Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
131s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
14/03/2022, 14:23 UTC
General
-
Target
Neon — копия (8).exe
-
Size
274KB
-
MD5
6d9153402403207366b080ff8154fe03
-
SHA1
69c7ed7b664cecd5a721677588f0904d381a4a49
-
SHA256
d7450131c835b2df9dcea263bf7f73d03238698a63b6a6fe9faa35ea59439731
-
SHA512
1e1704138ec5a8065afcedf78c3225a0ce2ee6c33459f52933c9b447eab18ae9eb457a6bf207b4afbfa7790af2788beee3f3b431cafcb2bc3a5a4f4ab224a952
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/952308393677291551/Kwqtw7eOhhDiE0L0w2X3Hwo9TDPq265Rqw2_8lcfVw_arvjLeTNzn4AG-J-I4NctgVFh
Signatures
-
44Caliber
An open source infostealer written in C#.
-
Detected executables Discord URL observed in first stage droppers 1 IoCs
DISCORD URLS.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Neon — копия (8).exe"C:\Users\Admin\AppData\Local\Temp\Neon — копия (8).exe"1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
-
DNSfreegeoip.appRemote address:8.8.8.8:53Requestfreegeoip.appIN AResponsefreegeoip.appIN A188.114.97.0freegeoip.appIN A188.114.96.0 -
GEThttps://freegeoip.app/xml/Remote address:188.114.97.0:443RequestGET /xml/ HTTP/1.1
Host: freegeoip.app
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Date: Mon, 14 Mar 2022 14:35:18 GMT
Content-Type: application/xml
Content-Length: 334
Connection: keep-alive
RateLimit-Limit: 1200
RateLimit-Remaining: 1136
RateLimit-Reset: 1482
X-RateLimit-Limit-Hour: 1200
X-RateLimit-Remaining-Hour: 1136
Vary: Origin
vary: Origin
X-Database-Date: Thu, 24 Feb 2022 15:28:15 GMT
Access-Control-Allow-Origin: *
X-Kong-Upstream-Latency: 1
X-Kong-Proxy-Latency: 1
Via: kong/2.5.1
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lL5NHKvR9HFEU%2FoIaFeLHxKQMqO83ehpmmnZfVBNP%2FLzgPf9SwP6yNylvuqCQkwthJ8Hl20fOLsL02Hb8pi%2BNQKfGnwHHi48r0UDyt3MvjfRX%2B9L46d8iFCQBThxQ%2BOe"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6ebdbc30cc3a4c49-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
-
DNS15.89.54.20.in-addr.arpaRemote address:8.8.8.8:53Request15.89.54.20.in-addr.arpaIN PTRResponse
-
DNS9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpaRemote address:8.8.8.8:53Request9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpaIN PTRResponse
-
188.114.97.0:443https://freegeoip.app/xml/tls, http
HTTP Request
GET https://freegeoip.app/xml/HTTP Response
200 -
8.248.5.254:80 -
8.248.5.254:80
-
8.8.8.8:53freegeoip.appdns
DNS Request
freegeoip.app
DNS Response
188.114.97.0188.114.96.0
-
8.8.8.8:5315.89.54.20.in-addr.arpadns
DNS Request
15.89.54.20.in-addr.arpa
-
8.8.8.8:539.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpadns
DNS Request
9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
296KB
-
Filesize
8KB
-
Filesize
10.8MB