Overview

overview

10

Static

static

10

640d2a93bf...83.exe

windows7-x64

10

640d2a93bf...83.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231201-en
  • resource tags

    arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe

  • Size

    274KB

  • MD5

    d6ae2f2cb1539dea4bb4d9ea9d5d5cce

  • SHA1

    bc2ac2bc2d1ee035b65dbd43a4c0d134c51a3eeb

  • SHA256

    640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83

  • SHA512

    59c2d4eafcf67f91ee31104cb04be363ffbfadbe5a9667c0849584e666dffd4529f5c7dfd16905d63f9e2fa310c820aec20de7455ec753a48ab538885ac10ebd

  • SSDEEP

    6144:vf+BLtABPDMtBBfn1Y0gIoHOQpafTyElI1D0pEA:otVvgIoHOOp1DxA

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/1179802952609837118/VQL2SnbY3OQKym01HTNlPaUzF5_zZWpyG0uR_TQhE0OllmdOQS7zEdjJ2Yw63bcoH9rt

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe
    "C:\Users\Admin\AppData\Local\Temp\640d2a93bfc8e562453b35303ae4ec3c40c0de5b67eef3c28b1d1d498fa40f83.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2180

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Process.txt
    Filesize

    429B

    MD5

    fdc2b8dadca1a86929ecf57d4cf6ea89

    SHA1

    0cb927e9132f29565aefe4e8d0c510419135a596

    SHA256

    2b9aad53e9e68f588102e507688b7f1dd907c10bd9fe9f81cb5c0ecf0fac2f7e

    SHA512

    fc8b53d249ebef4a2543ebcde83eb6e6ddb81636c07544b4d5c8cdd38f805f60cc01fd9200de200820f55bc22bcedce2ffc73e24d0625c650bcb88d1cc02010f

    Download Submit

  • memory/2180-0-0x0000000000F40000-0x0000000000F8A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2180-1-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2180-2-0x000000001B410000-0x000000001B490000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2180-48-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

    Filesize

    9.9MB

    Download