Overview

overview

10

Static

static

10

1c135a7b80...7d.exe

windows7-x64

10

1c135a7b80...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-07-2023 18:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1c135a7b80703354a6d8bac14381447d.exe

  • Size

    274KB

  • MD5

    1c135a7b80703354a6d8bac14381447d

  • SHA1

    7562f7ba852f7ff91b6ef10647417bd54ff55c6c

  • SHA256

    cd8e9641046306857f3a12009ddf442922e32484696b475175c867e8ff580f3e

  • SHA512

    b9cad0723b37ee5612e64873ebddf428b4ace6396a2b301d8a19bc8c49c9084021f8c14da37298e262888ad62f6bbf78866bef152bb30fa8df39e60348396864

  • SSDEEP

    6144:hf+BLtABPDOpJTNN6eTSUdZ/pOlYeJqlA1D0Mk+:4pYSSUdZ/olYet1DY+

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/956477791124205569/zhz-iUwTtwf3ND8UdSeoNmdX8X4ElZBSxqhFrwstZ6oV5o-CWZxANYz737UasCARyImg

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1c135a7b80703354a6d8bac14381447d.exe
    "C:\Users\Admin\AppData\Local\Temp\1c135a7b80703354a6d8bac14381447d.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2984

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    739B

    MD5

    f15ed0d65baadb51f6b722c9e7669506

    SHA1

    6710cbfb1339f6fff08d754f933a50576bc6893f

    SHA256

    e4f7cb93b308dcf7c60209f1624c1424ff87eda6d4b9881707353f8eb00da4ff

    SHA512

    8777b44348e086172e58c2cdac41d4a6cd41ea803cf9b0b8d9263adf5a3614d186d9d08f4c1eed2a13496bfa57abec4a43491dbcf6f46485574b70f8ff9a868d

    Download Submit

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    1KB

    MD5

    17bd2bc5caba4a6f677c6a350d7cf031

    SHA1

    bf55ec5261d385d212225620f219adca79452938

    SHA256

    8149efb62e8492f0d2190ec6aa97b703a50fde314945e737810a63908640df91

    SHA512

    99a254d150d6e4b3497a4377416a6634d2bd61501ba50cc30ea999f9b813809d08e0f01e4463583998237674846b056df89c8bcb401c401e79bcf2329606c3d3

    Download Submit

  • memory/2984-133-0x000001D3D9DA0000-0x000001D3D9DEA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2984-164-0x000001D3DA2D0000-0x000001D3DA2E0000-memory.dmp

    Filesize

    64KB

    Download