Overview

overview

10

Static

static

cheat-engi...04.exe

windows7_x64

10

cheat-engi...04.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    19-05-2022 16:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cheat-engine-7-404.exe

  • Size

    3.0MB

  • MD5

    cdc4636a35c109b43f2898e13e8dc666

  • SHA1

    1c0807042275593c79da97799153b72929dfb2d8

  • SHA256

    347899570bba1cbaa4fe9149d71b7e2e07ea2d930d1bcb9e5762b242dd017887

  • SHA512

    9498fd4c2fc65ae0b1294f4d37f6a0df50d92ffd9709f79ffd9606add19962c7493f68dc7f279e398fecf68d2b57f0f87db5f4d2e7df3f31364cce26dbd0e4ef

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/973294177112686612/4QUQSbqvdZZd-DqEn3jQ1gWfu67yolKc4k1__wufBB-BWQv0dBmUKe8-IpUD-6DotJiV

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-404.exe
    "C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-404.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-4.exe
      "C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-4.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:820
      • C:\Users\Admin\AppData\Local\Temp\is-P0A5G.tmp\cheat-engine-7-4.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-P0A5G.tmp\cheat-engine-7-4.tmp" /SL5="$1301D0,2408085,845312,C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-4.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:964
    • C:\Users\Admin\AppData\Local\Temp\blackangus.exe
      "C:\Users\Admin\AppData\Local\Temp\blackangus.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2192

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\blackangus.exe
    Filesize

    275KB

    MD5

    f77897f8a1db43161bcd5bfe7660fe6e

    SHA1

    b1e7142f586de5a48adcd3a132053e6fc0258bf4

    SHA256

    067205b69d3c39c5553c45fe92408b0b7c69c8a9f5c2108c01524f4fd2fc7de9

    SHA512

    b6b12a311eef32cef295ade3fd642ef63f45ba3f6aa0d5b28cce968f79ed2c6cf324b2810fe51ab09328d3ff5a10c0c7e9f345901cd1af5191bbcb52286c3e0f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\blackangus.exe
    Filesize

    275KB

    MD5

    f77897f8a1db43161bcd5bfe7660fe6e

    SHA1

    b1e7142f586de5a48adcd3a132053e6fc0258bf4

    SHA256

    067205b69d3c39c5553c45fe92408b0b7c69c8a9f5c2108c01524f4fd2fc7de9

    SHA512

    b6b12a311eef32cef295ade3fd642ef63f45ba3f6aa0d5b28cce968f79ed2c6cf324b2810fe51ab09328d3ff5a10c0c7e9f345901cd1af5191bbcb52286c3e0f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-4.exe
    Filesize

    3.2MB

    MD5

    32e0a8e898a4aef3abe2c5c26d2570fb

    SHA1

    0c56076f2d4d905a08dc2e8c85a6fd4d184a0846

    SHA256

    6d0e14d66da69c163f824f8fa7d87de3eea41cdbd48c0973de296cf6d2d0fed3

    SHA512

    1cec6e1dd8eaea6bfc00c48403d3263db6a54d4012b87666da5ac2f83748ef9102ed97c026e185d3c8cc0342c8feafd0a27442dfc19d6d37b69a9d91168ab97d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-4.exe
    Filesize

    3.2MB

    MD5

    32e0a8e898a4aef3abe2c5c26d2570fb

    SHA1

    0c56076f2d4d905a08dc2e8c85a6fd4d184a0846

    SHA256

    6d0e14d66da69c163f824f8fa7d87de3eea41cdbd48c0973de296cf6d2d0fed3

    SHA512

    1cec6e1dd8eaea6bfc00c48403d3263db6a54d4012b87666da5ac2f83748ef9102ed97c026e185d3c8cc0342c8feafd0a27442dfc19d6d37b69a9d91168ab97d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-P0A5G.tmp\cheat-engine-7-4.tmp
    Filesize

    2.9MB

    MD5

    9858749c3a44de91503ba1124f98a4f0

    SHA1

    9e871a2a692fe7fa03cbd2b958a48eee9a694758

    SHA256

    058a000842e85dbf501d6fc76fa4a73e13b31102367d06d459c8ba8e7e91a201

    SHA512

    85c8f861cca5adee81d8707627ca008821993c19be35ed86372bd50457ed194d11138e9e34e3e527ef4253857eac372eedd0d7a511ae11927be36eefe39c5dc4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-U8TRS.tmp\botva2.dll
    Filesize

    37KB

    MD5

    67965a5957a61867d661f05ae1f4773e

    SHA1

    f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

    SHA256

    450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

    SHA512

    c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-U8TRS.tmp\botva2.dll
    Filesize

    37KB

    MD5

    67965a5957a61867d661f05ae1f4773e

    SHA1

    f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

    SHA256

    450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

    SHA512

    c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-U8TRS.tmp\zbShieldUtils.dll
    Filesize

    2.0MB

    MD5

    e1f18a22199c6f6aa5d87b24e5b39ef1

    SHA1

    0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

    SHA256

    62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

    SHA512

    5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

    Download Submit

  • memory/820-134-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/820-132-0x0000000000000000-mapping.dmp

    Download

  • memory/820-148-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/964-141-0x0000000000000000-mapping.dmp

    Download

  • memory/964-147-0x0000000002CD0000-0x0000000002CDF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1240-130-0x0000000000230000-0x000000000052E000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1240-131-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2192-140-0x00000162CBE00000-0x00000162CBE4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2192-135-0x0000000000000000-mapping.dmp

    Download

  • memory/2192-144-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp

    Filesize

    10.8MB

    Download