Analysis
-
max time kernel
42s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
19-05-2022 16:28
Static task
static1
Behavioral task
behavioral1
Sample
0x0008000000014348-68.exe
Resource
win7-20220414-en
General
-
Target
0x0008000000014348-68.exe
-
Size
275KB
-
MD5
f77897f8a1db43161bcd5bfe7660fe6e
-
SHA1
b1e7142f586de5a48adcd3a132053e6fc0258bf4
-
SHA256
067205b69d3c39c5553c45fe92408b0b7c69c8a9f5c2108c01524f4fd2fc7de9
-
SHA512
b6b12a311eef32cef295ade3fd642ef63f45ba3f6aa0d5b28cce968f79ed2c6cf324b2810fe51ab09328d3ff5a10c0c7e9f345901cd1af5191bbcb52286c3e0f
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/973294177112686612/4QUQSbqvdZZd-DqEn3jQ1gWfu67yolKc4k1__wufBB-BWQv0dBmUKe8-IpUD-6DotJiV
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 freegeoip.app 4 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
0x0008000000014348-68.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 0x0008000000014348-68.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 0x0008000000014348-68.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
0x0008000000014348-68.exepid process 1880 0x0008000000014348-68.exe 1880 0x0008000000014348-68.exe 1880 0x0008000000014348-68.exe 1880 0x0008000000014348-68.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0x0008000000014348-68.exedescription pid process Token: SeDebugPrivilege 1880 0x0008000000014348-68.exe