Analysis
-
max time kernel
43s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system -
submitted
31-01-2023 09:09
Behavioral task
behavioral1
Sample
c6094b00a087a57a40c1256a67cebc25.exe
Resource
win7-20220901-en
General
-
Target
c6094b00a087a57a40c1256a67cebc25.exe
-
Size
293KB
-
MD5
c6094b00a087a57a40c1256a67cebc25
-
SHA1
29b100dbc5bc482949e483ebf5969646e417cb17
-
SHA256
0408e2c545d837ff2eb08d92b94f80b6dd11d00b21788bc485c552ee3a2fa1ba
-
SHA512
d9eba8f24dd310690c7145226fab7beab26d197f5b8278ee904cedf5f70f5a11603ab9ba93dcd817c8ecc3ff7fd0a1846982ed230a90a458dbbfe67dc372041e
-
SSDEEP
3072:UNgIOuOIStjInreY8gHMPceeZdTXD4x37OrhYSCIujV8ZmQVDQ1Lh6cl1Lxatuwj:+OuOISqeYnQcpnyOrhYSxuj7F1hxUlF
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1061674520219504781/FE_dV3NzPURAAeRPaaDnLLWfH18ZKFYYq7S0uNsh3rCSOJfn1Q5hlEa183bK1AzyFEKL
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 freegeoip.app 4 freegeoip.app -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
c6094b00a087a57a40c1256a67cebc25.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 c6094b00a087a57a40c1256a67cebc25.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier c6094b00a087a57a40c1256a67cebc25.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
c6094b00a087a57a40c1256a67cebc25.exepid process 1284 c6094b00a087a57a40c1256a67cebc25.exe 1284 c6094b00a087a57a40c1256a67cebc25.exe 1284 c6094b00a087a57a40c1256a67cebc25.exe 1284 c6094b00a087a57a40c1256a67cebc25.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
c6094b00a087a57a40c1256a67cebc25.exedescription pid process Token: SeDebugPrivilege 1284 c6094b00a087a57a40c1256a67cebc25.exe