Analysis
-
max time kernel
137s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
28-12-2023 22:35
General
-
Target
fd2f11c31192e8efe0eb4b37d1a5e1b6.exe
-
Size
9.5MB
-
MD5
fd2f11c31192e8efe0eb4b37d1a5e1b6
-
SHA1
48b2610a347ae04cd61cd33100715ca5476e1951
-
SHA256
a15c3b6773fa9d8db715f8c557c76c95e8f84db0fa5046ed7a01589bfdc778b5
-
SHA512
39a5e38dfb04b462e167462e78fe9cf018215cd8e9fcc7e1cf67e6ea93f99176af49995ed9c987899f140fe32faeda6757a2e814944b899454e771f183b04afa
-
SSDEEP
196608:0FSJAB+ZcpS+S6SrGTsD2dmmhGlkrwPgZS7rjsn6P44Nm:0FS+Bkc0+Fe6dmracMR7
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/868513655556292688/7ViWQKXofSCTi8VWoHEcGeQK61RUEBYfnsE72cu6TJnpHYwlgzbrVI5gQn_jpfUMFoS5
Signatures
-
44Caliber
An open source infostealer written in C#.
-
Modifies file permissions 1 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fd2f11c31192e8efe0eb4b37d1a5e1b6.exe"C:\Users\Admin\AppData\Local\Temp\fd2f11c31192e8efe0eb4b37d1a5e1b6.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe"C:\Users\Admin\AppData\Local\Temp\InterialoaderNOP.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"C:\Users\Admin\AppData\Local\Temp\Interialoader.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"C:\Users\Admin\AppData\Local\Temp\Interia loader.exe"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"' & exit5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Services" /tr '"C:\Users\Admin\AppData\Roaming\Services.exe"'6⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"5⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%cd%' & powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Set-MpPreference -DisableArchiveScanning $true & powershell -Command Set-MpPreference -DisableBehaviorMonitoring $true & powershell -Command Set-MpPreference -DisableRealtimeMonitoring $true & powershell -Command Set-MpPreference -DisableScriptScanning $true & powershell -Command Set-MpPreference -DisableIntrusionPreventionSystem $true & powershell -Command Set-MpPreference -DisableIOAVProtection $true & powershell -Command Set-MpPreference -EnableControlledFolderAccess Disabled & powershell -Command Set-MpPreference -EnableNetworkProtection AuditMode -Force & powershell -Command Set-MpPreference -MAPSReporting Disabled & powershell -Command Set-MpPreference -SubmitSamplesConsent NeverSend & sc config WinDefend start=disabled & sc stop WinDefend & powershell -Command Stop-Service WinDefend & powershell -Command Set-Service WinDefend -StartupType Disabled & powershell -Command Uninstall-WindowsFeature -Name Windows-Defender & powershell -Command Remove-WindowsFeature Windows-Defender, Windows-Defender-GUI & Dism /online /Disable-Feature /FeatureName:Windows-Defender /Remove /NoRestart /quiet & Wmic Product where name="Eset Security" call uninstall & exit6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'7⤵
-
C:\Users\Admin\AppData\Roaming\Services.exe"C:\Users\Admin\AppData\Roaming\Services.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\Insidious.exe"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"4⤵
-
C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\Config.exe"C:\Users\Admin\AppData\Local\Temp\Config.exe"2⤵
-
C:\Program Files\Java\jre-1.8\bin\javaw.exe"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\InteriaVis.exe" org.develnext.jphp.ext.javafx.FXLauncher1⤵
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD529e11c6a253d035cc1692a39f30af480
SHA1da4086b3cc166ca13942503b5d4be5b9924f9de8
SHA2564f2099cf3c69802288b7b21368f99b182a924c1f71b25df7803f8f9f03714d32
SHA51238cbe9fd3d4c6feda858c0823d6e90070f200067190ec307184e74248fb61c8ee74ae061ef4a4d3d700e50be3b26eba50c1b56bc1cb9244ce0aa2aacd8a6a927
-
Filesize
84KB
MD58cb71f698089c6823d47c394f4b1e911
SHA1d8ac4c285d40520e4f38231f02cb1ed13455897e
SHA256ffe04c4950c5b4f5d008e1e5a24d86052e5699e2a7c33d3375676f182357cb26
SHA512aa89d4b0ad56ac3ed93f48f322493b3f7cd7c407589b44a80dc2964a2b0aa744d8788e099b0ad86d5ea339b10f1391c0ba2e7778802a800e1958ccbeea373697
-
Filesize
20KB
MD5af379b8f5b304de208f88e6ac9754de8
SHA16ca328253204d843898c6b6c41229c22d81c7dbe
SHA256dea450b41fc31d3228bac6e4898a4767ecd4732cf3b7f9c55ccceb8271b1c07e
SHA512c6b94937f877b2a56423c51bc5d1c3efa1848813a850bff25a692a109a91230078dbc0511b79050e6ce3cbf7e5d722e5709f0e0593787f23fa21c4249db6c9e5
-
Filesize
36KB
MD57642012870b7e67ddb136ccfd8103de5
SHA17089efa79c3429e8450c3127d769c1d3453f373d
SHA256413d37a3765860a0f9390a468818fcffa3d234159fa48d9323e39e08fbf4ab06
SHA5122f34a84c738efe441bbaebeeefc6c3b75a521192b17bc3580235770ad4415b292954c6770dab35ec2c20a8c16d231ccd7e376c280afe8a3b8757d5554d3fbcbd
-
Filesize
44KB
MD55fa4cd8740f379a6f57936efd3394bc9
SHA1704c94dab4a541fb7fbab092db412630886d204b
SHA2560925c4055d3f5e4ddefc099d1b16ea6dd7e8dcccd107d903d3d5a5579fe6a887
SHA512314873fa509165f2facbc59747ff186871d4b618a9e7139dc620b8c1f5635b0b771738335ca6c4fa482c8ed904f9c6afa278ce64eb713ece493b2becdccbe37f
-
Filesize
86KB
MD5c2146dff3d942e334576b4ea8bc455ce
SHA1913f53c44d1ff2d56b0b6c6f7e9b4eca3bd02279
SHA256caceb3926dd6994665f410f25027910f15100c7c3d573b2c57829fe78cb7f40a
SHA51217f77d984f5f98c154372a547db4ab142f29671ae6f110d0c786819841fe75dcc10f88fcfe9f5edfdb2e372043ece586b43f0749d8494d91f335a7a210a6b60b
-
Filesize
108KB
MD5d10fa7bd6ab26b292c24d5caf34b84d6
SHA15d2f666931fe3a87b22ee6d98bec7aad703a3f78
SHA25602377ad49c6a9515e70b0d33ebf31d151ee7c3bbcb5a105cd9cf1d9f54b5e4d8
SHA512333bd95219f669b4f37fb93a8d0445d37466380497cb3808f4bee6d427b78bb09cbf6ae1545526f1d833304d0da5d423695e64b374df9bdaf2d5dd188c269b97
-
Filesize
112KB
MD51aa941cc5ef8615aa7de53639ec4bbfe
SHA1d7182353192cb28198367d7099047a3e3e689cbd
SHA2568ee2f968220e354ddb47a6452f689740fb51297a74a883efdc7a2edabfbe2cc3
SHA512389fcba2485512399a9ed0dcba3c30bc32df7460179acffb0cb5f39e94ed82c27dc2d4cb278e980dfabfbfa84019a5546b7fc53a0203e25090c8d01d769d3ab7
-
Filesize
56KB
MD5b4294e58c78091c9e8842861253a1485
SHA12f806f1698e689cd86fa6b9736478b09b448a76e
SHA2560a7f1c073b0885b339393f99bbd4583f0c2ad7d965cefb95a4669122588af03e
SHA512ff2172127c94b3237635a3edc018b931b2fc4b752f0a0885af6c44d54fa80d1e3c3d2ef78c7719cfc8e2afef4120dbe7d513cda2e30039165d7e5e6db3b97eda
-
Filesize
130KB
MD5b8c480cd3985510ec432aeab8ce6145d
SHA1ea54074e1dfc8367e665c774d7e40ab9bc40595c
SHA256064b6bc2393b7c540eea814fc827b76ea26f33e7bedd31b0688f49b1c85c0543
SHA512b0e582aa1554f5288e3d5ab5562d42352f202435238ece8f43afb698e0547fdbac527db5f13e93d5d0573a7927531ff973afae41c2db2ed94c7d008fbbc37718
-
Filesize
92KB
MD54975ad560819a26c969b36d25cdb61a5
SHA16655e772d6f5c08f938ae79395792df6d1078e67
SHA2562d3ea58c8ebc0b36bd4ad71e26630c0d2f504568e018665e68ee3fd45748470c
SHA512eeed7befbd717177c7b803607ca0e63394d9df22375acf376d30a8b09afb599295df221c42fbd5ace6269ba0a22a540d7dec9b38aaf5fcef8a7be6d7e44b4e0a
-
Filesize
57KB
MD5e1577a8768e09c326d0ae8b4b7285b1c
SHA1fcdc2f0070225f6ce010aea8284f84b6d9dd2f15
SHA256bbd6714bedb78e8f2abcad9deca72c243b82a33d9b56cdee1abae108b3db14aa
SHA51229f352c3e40b8d940c1b9c5b8cbbf9ad0c1ed3ff1085cb7705877538c429fd30c9ee0beb9e228de330ecccf1e13858a6cfe029bb0b003017523b64a196a32916
-
Filesize
96KB
MD51284875d67f61e2e3e84e78c7e0e2d09
SHA1bd5cfdb1f4b898149848649c1bfec101ff41cdd1
SHA256007e587caa344fab21a39d6d8f418f6569a6df02b71c529fe1b50bf8818dc043
SHA5122ef93ec5f3d05ee1283121d2da20f6e1bde51aa6c6062d841406252e2d2b39d59f28d7bd621a9b74bc910bc185d761beca3955a6d7cb3ed087e0d5911c32a119
-
Filesize
23KB
MD5223d84921fbf28144b6e14673db1b8ac
SHA1d1ff2a8e9990675956f1852f28c52bce748f9a9d
SHA2563e6a389395c9f471de4ce49207724487c248ff699748a87d6f8447885d194a6d
SHA5124269393f9a58b305198aa469ef73dda0830cb3a73ab409cce70e52b57f58d2774b555e199ce6d2970f952dcee91c819b6ca40b20f057103db514963e02692bf2
-
Filesize
47KB
MD5593317dadc792d7a9adaf7f3a6023aef
SHA189cb1b7ba8ba26428509c6bde0457bcf2d4399f1
SHA25600ae04368a4367df46a6f9a571f33bd3168921e14b5b42b2a8bd9406ddc8f7fe
SHA5122956b93e776d4f0fec8ef570f3bafcf3c1b1271152939a3368d4a7393c44ca86ac5ebd119bf7d2706deedd206886f1c19c1385eff6001112e96caa579957241e
-
Filesize
56KB
MD5905568df790163df002505014753f281
SHA1afdba210cb6d4565136c82f39771aacd5d07eb2b
SHA25645a3c170715fa33eefd4c46f29ec12fdf2b2346ce563c43b8b4e6d0522e03d68
SHA51245cbc5fbd6372bf339e385c106f2389d7a9521599c2de5c61e14de7b0bd4d85c74cb8c8d7c26843dddae491551862f7354c1b366374d217be197658db5cb43d9
-
Filesize
67KB
MD50d8bc8b8bc2ac7fe6c7f95ca14f28c5e
SHA1b200ac892e28ad634fc4874b47c916f1130360d3
SHA25684b44d271d4402e8d1cf3d89d0568439655c186644cbce3451a1c9dba975165a
SHA5128fc1e116d3219fa5fa99cbf6063781cfb071ed3794ba904f1d03b3743ba535291454b07a7b39b446a59fab38efb205c5dd208794f48729a03cb3b5483088c8fa
-
Filesize
83KB
MD586f9a4f59c321762c58181da1f4ada42
SHA1122d78756fe87b3d33f13b5332e3e2902b4f1e0a
SHA256daacd4c125249ddafc079c5d02d013472f23e60faa4acaf458cf83d45dc7acc7
SHA5123856de223c5a1a9fae8238824a61e8983760a9de55dda15a50b3bf018df36334539cdac8945985edb29ec94189ea69358980d4e5379d2e9e69858f38117874f3
-
Filesize
46KB
MD50c833b5ca95b93101b1e2474eff30c0f
SHA1f6ab8c355766ed372439f42a86af0f950bb465a8
SHA256e5c29e905bb024a53f2ed86771a747204960ae23e2e8677466378d6447c356d9
SHA512019f54346123d8553a2f949739fe735c0d4f458ee00f3337264b74d563552c1feb7aaa4776a11fe132a175a71df31558b38ec64cb513236f3c15a53d5952bfef
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD57a37159274973fd342f373adaae234b1
SHA159e6dcb7db1f0e6a6c8d7f38f28618b9b08605ab
SHA256275a5f87e3ec9f25121fe332db7d33c6764e0de8db8cd8685450fb846ad872f9
SHA512826369c4782b5987b0877e7b37346ddb012683f4c7671d0a8d4c1dba1712fe47baf91c754cf8edeab2406dd5ddcbe1c3bf0cb735d3e61a70417d6eb4cc3b4303
-
Filesize
17KB
MD5f8f848e3792f47b86ac397288fa3f8d7
SHA17c4371e46bab5b65d893cacedd03eca1fa33a72b
SHA2565108a3c3f21488e613fc543c900fcc9874e10677621389573f049bd92fab6061
SHA512b2371a5109662b975a80839bdc14d1605e310425d56d42058ac5dbc69c7538dc208f175c5025b6646590e4e4826e286ab794cfc01b9d38fbb1db098ca1229c0a
-
Filesize
3KB
MD5d9e65b3fd8a9a0e49d233099cbc280af
SHA1e8490873180a2b7fc16a2427caa22cc0187d396d
SHA2560b84650d8e579facad2c2bfe02c21bbd8509ca98271d4d2e715fad062823ec7f
SHA51285a9d5ed7f68360ef6457895256e42af24b29d5fa73cb1d00040ccb203b0159f38139b3f20c3dfa08045db987c495dd9a85b36daec68df731128166102fc6188
-
Filesize
56KB
MD5356524452b3949b60d9e43e389c49a24
SHA18a4a3062d8fcd4a22a739a4d197e42da45e09f48
SHA256b95652f371abefabb9c8654d7f64d3e62027b9619942e5395b674523646a4346
SHA5120e9e455b572f68f8ed6e0915499a70cb33efb5b10414eb09ffda539421947deb751615b07ada11df9f5c27a49026f0071b2248e7359aebedf5685980da0fa63b
-
Filesize
11KB
MD5b49fca9e63e399259e6a5038dc632cda
SHA190139fd8c3c0c3187370b273b47dc4eb082b791b
SHA256d7f9c064459bda2b8a9e048dd6f1539b85b74db5dfcee825dfd4d4162cf5fe74
SHA512df76084554f79ff5acd1b638aeb48ec821dd03332d6cb2ba9ed17a6f65becff3b17d27c85d4b02f44a66eb25d92c0b26d429fa9395664c8113c4a87f7ae8f9e5
-
Filesize
296KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
64KB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
112KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
16.0MB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
2.3MB
-
Filesize
2.1MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
2.2MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
9.3MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
9.5MB