Overview

overview

10

Static

static

10

4e89652421...91.exe

windows7-x64

10

4e89652421...91.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    09-01-2024 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e896524210ad3a26c70e5b835a7f791.exe

  • Size

    598KB

  • MD5

    4e896524210ad3a26c70e5b835a7f791

  • SHA1

    56266f2cfcccaadd39a76fd2b71f776d81777f7e

  • SHA256

    9aa6cc584cb71f79cd0bed533930514f04b3f1f84163cd0fa5808e6d88d26362

  • SHA512

    bfa8ed75ec6da65875ca654092930cd3ebac0f8e8f2c1650c9dc67e570de5f4622edd20d4b7398365e0bcba2e52c8b5214221fd347c296065bbc40913ea046de

  • SSDEEP

    12288:1tqe3zJK6Y69eyXf1DBLP/NtvEbCzCo06qVwe6FQp9ioP0:bdI6F3PTsbCx06qH6F4RP

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/855417360688480256/JUyPPd3soXD0X_vllpMQMEAEAMSAs1J4iX2r2jRuXhB3kX2tHimYk-jMIi71U29HYoiG

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e896524210ad3a26c70e5b835a7f791.exe
    "C:\Users\Admin\AppData\Local\Temp\4e896524210ad3a26c70e5b835a7f791.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    178B

    MD5

    5fa188b016b8769d6ec3c01cfe72a235

    SHA1

    9102538c6baa53bd4a4fdc958415377151532b91

    SHA256

    338ab2eba46b528da6e585df53773ddc992ed0cf486e397034adab056bba1a19

    SHA512

    a26496a1e015ce75aea9c19056f965c9001bf4bda8402811a2450c65ac099e81c3f6ca4cb759080e95a7508c4486b8bc63b9844e76493c60e46bdf391222b8ec

    Download Submit
  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    397B

    MD5

    2976d04d0062df8c392e03eb132ba274

    SHA1

    b558b027ab3be3b1ce62c1bbff15ca0ed39599f8

    SHA256

    8e45b9ad45fa3388ba165dd46e6bc099c03b7e5472c5bc5a4844f17d7c8014d3

    SHA512

    62f8cc597402d48fa8cbb0f281844efc247c3b23c08a959dc1bbf6f35d1f1da890885e074c739225bb6b725927567e6ab7fd41010b8024d5b9bbcbc977e2a36d

    Download Submit
  • memory/2968-0-0x00000000010E0000-0x000000000117A000-memory.dmp
    Filesize

    616KB

    Download
  • memory/2968-1-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2968-2-0x0000000000430000-0x00000000004B0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2968-49-0x000007FEF54E0000-0x000007FEF5ECC000-memory.dmp
    Filesize

    9.9MB

    Download