Overview

overview

10

Static

static

10

3ac95607d6...76.exe

windows7-x64

10

3ac95607d6...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-08-2022 20:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ac95607d654c3a0457075744e46c2277e7be98ddb21f1e4c29a98fa6c562876.exe

  • Size

    303KB

  • MD5

    74a7ff4c9395b44c406ca8e7ed5dee9b

  • SHA1

    9f2a294a86246658dfae747001e551575e8855d9

  • SHA256

    3ac95607d654c3a0457075744e46c2277e7be98ddb21f1e4c29a98fa6c562876

  • SHA512

    39417987022f08a292cacc47f230db45089c9f92222de407022ae92900ffa13068b3c391881297131f8625347ae088ea0c48279b5d89bbc4d5b6e2a33ad1bf64

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/991370448359149568/RQxL-Wum2YoYSXPZfI3xuNcwtnpuYnQk8G0BlkCMwdJqrQOP34mG0-uNULXiYZDZOObD

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ac95607d654c3a0457075744e46c2277e7be98ddb21f1e4c29a98fa6c562876.exe
    "C:\Users\Admin\AppData\Local\Temp\3ac95607d654c3a0457075744e46c2277e7be98ddb21f1e4c29a98fa6c562876.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1560
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1560 -s 1628
      2⤵
      • Program crash
      PID:1368
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 408 -p 1560 -ip 1560
    1⤵
      PID:4928

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1560-132-0x0000022C2EA80000-0x0000022C2EAD2000-memory.dmp
      Filesize

      328KB

      Download
    • memory/1560-133-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1560-134-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp
      Filesize

      10.8MB

      Download