Analysis

  • max time kernel
    126s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 00:51

General

  • Target

    Yandex.bin.exe

  • Size

    274KB

  • MD5

    40e3881d6c0898f6a5c24940b54a69a2

  • SHA1

    f3da392ee4fb703255eff7ee8a83f23c2bb02987

  • SHA256

    d5c05da57fa20048e35e6ef498b3dd0bcb92eaea3997e8a7009b38b8a15c4e86

  • SHA512

    9013a696cda9be776f0a5ee66aece8716662121e69c5be056c8567eabed8fea91641e50714962438efb57da1b1ff1d4a2c3211e65be10a9e7833e647f700eb8b

  • SSDEEP

    6144:ef+BLtABPDMtBBfn1Y0gIoHOQZafTy8lI1D0Cbg:1tVvgIoHO+x1DRg

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1155120137612034188/cdy5wHbWmzOOyiX6nZbn5OlBuBidB8er7f1281hl7JRUP1iVFGnh9s57SwGqJtsdtgrx

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Yandex.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Yandex.bin.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2928

Network

MITRE ATT&CK Matrix ATT&CK v13

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Collection

Data from Local System

2
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Process.txt
    Filesize

    770B

    MD5

    09dad1952c946e4af4791d01b85424c5

    SHA1

    ed067b907cbebba3a423da2e3f2f51156129ee05

    SHA256

    0bbb4e80245f0249ff0626adc2c0925a195e36603ae9f85e1fd1c12b64835c90

    SHA512

    93ec360ea8e6eee32ca796179b7ca8c64cab266a1094e710d344332b157af9d4dfa6e598009bbfbd4f5139d30101e104a1d790633dc23069a2703806e39ad4a1

  • C:\ProgramData\44\Process.txt
    Filesize

    1KB

    MD5

    8e9615b094a70d30bce2ceb15947d25f

    SHA1

    3bf4898fddf31c53c89f8f2a7d3ddd0dd1d43270

    SHA256

    2b021e6dea209a308962f9dc8c8af800b37a9beb8e7be57a74db3ba2776a4bf0

    SHA512

    7ae3dafe6017aa288a7398f708de028fe24295249f1a0c5b414043a0cc39842786966d6518897e279e4dd0df316ff1a9817a70f89f0cdb6b5b4a2483ef72a416

  • memory/2928-0-0x0000021FF3F40000-0x0000021FF3F8A000-memory.dmp
    Filesize

    296KB

  • memory/2928-33-0x00007FFD45F90000-0x00007FFD46A51000-memory.dmp
    Filesize

    10.8MB

  • memory/2928-34-0x0000021FF5C90000-0x0000021FF5CA0000-memory.dmp
    Filesize

    64KB

  • memory/2928-122-0x00007FFD45F90000-0x00007FFD46A51000-memory.dmp
    Filesize

    10.8MB

  • memory/2928-123-0x0000021FF5C90000-0x0000021FF5CA0000-memory.dmp
    Filesize

    64KB

  • memory/2928-126-0x00007FFD45F90000-0x00007FFD46A51000-memory.dmp
    Filesize

    10.8MB