c76edd755d0482393ece4ec7cc88c.exe"
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID: 756

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/756-54-0x0000000000F80000-0x0000000000FCA000-memory.dmp

    Filesize

    296KB

  • memory/756-55-0x000007FEF4CD3000-0x000007FEF4CD4000-memory.dmp

    Filesize

    4KB

  • memory/756-56-0x000000001B150000-0x000000001B152000-memory.dmp

    Filesize

    8KB