Overview

overview

10

Static

static

Auto Block.exe

windows7_x64

10

Auto Block.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    61s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    17-06-2022 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Auto Block.exe

  • Size

    2.2MB

  • MD5

    006f5bbb2e6f9ce7d38edad078e753ba

  • SHA1

    ae6bcb7f694bee6e52be7e7dc75a1d9ced78f75f

  • SHA256

    98f61a34d1b53907d24096b09b5530b80ca42ce9dd4c50eafcc6fab3f45a0119

  • SHA512

    f4e6aafe806fc71a728a500fa80cce83044bbe979252228b74e60b88f73ded979e917cbef1a987db176f323b6027298de102f4e867fb99ffe28c1b50d667bfff

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/987320469264928788/XHGBPVVk0PqB5Bug7qHP2xnrZN4CfIIFQe0thEyFCmF2MEQleEN98ae4oIo8Q6KdiaA_

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Auto Block.exe
    "C:\Users\Admin\AppData\Local\Temp\Auto Block.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1088
    • C:\Users\Admin\AppData\Local\Temp\БХ.exe
      "C:\Users\Admin\AppData\Local\Temp\БХ.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4056

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    Filesize

    274KB

    MD5

    9dff4650d113fe21dcc45c13ef90defd

    SHA1

    1d45ce5878d6ed0ac9b03588a9aafad752e15db3

    SHA256

    ba8e080a84946ed54cb2b10247081c845c72f1c9809258a643c6e8aeff0e3d99

    SHA512

    8b37d92863ed81fd53268800f745766b43e57b502140ad1a394e0be069f3a2631e01947e79712cba3575ee0aa59081bd1461ecfa606aae3e2331706477b02f17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    Filesize

    274KB

    MD5

    9dff4650d113fe21dcc45c13ef90defd

    SHA1

    1d45ce5878d6ed0ac9b03588a9aafad752e15db3

    SHA256

    ba8e080a84946ed54cb2b10247081c845c72f1c9809258a643c6e8aeff0e3d99

    SHA512

    8b37d92863ed81fd53268800f745766b43e57b502140ad1a394e0be069f3a2631e01947e79712cba3575ee0aa59081bd1461ecfa606aae3e2331706477b02f17

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\БХ.exe
    Filesize

    1.2MB

    MD5

    5fdb43b73957e39125b2005848c23b82

    SHA1

    0769336c1254b44b87c7ec881f73c149ba95d406

    SHA256

    454a12fe83683aede8ee95934b45d7cb4ecde8315496b42e280614dca3b6c299

    SHA512

    5a623d429be286f4c95c0597e766a5723002d752a93eec5f709bc9ce28309dbbe5cdb2cf118360ad607480d5d862ad67d76fdeedadf026d5649777bdf6f7aad0

    Download Submit

  • memory/916-130-0x0000000000400000-0x000000000062F000-memory.dmp

    Filesize

    2.2MB

    Download

  • memory/1088-131-0x0000000000000000-mapping.dmp

    Download

  • memory/1088-134-0x000002045ED20000-0x000002045ED6A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1088-135-0x00007FF902350000-0x00007FF902E11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1088-136-0x00007FF902350000-0x00007FF902E11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4056-137-0x0000000000000000-mapping.dmp

    Download