Overview

overview

10

Static

static

10

ac8be183ac...ae.exe

windows7_x64

10

ac8be183ac...ae.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    51s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220331-en
  • submitted
    08-04-2022 08:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ac8be183acf3079cd5475f8c170a98ae.exe

  • Size

    2.9MB

  • MD5

    ac8be183acf3079cd5475f8c170a98ae

  • SHA1

    4eab4aba5e2888496a267f2e755c5fbd29a5c25d

  • SHA256

    c7ad74775251731d6ffc24878658341b5a3b3398a5480ab113f80af42eda32c3

  • SHA512

    d3c80ff0ee04ecf898a0951433bf4e1dba25a214f4b1d902bc8e0a79a1b08bacc6813cd30c40a7a3f6cd10312b49850475f61f2f33886ad2797f25c37cfa54f3

Score
10/10
44caliberorcusoldratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

old

C2

tools.3utilities.com:17650

Mutex

3e72d23ec7f64b6aab470ad129f9a745

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\vcredist\vcredistapp.exe

  • reconnect_delay

    10000

  • registry_keyname

    vcredistappreg

  • taskscheduler_taskname

    vcredistappsch

  • watchdog_path

    Temp\vcredistapp.exe

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/959366883545579581/Z1Be8qUrtXUbCZydkDEnV1VMcMYEDqpAE1fFmNhN26L5vd4nrcJOGi-iQnD-msZc-BJX

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcurs Rat Executable 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ac8be183acf3079cd5475f8c170a98ae.exe
    "C:\Users\Admin\AppData\Local\Temp\ac8be183acf3079cd5475f8c170a98ae.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Users\Admin\AppData\Local\Temp\libchrome.exe
      "C:\Users\Admin\AppData\Local\Temp\libchrome.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\libchrome.exe
    Filesize

    274KB

    MD5

    f0a6137751223c932f77f1807ad0805e

    SHA1

    af5befc8e36c8c062ef96ad57e8e1a1f39a2f675

    SHA256

    2105779b2f3e3f454cea059d25484b9ef423a0318abc7c8cbe04289e393e8697

    SHA512

    c4096757420b11bc3748522202efb0d8ee1ecd09e7b773505a96124a339e40951533432d02dfbc929380f8a15160ed2911018dee56b2af7db4d6d9222e4dee4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\libchrome.exe
    Filesize

    274KB

    MD5

    f0a6137751223c932f77f1807ad0805e

    SHA1

    af5befc8e36c8c062ef96ad57e8e1a1f39a2f675

    SHA256

    2105779b2f3e3f454cea059d25484b9ef423a0318abc7c8cbe04289e393e8697

    SHA512

    c4096757420b11bc3748522202efb0d8ee1ecd09e7b773505a96124a339e40951533432d02dfbc929380f8a15160ed2911018dee56b2af7db4d6d9222e4dee4a

    Download Submit
  • \Users\Admin\AppData\Local\Temp\libchrome.exe
    Filesize

    274KB

    MD5

    f0a6137751223c932f77f1807ad0805e

    SHA1

    af5befc8e36c8c062ef96ad57e8e1a1f39a2f675

    SHA256

    2105779b2f3e3f454cea059d25484b9ef423a0318abc7c8cbe04289e393e8697

    SHA512

    c4096757420b11bc3748522202efb0d8ee1ecd09e7b773505a96124a339e40951533432d02dfbc929380f8a15160ed2911018dee56b2af7db4d6d9222e4dee4a

    Download Submit
  • memory/1152-61-0x0000000000000000-mapping.dmp
    Download
  • memory/1152-64-0x0000000000B40000-0x0000000000B8A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/1152-65-0x000000001B170000-0x000000001B172000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1528-54-0x0000000000A50000-0x0000000000D44000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1528-55-0x00000000004C0000-0x00000000004CE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1528-56-0x0000000004640000-0x000000000469C000-memory.dmp
    Filesize

    368KB

    Download
  • memory/1528-57-0x0000000002270000-0x0000000002282000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1528-58-0x0000000004450000-0x0000000004468000-memory.dmp
    Filesize

    96KB

    Download
  • memory/1528-59-0x0000000004490000-0x00000000044A0000-memory.dmp
    Filesize

    64KB

    Download