Overview

overview

10

Static

static

7

5e3b448a40...43.exe

windows7-x64

10

5e3b448a40...43.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-01-2024 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5e3b448a401c6b9662d1e3d0d5cb2143.exe

  • Size

    2.7MB

  • MD5

    5e3b448a401c6b9662d1e3d0d5cb2143

  • SHA1

    f290401040a78886975024e54b9e53d20169563d

  • SHA256

    a2119eeffe066d388268d02e56303423b8ec267efae306609c1b316dc0c04cab

  • SHA512

    677aba5e6ec76d3e21242638b0f31eb5ff4351c7fa14676d0ed87ac8c999552ef02de7423e5acd8bbdc9d43fcd45ff1330151d29f685ef0319e038d63dbd4cba

  • SSDEEP

    49152:Izosmx2LWrn4StMIlux28xPmXtNMGi72arIPR5pl20hukH5jE9PlU/goROD+e8WD:zZnr4yRl6xPmXtNML7zA12OFHMNU/bRW

Score
10/10
44caliberecheloncollectiondiscoveryevasionspywarestealerthemidatrojan

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/877099784312328213/gbN3AhFr-HwOYeSmi-AjLnTIHhnG8GV5LfjEhIncHO-_rtFM2jafytOi5GkZCyhMgXTd

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detects Echelon Stealer payload 2 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

    stealerspywareechelon
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5e3b448a401c6b9662d1e3d0d5cb2143.exe
    "C:\Users\Admin\AppData\Local\Temp\5e3b448a401c6b9662d1e3d0d5cb2143.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • NTFS ADS
    • Suspicious use of WriteProcessMemory
    PID:4172
    • C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe
      "C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3472
    • C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe
      "C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe
    Filesize

    274KB

    MD5

    9df1e86f0c44b525df31975949fe225a

    SHA1

    a1869bd91c12f6e96339d112d2acb0f018c31f6e

    SHA256

    13685d73ac437d3d5f976b9f600b183a489aa8871596ee9bec5d27ceb53c0b13

    SHA512

    7dfe7348e4934aa5d5b21af64ed0d90397fb430ea8dd6f5b104b69edc80e51766c6150f8db37749912dc47f604fa18dff4e9cfbf7a850248d16cf8acdd2d5bb6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe
    Filesize

    581KB

    MD5

    ae9fc2812c2a6d55c9f66b626963639f

    SHA1

    22b0e3477e075bb7fbe70121f51567d50c6d5d39

    SHA256

    c46ae05c8aecb322d21d504e5dc4665304c12f4a23da2222f58bc940ee53345c

    SHA512

    37ef5617f2fda51865f850a9d089e9e56de29508a1b153ada6fd8e32375fdd0f8750b9c5946508a5b0a7a06d61f271fc3d4ffca66d2a8ae72adfed11fc226e88

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22ED8715E.tmp
    Filesize

    92KB

    MD5

    ec564f686dd52169ab5b8535e03bb579

    SHA1

    08563d6c547475d11edae5fd437f76007889275a

    SHA256

    43c07a345be732ff337e3826d82f5e220b9474b00242e335c0abb9e3fcc03433

    SHA512

    aa9e3cb1ae365fd5a20439bca6f7c79331a08d2f7660a36c5b8b4f57a0e51c2392b8e00f3d58af479134531dc0e6b4294210b3633f64723abd7f4bc4db013df9

    Download Submit

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    7b3ea807c0ea9fc4647a73f5c08c7f8f

    SHA1

    c5748c5ab5b05a05a7ca0db82521fc7bcc3f2109

    SHA256

    33926d45c688179f283327b335b99c974c935b58265dfcd139fdd8bd7a782292

    SHA512

    b9985aca26de73190ddaa93c17aeff94294303d302c31e5cac625c31c7062af311395bbaef9ce411e63a426553aed62eba56ac7adfdadc44f2e4681c756481c0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    45281db3021cc392385e03b0b2e89b23

    SHA1

    f3f4b7c00e44c10f17b45764249733080626384b

    SHA256

    572ebd9c1cf15afbfb602445fc150fd48d02fe8078a7abc5a13eafd30f0cf303

    SHA512

    2ca210b211131021997d0fd2a9463f930d4c93f8016cfe57157c03c1d3569c76ff10b896401e409afba1ebd2e1e67f0127b2288e0d5f8bb5b838aa95e439717b

    Download Submit

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    376B

    MD5

    6fa5ccf33b67952483ff75552bf5dc01

    SHA1

    c3d70ad87bac2c98fe867c8ea32f18037491c318

    SHA256

    a5a36020c80202c8a13685ea321d97b1308cbef7fa36f4c4381cffe633c44d21

    SHA512

    05f3f5274647364545e956494cd76b30ce7d43d6f3299b445226f63f34cbdfc00b61e1470d3876ea910f9b6f025e48d2f1f78ba87d2475f97e5a5e5b7871491b

    Download Submit

  • memory/2292-62-0x00000194BCF00000-0x00000194BCF10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2292-174-0x00007FFC8CB20000-0x00007FFC8D5E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2292-176-0x00007FFC8CB20000-0x00007FFC8D5E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2292-51-0x00007FFC8CB20000-0x00007FFC8D5E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2292-63-0x00000194D71A0000-0x00000194D7216000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2292-27-0x00000194BCA20000-0x00000194BCAB8000-memory.dmp

    Filesize

    608KB

    Download

  • memory/2292-175-0x00000194BCF00000-0x00000194BCF10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3472-29-0x000000001B190000-0x000000001B1A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3472-28-0x00007FFC8CB20000-0x00007FFC8D5E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3472-26-0x00000000004C0000-0x000000000050A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3472-157-0x00007FFC8CB20000-0x00007FFC8D5E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4172-0-0x0000000000400000-0x0000000000A84000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4172-1-0x0000000077654000-0x0000000077656000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4172-31-0x0000000000400000-0x0000000000A84000-memory.dmp

    Filesize

    6.5MB

    Download