Overview

overview

10

Static

static

7

df1c3a1b70...6b.exe

windows7-x64

10

df1c3a1b70...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28-12-2023 12:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    df1c3a1b70fc8f37ea642c4df3a2f66b.exe

  • Size

    448KB

  • MD5

    df1c3a1b70fc8f37ea642c4df3a2f66b

  • SHA1

    87b9d4bacc776489efb68f762913b76ef86908bf

  • SHA256

    51cfc971849b6d809df4f567616db7f420874a754752490b981134f1d40ff47c

  • SHA512

    a5a3e83d48f6eb0bd1ccbd4f48567c04d66ec1ba11b4afaf55df5f120b186ad3c764dd78b9835f8b2fb37b0d76d3f77ec08657f355c6734960359017e00fb512

  • SSDEEP

    6144:+efG+g1L+8z7eoRDemTD+uf9+GV6eauyGFyInlXYWbgqtS4zbvhdaDz/A7Ah5lL2:+3S8xTiG04nTbcAcDq

Score
10/10
44caliberagilenetspywarestealer

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df1c3a1b70fc8f37ea642c4df3a2f66b.exe
    "C:\Users\Admin\AppData\Local\Temp\df1c3a1b70fc8f37ea642c4df3a2f66b.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Process.txt
    Filesize

    412B

    MD5

    5767aaa148d42dd0cc101c0d834c6ec6

    SHA1

    e8971a8473a9272b7547c73f850926690259e1a8

    SHA256

    ebb2603ac47531a699307854c8609c0ca46f2498d56899703ee3838a39b8bcf9

    SHA512

    ab65e9de43a3bf9145bfec07b960c46f377e0c9e17dc27b7c19cb63f14ab56a6450600ab6c375b6d8b384bfe5587d9d5ad7882545835063f0fa4c21497c6d40a

    Download Submit

  • memory/1452-0-0x0000000001310000-0x0000000001386000-memory.dmp

    Filesize

    472KB

    Download

  • memory/1452-1-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1452-2-0x000000001ADF0000-0x000000001AE70000-memory.dmp

    Filesize

    512KB

    Download

  • memory/1452-52-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

    Filesize

    9.9MB

    Download