Overview

overview

10

Static

static

86523374.exe

windows7_x64

10

86523374.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    86523374.exe

  • Size

    5.2MB

  • Sample

    220320-fzvv6sheb3

  • MD5

    23c2521d2d7f41cdc515db9c7a7d6dcb

  • SHA1

    ba422cc6f49b1639d35d61ea9ddec24149649929

  • SHA256

    e2d81a70b783df979b49f9caf84b20076533e37068b2db60e6d589eec5bacee4

  • SHA512

    486ce40687b16f67d8f1473ecc31aadd979fff43bc836b48d502efcf5eb91e1de60f3e47c0e1df0592b17bf7992016c13534fdd2c5afb2b3f1f4482262340bfa

Score
10/10
44caliberxmrigevasionminerpersistencespywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/934716186313240606/NIuB64dK4IPafrX9FRy2wNNRrBnOxvdLjio6Ou2fEKxC9HrdYgZQcnvkOx-a4O9pNzdW

Targets

    • Target

      86523374.exe

    • Size

      5.2MB

    • MD5

      23c2521d2d7f41cdc515db9c7a7d6dcb

    • SHA1

      ba422cc6f49b1639d35d61ea9ddec24149649929

    • SHA256

      e2d81a70b783df979b49f9caf84b20076533e37068b2db60e6d589eec5bacee4

    • SHA512

      486ce40687b16f67d8f1473ecc31aadd979fff43bc836b48d502efcf5eb91e1de60f3e47c0e1df0592b17bf7992016c13534fdd2c5afb2b3f1f4482262340bfa

    Score
    10/10
    44caliberxmrigevasionminerpersistencespywarestealer

    • 44Caliber

      An open source infostealer written in C#.

      stealer44caliber

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner Payload

      miner

    • Executes dropped EXE

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Tasks