Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    15-01-2024 22:18

General

  • Target

    5e3b448a401c6b9662d1e3d0d5cb2143.exe

  • Size

    2.7MB

  • MD5

    5e3b448a401c6b9662d1e3d0d5cb2143

  • SHA1

    f290401040a78886975024e54b9e53d20169563d

  • SHA256

    a2119eeffe066d388268d02e56303423b8ec267efae306609c1b316dc0c04cab

  • SHA512

    677aba5e6ec76d3e21242638b0f31eb5ff4351c7fa14676d0ed87ac8c999552ef02de7423e5acd8bbdc9d43fcd45ff1330151d29f685ef0319e038d63dbd4cba

  • SSDEEP

    49152:Izosmx2LWrn4StMIlux28xPmXtNMGi72arIPR5pl20hukH5jE9PlU/goROD+e8WD:zZnr4yRl6xPmXtNML7zA12OFHMNU/bRW

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/877099784312328213/gbN3AhFr-HwOYeSmi-AjLnTIHhnG8GV5LfjEhIncHO-_rtFM2jafytOi5GkZCyhMgXTd

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Detects Echelon Stealer payload 5 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e3b448a401c6b9662d1e3d0d5cb2143.exe
    "C:\Users\Admin\AppData\Local\Temp\5e3b448a401c6b9662d1e3d0d5cb2143.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe
      "C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2148
    • C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe
      "C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2752
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 2752 -s 1272
        3⤵
          PID:1612

    Network

    MITRE ATT&CK Matrix (ATT&CK v13)

      • Defense Evasion
        • Virtualization/Sandbox Evasion (T1497): 1
      • Credential Access
        • Unsecured Credentials (T1552): 2
          • Credentials In Files (T1552.001): 2
      • Discovery
        • Query Registry (T1012): 3
        • Virtualization/Sandbox Evasion (T1497): 1
        • System Information Discovery (T1082): 4
      • Collection
        • Data from Local System (T1005): 2

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe
      Filesize

      253KB

      MD5

      2addfeda2537d0e29dd11aff81744888

      SHA1

      973a595b17225f7113d51c37f225146a98b5ca9e

      SHA256

      f9235a86d849f1b17f65d85eec43dd1aca5f35def08bec4be0feaec317b15808

      SHA512

      0abb0da37f429b9c60927f3ae39d07897107765e833c53350f28bc521cd11ddd20a8694c15fceda59f6e9f28a883b1e4929168dd05abec4d52d98ab64cdc2074

    • C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe
      Filesize

      418KB

      MD5

      96c3200d660b501538805a8f72057499

      SHA1

      6682493d7f7972f41aeb155b6882e125e47b5b80

      SHA256

      a438524e33c3bd4af0d4ef3bf4a9bba6fd644dde7236384e7e372e081b18753c

      SHA512

      45ceaa46997494ab9aa778bbd2e3931fefab127a68352939c45fb2ed01dc4e1f85ca96875ef457b03cb4f4bc2af4e1bdcffa655e966c1f6b6ca15ff1cc7274d7

    • \Users\Admin\AppData\Local\Temp\ProtonHack.exe
      Filesize

      274KB

      MD5

      9df1e86f0c44b525df31975949fe225a

      SHA1

      a1869bd91c12f6e96339d112d2acb0f018c31f6e

      SHA256

      13685d73ac437d3d5f976b9f600b183a489aa8871596ee9bec5d27ceb53c0b13

      SHA512

      7dfe7348e4934aa5d5b21af64ed0d90397fb430ea8dd6f5b104b69edc80e51766c6150f8db37749912dc47f604fa18dff4e9cfbf7a850248d16cf8acdd2d5bb6

    • \Users\Admin\AppData\Local\Temp\ProtonHackers.exe
      Filesize

      363KB

      MD5

      2fe4f79252cd9cf9cf1a5e8473ea94ef

      SHA1

      bf77fd826ece97985dc8b6843b1d63a98591646f

      SHA256

      6c344b38fe2fafe25ae07e760a043e05b8e991329350306dff21c62dca5a2373

      SHA512

      1ccd6644b9fad5b7ee5e0e79348339c70360d46e2164afc9ba7d49e4984ece43e9c4b666a6236abba090f6d14353f3e04d371be11edb38043eddafa0dfc52a36

    • memory/816-0-0x0000000000400000-0x0000000000A84000-memory.dmp
      Filesize

      6.5MB

    • memory/816-1-0x00000000773F0000-0x00000000773F2000-memory.dmp
      Filesize

      8KB

    • memory/816-16-0x0000000000400000-0x0000000000A84000-memory.dmp
      Filesize

      6.5MB

    • memory/2148-17-0x00000000008F0000-0x000000000093A000-memory.dmp
      Filesize

      296KB

    • memory/2148-19-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp
      Filesize

      9.9MB

    • memory/2148-21-0x000000001B4E0000-0x000000001B560000-memory.dmp
      Filesize

      512KB

    • memory/2148-73-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp
      Filesize

      9.9MB

    • memory/2752-18-0x0000000000050000-0x00000000000E8000-memory.dmp
      Filesize

      608KB

    • memory/2752-20-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp
      Filesize

      9.9MB

    • memory/2752-40-0x000000001AEC0000-0x000000001AF40000-memory.dmp
      Filesize

      512KB

    • memory/2752-74-0x000007FEF5900000-0x000007FEF62EC000-memory.dmp
      Filesize

      9.9MB

    • memory/2752-75-0x000000001AEC0000-0x000000001AF40000-memory.dmp
      Filesize

      512KB