Overview

overview

10

Static

static

3

206db0f204...48.exe

windows7-x64

10

206db0f204...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2023 23:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    206db0f20482b4ffcf4bf7a72b743a48.exe

  • Size

    1.5MB

  • MD5

    206db0f20482b4ffcf4bf7a72b743a48

  • SHA1

    5952e991897ad99f773b7bf9d8835f7dbc7f274a

  • SHA256

    1041b6275ef7bc5b1729fa2b415ccf0e30a83ec298e02a9ec6b85c7fa0ac3418

  • SHA512

    25df102ec9bdcf038003ae357bef77f06adc07182ebd72bdea25e2f10da4090c48b7347d1e424d5552ad0ccba3df400a6bf6b58d9b0dbc3acadd96eb966eec69

  • SSDEEP

    24576:ATQuKl+Mw5dImXOEULqpKOKH07zIthhfPuD3J2Od4I0WpWeGdjeIPf6+kItzfdhZ:Yt5WjEULmzc3uD3JTd4k5YjeI364xVhZ

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/878380228894937168/1FKbQhM8XJ4ozljtwifZ-1m-XeYw5uknMJLH4X2t0Qxup8aulmWIgdRLa1z0jAtb9Z9u

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\206db0f20482b4ffcf4bf7a72b743a48.exe
    "C:\Users\Admin\AppData\Local\Temp\206db0f20482b4ffcf4bf7a72b743a48.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit

  • C:\ProgramData\44\Process.txt
    Filesize

    419B

    MD5

    9c9912aeff7a15b4d5feaf1222684be9

    SHA1

    dade6a7baca15242ccf4824cfdb6b6f7961f3f26

    SHA256

    2fce42406dc16b32e7cdaa499182ea419b4fcb27a9b15aac303627bafffd0ae7

    SHA512

    91b0ee9a66eecc67db92b16363ca1f3d749c0684adc20b6ea9ec8871e1078baeeb691da79109a92355cb9e9a07b379acc31193b513f30a94f46e2c1dc7ea7f0e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe
    Filesize

    304KB

    MD5

    7dd3bc789d4c11211304814c19d263d9

    SHA1

    b69b177a8ddb986f74cc226459eb972b10459909

    SHA256

    cb233784a01de84b5dba24ab9ac49042fdbe90fc2cec65c13279aa4b2901009c

    SHA512

    7cafc6530fe791393436604a70c5cc2fda3ee314145344789b52e0c17eb8eac017f372f19eac45d83080a26745acb9bbbc4fec0fa9bea58b4c51e922a41587c2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe
    Filesize

    783KB

    MD5

    aaac8b9094e988160fd1f38e021a659a

    SHA1

    e5ff80fb7c0e76640850f490b20f4ae2cb41cce6

    SHA256

    9690ef73e284ce47c62774a6e09cb571a1789699c5782152f82a67c98119058f

    SHA512

    57f9784d32b1b508f87b327120776373c3f863fa3dc4047332a104b30864d0d67191ad6275da766ffb9ef2bc35ac200604354017df9d0504692ca4f4d0920d0c

    Download Submit

  • \??\c:\users\admin\appdata\local\temp\insidious (1)_protected.exe
    Filesize

    445KB

    MD5

    e9a383d69239d35f23d19f19fb797d1b

    SHA1

    1578731ec44b03f45883774730c637896203f4d0

    SHA256

    f5ba013e197a745eb56b04e0607cffe6c1003b49708f5ad1d5f705650d306597

    SHA512

    62c91f759c6116a3db55c347a3af83356e526e1c9ebfbbd76bd091d8448c24e522772c6c967a799ae3a2d97925968309c343d470b9755eaf65e621ce6e4212bb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe
    Filesize

    411KB

    MD5

    a190507c89e21798e26c1559c7acd93f

    SHA1

    0403eb2b0bce1c304afc993e78fa1cedf745c515

    SHA256

    538914ceb34012db5ab9a03e3633d31d12a34d6ee5e0b96e1a9b6c1914ebe0ea

    SHA512

    374e1c1c41385166764d844c8444fd5ff13d81bb3ae50d8a51e8c67a081a8297d358da6b7c471edcd621d6ea673cbb0de44a32bb769b2ee08eb170ec510ddcfd

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe
    Filesize

    415KB

    MD5

    2b4baea2c079892886ed8d9e4ececfbd

    SHA1

    6e26537338dd066bc1ce721fbf6854cc937b1c9d

    SHA256

    ede9b2753d5b6f1d0287ce2b2beea27b312ccc6b8ddaf04cde0d0eec5771dbb6

    SHA512

    688f8c7cffdd6fa18b1a9b5f8cc13fdbb4ac67dbeb104000de06dad094a6669c2894b0a32d317ee2e8d9b62f38b6af0ab1b6ea5b92687bb628fa4224bf0a705f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe
    Filesize

    1.2MB

    MD5

    7786d92296517e19d9ef43301d5e9683

    SHA1

    846dcd8fca2ee19c26b0b8b79b0f41c8982ce907

    SHA256

    8f727f5b33bac619cc7bbfe7ff24352319657cc603c687777b845babf018b932

    SHA512

    03dd20dd3def940ed6813405f986c172470a5c16cfc4163adfccb6ae3368e2ab4d042409d3b8e20abaa371838fae853a3ddf9f4e7b61d7167c06046a7381ce3a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe
    Filesize

    547KB

    MD5

    14782ed87517285c4f64e68ba438c25e

    SHA1

    97a73404d9b3c9d25c613c834734b620f60b4ac3

    SHA256

    b7e6bde88283283eac1711beb25f1daedc4037995cfb8548018b69decc51f4eb

    SHA512

    648293d59b382887849e5101f251a175f735aa8ee70cec8690e29b003c6e8a24de5e18e706206323fedceb4996fe19e1fd6662016296f1229309376ffdde394d

    Download Submit

  • memory/1648-15-0x00000000031C0000-0x000000000356C000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1648-16-0x00000000031C0000-0x000000000356C000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/1648-6-0x00000000031B0000-0x000000000355C000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3048-19-0x0000000073DB0000-0x000000007449E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-20-0x00000000008E0000-0x0000000000C8C000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3048-21-0x0000000005950000-0x0000000005990000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3048-75-0x0000000073DB0000-0x000000007449E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3048-78-0x00000000008E0000-0x0000000000C8C000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/3048-79-0x0000000073DB0000-0x000000007449E000-memory.dmp

    Filesize

    6.9MB

    Download