Overview

overview

10

Static

static

3

5d4fa5abb6...b2.exe

windows7-x64

10

5d4fa5abb6...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2023 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5d4fa5abb66889e91507124cbdfe40b2.exe

  • Size

    3.4MB

  • MD5

    5d4fa5abb66889e91507124cbdfe40b2

  • SHA1

    e1832578c89188f63141428b3ff8afd0c3055bc2

  • SHA256

    90a0c78f4feaee2f1b928d281637318459ad28552eae36919b02137d3340025c

  • SHA512

    007d36566e559919c5be457d2c4627d0d966bfc326910174ce54fa9f55c7618d1d8bdbd9dc3397cfdbfe94f5c51d9f07d979793415dc67c437d57f235f2a2d49

  • SSDEEP

    98304:nrgqc2GNBkbGr05GkBoFT9nClofZbBI0mR:kqc2SBAGr05GNFVZqLR

Score
10/10
44caliberspywarestealer

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5d4fa5abb66889e91507124cbdfe40b2.exe
    "C:\Users\Admin\AppData\Local\Temp\5d4fa5abb66889e91507124cbdfe40b2.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    731B

    MD5

    903862d3b1f67014b51a2a99dd29a49c

    SHA1

    1f7f77222906a550cd3aee053d12f569f2d9038f

    SHA256

    5500e6531d31907c23852811b9a1f88a56ec801b819113897d81cb89c2c1e947

    SHA512

    3ed73091e1c86956fa57c81420697a6ca417d5b1ec6603af243a4af25ccd0b177a25657f9a49295eee5642e9a945e6ecc768e086618b50ca68276ed930f30747

    Download Submit
  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    e3d85c1e4964e1a92670ad4461a9f526

    SHA1

    cd4259a94bd44fb16ef348ec99155618e00c7a42

    SHA256

    494e14067488393603e52c69d266bd28cacdb127b9aaf60a103c28eefb553bf1

    SHA512

    7fd82d50171c6a166e8f993032b3a9374d64f5a36772adf6c8ee27dfdb0296803bd295414ab8f96445c151c8ef8de38e2cea91d9b267d0131ef40212ace99584

    Download Submit
  • memory/3964-0-0x0000000000E70000-0x00000000011E6000-memory.dmp
    Filesize

    3.5MB

    Download
  • memory/3964-1-0x0000000001980000-0x000000000198A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3964-2-0x00007FFC13570000-0x00007FFC14031000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3964-6-0x000000001BF10000-0x000000001BF20000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3964-124-0x00007FFC13570000-0x00007FFC14031000-memory.dmp
    Filesize

    10.8MB

    Download