Analysis

  • max time kernel
    247s
  • max time network
    250s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    09-07-2022 18:20

General

  • Target

    Loader.exe

  • Size

    274KB

  • MD5

    48de7b41e21e517d1ae57c2d6442b93d

  • SHA1

    bcd876b0784835cfab4165fd434ad13a67db2365

  • SHA256

    0ebbcb753aa42b66281ad10b99681563717aae91ffe95ab927ddb654b86e00ed

  • SHA512

    91cfe55c9034806afa8505dc225569fe1437982a8c67c0539d528426737525d7128f6bdf4fb44050457f5a48a15be28c46134b8d1548f7c977770f54e4eeea87

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/989883604882563072/I6apuRJcmV6wI-bE0eT_u3YoI1Slj3mfLHwULpyZ35AEYu8xHDMfOn1VernNA60NWiN6

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 57 IoCs
  • Suspicious use of SendNotifyMessage 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4888
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4688
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4992

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 2
  • Discovery
    Query Registry (T1012): 2
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 2
  • Collection
    Data from Local System (T1005): 2


Downloads

  • memory/4888-130-0x000002028F1B0000-0x000002028F1FA000-memory.dmp
    Filesize: 296KB
  • memory/4888-131-0x00007FFD4C7F0000-0x00007FFD4D2B1000-memory.dmp
    Filesize: 10.8MB
  • memory/4888-132-0x00007FFD4C7F0000-0x00007FFD4D2B1000-memory.dmp
    Filesize: 10.8MB