Analysis

  • max time kernel
    42s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-05-2022 16:28

General

  • Target

    0x0008000000014348-68.exe

  • Size

    275KB

  • MD5

    f77897f8a1db43161bcd5bfe7660fe6e

  • SHA1

    b1e7142f586de5a48adcd3a132053e6fc0258bf4

  • SHA256

    067205b69d3c39c5553c45fe92408b0b7c69c8a9f5c2108c01524f4fd2fc7de9

  • SHA512

    b6b12a311eef32cef295ade3fd642ef63f45ba3f6aa0d5b28cce968f79ed2c6cf324b2810fe51ab09328d3ff5a10c0c7e9f345901cd1af5191bbcb52286c3e0f

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/973294177112686612/4QUQSbqvdZZd-DqEn3jQ1gWfu67yolKc4k1__wufBB-BWQv0dBmUKe8-IpUD-6DotJiV

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x0008000000014348-68.exe
    "C:\Users\Admin\AppData\Local\Temp\0x0008000000014348-68.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1880-54-0x00000000000F0000-0x000000000013C000-memory.dmp

    Filesize

    304KB