Overview

overview

10

Static

static

10

Neon — �...6).exe

windows7_x64

10

Neon — �...6).exe

windows10-2004_x64

10

Neon — �...7).exe

windows7_x64

10

Neon — �...7).exe

windows10-2004_x64

10

Neon — �...8).exe

windows7_x64

10

Neon — �...8).exe

windows10-2004_x64

10

Neon — �...9).exe

windows7_x64

10

Neon — �...9).exe

windows10-2004_x64

10

Neon — �...2).exe

windows7_x64

10

Neon — �...2).exe

windows10-2004_x64

10

Neon — �...0).exe

windows7_x64

10

Neon — �...0).exe

windows10-2004_x64

10

Neon — �...1).exe

windows7_x64

10

Neon — �...1).exe

windows10-2004_x64

10

Neon — �...2).exe

windows7_x64

10

Neon — �...2).exe

windows10-2004_x64

10

Neon — �...3).exe

windows7_x64

10

Neon — �...3).exe

windows10-2004_x64

10

Neon — �...4).exe

windows7_x64

10

Neon — �...4).exe

windows10-2004_x64

10

Neon — �...5).exe

windows7_x64

10

Neon — �...5).exe

windows10-2004_x64

10

Neon — �...6).exe

windows7_x64

10

Neon — �...6).exe

windows10-2004_x64

10

Neon — �...7).exe

windows7_x64

10

Neon — �...7).exe

windows10-2004_x64

10

Neon — �...8).exe

windows7_x64

10

Neon — �...8).exe

windows10-2004_x64

10

Neon — �...9).exe

windows7_x64

10

Neon — �...9).exe

windows10-2004_x64

10

Neon — �...я.exe

windows7_x64

10

Neon — �...я.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    169s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    14-03-2022 14:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Neon — копия (9).exe

  • Size

    274KB

  • MD5

    6d9153402403207366b080ff8154fe03

  • SHA1

    69c7ed7b664cecd5a721677588f0904d381a4a49

  • SHA256

    d7450131c835b2df9dcea263bf7f73d03238698a63b6a6fe9faa35ea59439731

  • SHA512

    1e1704138ec5a8065afcedf78c3225a0ce2ee6c33459f52933c9b447eab18ae9eb457a6bf207b4afbfa7790af2788beee3f3b431cafcb2bc3a5a4f4ab224a952

Score
10/10
44caliberdiscordurlsspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/952308393677291551/Kwqtw7eOhhDiE0L0w2X3Hwo9TDPq265Rqw2_8lcfVw_arvjLeTNzn4AG-J-I4NctgVFh

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detected executables Discord URL observed in first stage droppers 1 IoCs

    DISCORD URLS.

    discordurls
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Neon — копия (9).exe
    "C:\Users\Admin\AppData\Local\Temp\Neon — копия (9).exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1720
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
    1⤵
    • Modifies data under HKEY_USERS
    PID:980

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1720-134-0x000002D2ED9D0000-0x000002D2EDA1A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1720-136-0x000002D2F09B0000-0x000002D2F09B2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1720-135-0x00007FFCEA880000-0x00007FFCEB341000-memory.dmp

    Filesize

    10.8MB

    Download