Analysis

  • max time kernel
    135s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-12-2023 13:53

General

  • Target

    bdf9e31acebcc108b1cec12cbe2b42cd.exe

  • Size

    1.4MB

  • MD5

    bdf9e31acebcc108b1cec12cbe2b42cd

  • SHA1

    ed352a0648cec64d6ec41614e9eaa48e6b23ce59

  • SHA256

    80a885b212b9c031aba01e908bdfb66d8b17c62e9e8334d4df8dbfa284dc3f6c

  • SHA512

    0f628c2a653ebabf33a4391438fee3ced0c2f790bb7b4b0740cc8b13baad78d16cc905547d480b1f32d5b11adbc9985e2a9557c5a51fc8eb3690e2a4217549f5

  • SSDEEP

    24576:ypwgTYi4Rdcvh4yFNNhlcaEFZVQLib/E42clNClR/m6RseOzvmC7di7WW4LASLKo:9gr54yFNNhlcdFZVQLib/z2clNClR/md

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdf9e31acebcc108b1cec12cbe2b42cd.exe
    "C:\Users\Admin\AppData\Local\Temp\bdf9e31acebcc108b1cec12cbe2b42cd.exe"
    1
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4516

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Credential Access
    • Unsecured Credentials (T1552), 2
      • Credentials In Files (T1552.001), 2
  • Discovery
    • Query Registry (T1012), 1
    • System Information Discovery (T1082), 1
  • Collection
    • Data from Local System (T1005), 2


Downloads

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    1KB

    MD5

    e26ac10dc7f861d58a45da78d2d57b0b

    SHA1

    d5a4684f13001082a4333e4d1734ce5aed685b14

    SHA256

    fcd249084778adbe7a1b8d0ba114531cad2ab186d75cd3e31b81be213b87f930

    SHA512

    e5e92f999b3d73bcb0c8a223a4c0f39190ed114153c70904ab21594dd50c60ad3ec01ce14bcfea2ed056f7b47771b3cc0bc87161a566520c32b1ea7a7996bc9c

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    465B

    MD5

    0d5123f66172afc3c03aaa43178eefc8

    SHA1

    2e1d515469cbedcd26aab592fc070301e016c243

    SHA256

    0ec324ac9191460f8046771e105fda4a02847065c7b491ababff648e9dced7a9

    SHA512

    425b5a2aebc58aeb5f9fa9c6be899fbcd4c016f31bdf6ea9058f8249367085e09365fce42e3be604379fd50c7ceb1f069a2ba1fbe133a4889da10c7398a7d8ef

  • memory/4516-0-0x00000000007E0000-0x0000000000956000-memory.dmp
    Filesize

    1.5MB

  • memory/4516-1-0x0000000002AB0000-0x0000000002ABA000-memory.dmp
    Filesize

    40KB

  • memory/4516-18-0x00007FFCA1760000-0x00007FFCA2221000-memory.dmp
    Filesize

    10.8MB

  • memory/4516-32-0x0000000002C90000-0x0000000002CA0000-memory.dmp
    Filesize

    64KB

  • memory/4516-125-0x00007FFCA1760000-0x00007FFCA2221000-memory.dmp
    Filesize

    10.8MB