44caliber

General

Target

adada.PNG
Size

76KB
Sample

230407-n3bwgaah3t
MD5

7f27ce967f0c166b8b16ba9760f99acf
SHA1

1d558925b3a10f88f046d553f123102992bdcd43
SHA256

58087009edda7a991e05a6cd97eb1a886cabaecc747a23b184711edcface9011
SHA512

57673dded5e4d203d459348d6211296f0f50d71ed0cf13bd69d214bb03d28adc44ecba8fa7256482832f50497bf761dc360e7f5b309797e506117c1733a3cb3c
SSDEEP

1536:404kejL2F1oapwlO69zertfv4pDCFq9nRlG9O886+B23CgS+KhNT:40Pc6pwl59zertnE5dRlG986+BSC9vhV

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
122112qweewq

Extracted

Family

raccoon

Botnet

13718a923845c0cdab8ce45c585b8d63

C2

http://45.15.156.143/

xor.plain

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/856268306523619338/XvZ9UZ7iH16syfNxW6g_pKMGVgE3CO0QMpSicS1IpfMCJpo17vFJMlhLObAOQRJWSrw9

Targets

- Target
  
  adada.PNG
- Size
  
  76KB
- MD5
  
  7f27ce967f0c166b8b16ba9760f99acf
- SHA1
  
  1d558925b3a10f88f046d553f123102992bdcd43
- SHA256
  
  58087009edda7a991e05a6cd97eb1a886cabaecc747a23b184711edcface9011
- SHA512
  
  57673dded5e4d203d459348d6211296f0f50d71ed0cf13bd69d214bb03d28adc44ecba8fa7256482832f50497bf761dc360e7f5b309797e506117c1733a3cb3c
- SSDEEP
  
  1536:404kejL2F1oapwlO69zertfv4pDCFq9nRlG9O886+B23CgS+KhNT:40Pc6pwl59zertnE5dRlG986+BSC9vhV
Score

10^/10

44caliber hawkeye raccoon 13718a923845c0cdab8ce45c585b8d63 microsoft collection discovery keylogger persistence phishing spyware stealer trojan
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- HawkEye
  HawkEye is a malware kit that has seen continuous development since at least 2013.
  keylogger trojan stealer spyware hawkeye
- Raccoon
  Raccoon is an infostealer written in C++ and first seen in 2019.
  stealer raccoon
- NirSoft MailPassView
  Password recovery tool for various email clients
- NirSoft WebBrowserPassView
  Password recovery tool for various web browsers
- Nirsoft
- Downloads MZ/PE file
- Drops file in Drivers directory
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Uses the VBS compiler for execution
- Accesses Microsoft Outlook accounts
  collection
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Detected potential entity reuse from brand microsoft.
  phishing microsoft
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1