Analysis

- max time kernel: 51s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20220331-en
- submitted: 08-04-2022 08:54

Behavioral task: behavioral1
- Sample: ac8be183acf3079cd5475f8c170a98ae.exe
- Resource: win7-20220331-en
General

- Target: ac8be183acf3079cd5475f8c170a98ae.exe
- Size: 2.9MB
- MD5: ac8be183acf3079cd5475f8c170a98ae
- SHA1: 4eab4aba5e2888496a267f2e755c5fbd29a5c25d
- SHA256: c7ad74775251731d6ffc24878658341b5a3b3398a5480ab113f80af42eda32c3
- SHA512: d3c80ff0ee04ecf898a0951433bf4e1dba25a214f4b1d902bc8e0a79a1b08bacc6813cd30c40a7a3f6cd10312b49850475f61f2f33886ad2797f25c37cfa54f3
Malware Config

Extracted: orcus
- old
- C2: tools.3utilities.com:17650
- 3e72d23ec7f64b6aab470ad129f9a745
- autostart_method: TaskScheduler
- enable_keylogger: false
- install_path: %programfiles%\vcredist\vcredistapp.exe
- reconnect_delay: 10000
- registry_keyname: vcredistappreg
- taskscheduler_taskname: vcredistappsch
- watchdog_path: Temp\vcredistapp.exe

The install path and the scheduled-task and registry names are chosen to look like a Visual C++ redistributable component; the watchdog path is relative (Temp\vcredistapp.exe), so the on-disk location depends on the directory the implant resolves it against. The C2 host is a dynamic-DNS name, so the resolved IP can change between runs; hunt on the hostname and port, not on an IP.

Extracted: 44caliber
- Discord webhook (exfiltration endpoint): https://discord.com/api/webhooks/959366883545579581/Z1Be8qUrtXUbCZydkDEnV1VMcMYEDqpAE1fFmNhN26L5vd4nrcJOGi-iQnD-msZc-BJX
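The extracted configuration is only useful if it is turned into something an analyst can run against endpoint and network telemetry. The script below is an added example, not part of the Triage report and not code from Orcus or 44Caliber: it converts the config values shown above into host and network indicators, expands %programfiles% with assumed default Windows values, and matches the indicators against a constructed set of Sysmon-like event records (the record field names are an assumed schema, and the sample events are made up for illustration; registry_keyname is assumed to be used as a Run-key value name when the registry autostart method is in use).

```python
import re
from dataclasses import dataclass

# Values exactly as reported in the "Malware Config" section above.
ORCUS_CONFIG = {
    "c2": "tools.3utilities.com:17650",
    "autostart_method": "TaskScheduler",
    "install_path": r"%programfiles%\vcredist\vcredistapp.exe",
    "registry_keyname": "vcredistappreg",
    "taskscheduler_taskname": "vcredistappsch",
    "watchdog_path": r"Temp\vcredistapp.exe",
}
CALIBER_WEBHOOK = ("https://discord.com/api/webhooks/959366883545579581/"
                   "Z1Be8qUrtXUbCZydkDEnV1VMcMYEDqpAE1fFmNhN26L5vd4nrcJOGi-iQnD-msZc-BJX")

# Assumed default expansions; the implant expands %programfiles% on the victim,
# so a 32-bit build on 64-bit Windows may land under Program Files (x86) instead.
ENV_DEFAULTS = {"programfiles": r"C:\Program Files",
                "programfiles(x86)": r"C:\Program Files (x86)"}


def expand_win_env(path, env=ENV_DEFAULTS):
    """Expand %VAR% tokens case-insensitively; unknown tokens are left intact."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def norm_path(p):
    """Windows paths compare case-insensitively with either separator."""
    return p.replace("/", "\\").lower()


@dataclass(frozen=True)
class Indicator:
    kind: str    # file | task | registry | domain | port | url
    value: str
    source: str  # config key the indicator was derived from


def indicators_from_config(cfg=ORCUS_CONFIG, webhook=CALIBER_WEBHOOK):
    host, _, port = cfg["c2"].rpartition(":")
    return [
        Indicator("file", expand_win_env(cfg["install_path"]), "install_path"),
        Indicator("file", cfg["watchdog_path"], "watchdog_path"),
        Indicator("task", cfg["taskscheduler_taskname"], "taskscheduler_taskname"),
        Indicator("registry", cfg["registry_keyname"], "registry_keyname"),  # assumed Run-key value name
        Indicator("domain", host, "c2"),
        Indicator("port", port, "c2"),
        Indicator("url", webhook, "44caliber"),
    ]


def _match(ind, rec):
    """One matcher per (indicator kind, record type); assumed Sysmon-like field names."""
    k, t = ind.kind, rec["type"]
    if k == "file" and t == "file_create":
        # suffix match so a relative watchdog path still hits wherever it is resolved
        return norm_path(rec["path"]).endswith(norm_path(ind.value))
    if k == "task" and t == "task_create":
        return rec["task_name"].lower() == ind.value.lower()
    if k == "registry" and t == "reg_set":
        return rec["value_name"].lower() == ind.value.lower()
    if k == "domain" and t == "dns":
        return rec["query"].lower() == ind.value.lower()
    if k == "port" and t == "net_connect":
        return str(rec["dst_port"]) == ind.value
    if k == "url" and t == "http":
        return rec["url"] == ind.value
    return False


def hunt(records, indicators=None):
    """Return (indicator, record) pairs for every record that matches an indicator."""
    indicators = indicators or indicators_from_config()
    return [(ind, rec) for rec in records for ind in indicators if _match(ind, rec)]


# Constructed telemetry: three true hits, one benign vcredist installer, one benign task.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "ws01",
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\ac8be183acf3079cd5475f8c170a98ae.exe",
     "path": "C:\\Program Files\\vcredist\\vcredistapp.exe"},
    {"type": "task_create", "host": "ws01", "task_name": "VCRedistAppSch"},
    {"type": "dns", "host": "ws01", "query": "tools.3utilities.com"},
    {"type": "file_create", "host": "ws01", "image": "msiexec.exe",
     "path": "C:\\Program Files\\Microsoft Visual Studio\\vcredist_x64.exe"},
    {"type": "task_create", "host": "ws02", "task_name": "GoogleUpdateTaskMachine"},
]

if __name__ == "__main__":
    for ind, rec in hunt(SAMPLE_EVENTS):
        print(f"{rec['host']}: {ind.kind} indicator from {ind.source} matched {rec}")
```

The suffix match on file paths is deliberate: the report gives the watchdog path only as Temp\vcredistapp.exe, so an exact-path rule would miss it wherever the implant actually resolves that directory. The port indicator is matched on its own because the dynamic-DNS hostname may resolve to a different address on each run.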
Signatures

- Orcus RAT executable (1 IoC)
  YARA rule "orcus" matched the memory region 0x00A50000-0x00D44000 of PID 1528 (behavioral1/memory/1528-54-0x0000000000A50000-0x0000000000D44000-memory.dmp).
- Executes dropped EXE (1 IoC)
  PID 1152 libchrome.exe
- Loads dropped DLL (1 IoC)
  PID 1528 ac8be183acf3079cd5475f8c170a98ae.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows 129 and 130: freegeoip.app
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but no encryption activity is reported for this sample; taken together with the FTP, browser and wallet reads above, it is more consistent with a stealer enumerating drives for files to collect.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  libchrome.exe: key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0
  libchrome.exe: value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1152 libchrome.exe (4 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege enabled by PID 1528 ac8be183acf3079cd5475f8c170a98ae.exe
  Token SeDebugPrivilege enabled by PID 1152 libchrome.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1528 ac8be183acf3079cd5475f8c170a98ae.exe wrote to the memory of PID 1152 libchrome.exe (4 occurrences)
Processes

- C:\Users\Admin\AppData\Local\Temp\ac8be183acf3079cd5475f8c170a98ae.exe (PID 1528, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac8be183acf3079cd5475f8c170a98ae.exe"
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\libchrome.exe (PID 1152, level 2, child of PID 1528)
    Command line: "C:\Users\Admin\AppData\Local\Temp\libchrome.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

File (listed three times in the report, with identical hashes each time)
- Filesize: 274KB
- MD5: f0a6137751223c932f77f1807ad0805e
- SHA1: af5befc8e36c8c062ef96ad57e8e1a1f39a2f675
- SHA256: 2105779b2f3e3f454cea059d25484b9ef423a0318abc7c8cbe04289e393e8697
- SHA512: c4096757420b11bc3748522202efb0d8ee1ecd09e7b773505a96124a339e40951533432d02dfbc929380f8a15160ed2911018dee56b2af7db4d6d9222e4dee4a