Overview

overview

10

Static

static

setup.exe

windows7-x64

10

setup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    40s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    23-11-2022 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    1.0MB

  • MD5

    068b814729f1551a3c70948c272aab19

  • SHA1

    df09efe5bf2dc3becd036fc093e2d55a15420784

  • SHA256

    428b9f5ed5e3be5456fa65110d9a815fd6f75a8c41764874baa4c88b90397ca2

  • SHA512

    16093eb09d49b0e20c87fa0c8632861083402ccad9f30a5d6ba9cb04d3b5d7b270831fb88d1448e08cca7efa3ad435bd81919e5a9c2214c9a87602cd2dac6781

  • SSDEEP

    24576:ZEKhoSmPiUn1jPT6oo8Ox9IXiwdLCoFVkl31VVTK:6Khq198KyqFVk5V

Score
10/10
44caliberasyncratratspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1043626101374722138/8xjZH2IjxwGT5aAEHFsAIW0nkW0RHIIuUmTxgat5PUV7dxRM1ocpOk0zFZpczNcvlCjk

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • Async RAT payload 10 IoCs
    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 1416 -s 1180
        3⤵
        • Program crash
        PID:1696
    • C:\Users\Admin\AppData\Local\Temp\Install.exe
      "C:\Users\Admin\AppData\Local\Temp\Install.exe"
      2⤵
      • Executes dropped EXE
      PID:1204
    • C:\Users\Admin\AppData\Local\Temp\NoInstall.exe
      "C:\Users\Admin\AppData\Local\Temp\NoInstall.exe"
      2⤵
      • Executes dropped EXE
      PID:1132
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    Filesize

    305KB

    MD5

    3c15c850db18c3ead48ab1929a5aa925

    SHA1

    e2bdd8fe8b6f48fa55d6fce766456b825e16cb26

    SHA256

    190c982b8df7adb7a1c7a1ba5f2582cc8c1f3de4dfad31b42ca914ed31f6d8d2

    SHA512

    1300336b1d3b1ecc4b6f99bf5dbff65260405154b55e882badc45ef10460d0a3eaba9b5b9fcc9f6f6b18cf9dc55f77c127a84000aaeb008111903e292efa8989

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    Filesize

    305KB

    MD5

    3c15c850db18c3ead48ab1929a5aa925

    SHA1

    e2bdd8fe8b6f48fa55d6fce766456b825e16cb26

    SHA256

    190c982b8df7adb7a1c7a1ba5f2582cc8c1f3de4dfad31b42ca914ed31f6d8d2

    SHA512

    1300336b1d3b1ecc4b6f99bf5dbff65260405154b55e882badc45ef10460d0a3eaba9b5b9fcc9f6f6b18cf9dc55f77c127a84000aaeb008111903e292efa8989

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Install.exe
    Filesize

    48KB

    MD5

    d96a7317fb4d70cbe07a8fb364adbc21

    SHA1

    5f674dcb3f9ccdafb94a0d983af4a959be9b4e05

    SHA256

    85f48626e6bee0b259faa4bb80e4af57c4466e1c2b5ed9e17ea02e2b59d83b40

    SHA512

    cc49023ba6a799d02eba8d3119c66e5533be4e3d9e59455702b4c69e852fb4655c1ddb6498b33aa3c88d88c2da1435b5e00226e71c68b38084b82d3fdc0a2e77

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Install.exe
    Filesize

    48KB

    MD5

    d96a7317fb4d70cbe07a8fb364adbc21

    SHA1

    5f674dcb3f9ccdafb94a0d983af4a959be9b4e05

    SHA256

    85f48626e6bee0b259faa4bb80e4af57c4466e1c2b5ed9e17ea02e2b59d83b40

    SHA512

    cc49023ba6a799d02eba8d3119c66e5533be4e3d9e59455702b4c69e852fb4655c1ddb6498b33aa3c88d88c2da1435b5e00226e71c68b38084b82d3fdc0a2e77

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\NoInstall.exe
    Filesize

    48KB

    MD5

    8732042e1be56177b23d3c87a08d2220

    SHA1

    ba4b8314ad52256d66dcb83d79ac31da48a25d62

    SHA256

    d8062dac6b24dff7d13472a8805634e42b99824b270b06c8c1ab9d91a3c83cf2

    SHA512

    8f5600b6388bbdc0f5a4ba54ee1f786e50fdcd91728cefdde3ea0635e8726a59894fd8949cf5b027d848ccec77597ec67b73e58879541521e99f94e675fff89c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\NoInstall.exe
    Filesize

    48KB

    MD5

    8732042e1be56177b23d3c87a08d2220

    SHA1

    ba4b8314ad52256d66dcb83d79ac31da48a25d62

    SHA256

    d8062dac6b24dff7d13472a8805634e42b99824b270b06c8c1ab9d91a3c83cf2

    SHA512

    8f5600b6388bbdc0f5a4ba54ee1f786e50fdcd91728cefdde3ea0635e8726a59894fd8949cf5b027d848ccec77597ec67b73e58879541521e99f94e675fff89c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Insidious.exe
    Filesize

    305KB

    MD5

    3c15c850db18c3ead48ab1929a5aa925

    SHA1

    e2bdd8fe8b6f48fa55d6fce766456b825e16cb26

    SHA256

    190c982b8df7adb7a1c7a1ba5f2582cc8c1f3de4dfad31b42ca914ed31f6d8d2

    SHA512

    1300336b1d3b1ecc4b6f99bf5dbff65260405154b55e882badc45ef10460d0a3eaba9b5b9fcc9f6f6b18cf9dc55f77c127a84000aaeb008111903e292efa8989

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Install.exe
    Filesize

    48KB

    MD5

    d96a7317fb4d70cbe07a8fb364adbc21

    SHA1

    5f674dcb3f9ccdafb94a0d983af4a959be9b4e05

    SHA256

    85f48626e6bee0b259faa4bb80e4af57c4466e1c2b5ed9e17ea02e2b59d83b40

    SHA512

    cc49023ba6a799d02eba8d3119c66e5533be4e3d9e59455702b4c69e852fb4655c1ddb6498b33aa3c88d88c2da1435b5e00226e71c68b38084b82d3fdc0a2e77

    Download Submit
  • \Users\Admin\AppData\Local\Temp\NoInstall.exe
    Filesize

    48KB

    MD5

    8732042e1be56177b23d3c87a08d2220

    SHA1

    ba4b8314ad52256d66dcb83d79ac31da48a25d62

    SHA256

    d8062dac6b24dff7d13472a8805634e42b99824b270b06c8c1ab9d91a3c83cf2

    SHA512

    8f5600b6388bbdc0f5a4ba54ee1f786e50fdcd91728cefdde3ea0635e8726a59894fd8949cf5b027d848ccec77597ec67b73e58879541521e99f94e675fff89c

    Download Submit
  • memory/1132-71-0x0000000000950000-0x0000000000962000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1132-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1204-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1204-73-0x0000000000A90000-0x0000000000AA2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1416-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1416-72-0x0000000000390000-0x00000000003E2000-memory.dmp
    Filesize

    328KB

    Download
  • memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1612-55-0x0000000000400000-0x0000000000503000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1696-74-0x0000000000000000-mapping.dmp
    Download
  • memory/1948-56-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1948-57-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download
  • memory/1948-58-0x0000000140000000-0x00000001405E8000-memory.dmp
    Filesize

    5.9MB

    Download