Extracted

• • Target

    4e66b442315b528793daf29f272beb6e

  • Size

    13.2MB

  • MD5

    4e66b442315b528793daf29f272beb6e

  • SHA1

    5085c7f9d376063e9544fc9fe6c94a3567fae67d

  • SHA256

    f920013efc8d6839e9ff3a2ce43010e1fb46a941a95f99b8c39335d1fbb1bc29

  • SHA512

    5165565ebc68a408842cf6ea6bf14d60172d2f4fc2c684d16235db2368ae12f53277580fc2103eda1fc102bc68e8742882ab78e74b31ee686bd3c3c5941d89e1

  • SSDEEP

    393216:CWeWk6XZcIgBBQFOnQ+NZrqCkbEp+DNjyymL8AV:Cz6J7gP8OnQctRQg+hyyW

  Score

  10^/10

  44caliberevasionpersistencespywarestealerthemidatrojanupx

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber

  • Modifies WinLogon for persistence

    persistence

  • UAC bypass

    evasiontrojan

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Themida packer

    Detects Themida, an advanced Windows software protection system.

    themida

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2