Analysis
-
max time kernel
4294180s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20220311-en -
submitted
14-03-2022 20:45
Static task
static1
Behavioral task
behavioral1
Sample
inside3.exe
Resource
win7-20220311-en
General
-
Target
inside3.exe
-
Size
282KB
-
MD5
0238e5a4b41c4dcff77e8b01e88bed22
-
SHA1
9c265d639104a538f708d5aaef6fcb9b61a8048f
-
SHA256
a63d0da5401d3f5d28a9e8ac8c6a6fe7ba7eb7b1e1e60d1ec47a3eb7dd079808
-
SHA512
4add1b607fdfd4159745a7ed1fb02543ce210b9e36996ea404c05fc491bce2471c452cbf0aad3de0b1f1f563ca23f843ef77d9d85ffc6828b6924c4fa34b4bac
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/943188844625428520/64LwO5Gsh0pUZCcm80BNwTcVPihRnEmr1rZOPj02k6T5sRc5Lq4sdaB2KyttNgJHeX3T
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 freegeoip.app 5 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
inside3.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 inside3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier inside3.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
inside3.exepid process 1816 inside3.exe 1816 inside3.exe 1816 inside3.exe 1816 inside3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
inside3.exedescription pid process Token: SeDebugPrivilege 1816 inside3.exe