Overview

overview

10

Static

static

10

37ac48c6a3...17.exe

windows7-x64

10

37ac48c6a3...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 13:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37ac48c6a31ec8e83e4b92f03e729917.exe

  • Size

    274KB

  • MD5

    37ac48c6a31ec8e83e4b92f03e729917

  • SHA1

    ae3fb437257f048177223eff1df8f4a009aa6545

  • SHA256

    be163731cfe152309f2f36332968aa275edef44ede0544d9fa37d26ce530cb77

  • SHA512

    9209bf598ee9caa514700921cea8a2e788ce76eb03bf7acb0f21c462859974792d6bcf41d57a0578db90d79a86355556ed87717ee15caf4a5019448fe8d88c30

  • SSDEEP

    6144:Gf+BLtABPD9NF/DVGK7zeNL+dN41V6GIeyXyRA1D0kj2:wNKK7zeNL2Y69eyXX1DL2

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/859014405580783637/J-rOLcLQORAp4rSIpre0H46Lhmzd8QK1hgRFNA4mqYSEz6dtJRq9HsK-id725NgqZTvK

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37ac48c6a31ec8e83e4b92f03e729917.exe
    "C:\Users\Admin\AppData\Local\Temp\37ac48c6a31ec8e83e4b92f03e729917.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3048

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    397B

    MD5

    c410789a149bf9097a383a46ae6e9b4d

    SHA1

    5b725d563bc72710f324873d6e50d95d6389ec19

    SHA256

    db2e7a1bf347e66e9857705f566dab8691e34244a95927db7fdcb5c5acecedf7

    SHA512

    b56ea6f1b3a269a7f8248cf78949ab92c8d65d10f81451e47405f9e2e50bc57d20b8fe002b96e56031da04cbe2ece5a6fa8aba782105bca2c7a1d9e57bd1824a

    Download Submit

  • memory/3048-0-0x0000000000020000-0x000000000006A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3048-1-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3048-2-0x0000000002070000-0x00000000020F0000-memory.dmp

    Filesize

    512KB

    Download

  • memory/3048-49-0x000007FEF54A0000-0x000007FEF5E8C000-memory.dmp

    Filesize

    9.9MB

    Download