44caliber | d0a927970e230756281222c063f1a06b4637623794a26843381e4de3df3c277f | Triage

Submit
Reports

Overview

overview

Static

static

D0A927970E...26.exe

windows7_x64

D0A927970E...26.exe

windows10-2004_x64

Sharing

General

Target

D0A927970E230756281222C063F1A06B4637623794A26.exe
Size

10.5MB
Sample

220417-nc45bshbf9
MD5

9e63a0aa4f26539beeccb7180568fc4e
SHA1

649f49bfa20647858a8073a9416648b76773cfc5
SHA256

d0a927970e230756281222c063f1a06b4637623794a26843381e4de3df3c277f
SHA512

a3acd7ec1400ccc482239440450ef8df6719dd29ce6290b9f47764030a4e5b47ceb97ce74c71bb156409848e85ceaa38069d2d4113f4043883ae0a28053a546b

Score

10^/10

44caliber njrat soryman evasion persistence pyinstaller stealer trojan

Static task

static1

pyinstaller 44caliber

Behavioral task

behavioral1

Sample

D0A927970E230756281222C063F1A06B4637623794A26.exe

Resource

win7-20220414-en

44caliber njrat soryman evasion persistence stealer trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

D0A927970E230756281222C063F1A06B4637623794A26.exe

Resource

win10v2004-20220414-en

44caliber njrat soryman evasion persistence stealer trojan

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

SoryMan

C2

us-west-11608.packetriot.net:22794

Mutex

9dc6936092ebce7762ab0f2981bc4ba4

Attributes

reg_key
9dc6936092ebce7762ab0f2981bc4ba4
splitter
@!#&^%$

Targets

- Target
  
  D0A927970E230756281222C063F1A06B4637623794A26.exe
- Size
  
  10.5MB
- MD5
  
  9e63a0aa4f26539beeccb7180568fc4e
- SHA1
  
  649f49bfa20647858a8073a9416648b76773cfc5
- SHA256
  
  d0a927970e230756281222c063f1a06b4637623794a26843381e4de3df3c277f
- SHA512
  
  a3acd7ec1400ccc482239440450ef8df6719dd29ce6290b9f47764030a4e5b47ceb97ce74c71bb156409848e85ceaa38069d2d4113f4043883ae0a28053a546b
Score

10^/10

44caliber njrat soryman evasion persistence stealer trojan
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- Contains code to disable Windows Defender
  A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- njRAT/Bladabindi
  Widely used RAT written in .NET.
  trojan njrat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

pyinstaller44caliber

behavioral1

44calibernjratsorymanevasionpersistencestealertrojan

behavioral2

44calibernjratsorymanevasionpersistencestealertrojan

© 2018-2024

Terms | Privacy