Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-01-2024 21:38

General

  • Target

    6618325d64a870040b82fb73575ee669.exe

  • Size

    1.5MB

  • MD5

    6618325d64a870040b82fb73575ee669

  • SHA1

    5a7a92a76a832d7a5fc37577af8ebb7078cff6e2

  • SHA256

    8298df16c667b88f524bf2cbb79c7f1122fe0f1c95502c5a4e37fa69999affcb

  • SHA512

    641e2c1b6b4c0d1efa590511ead2f46154367a6a9a0a7ac3b7791e2f285214bd8b7ed2309b5c5e59c66475931a2f5245268f99e44f820ecd2bedbb2f6bd233c9

  • SSDEEP

    24576:JhvJVJdMJ7uLp3iEOwnBYnRIOzm3QHxumDWsWT+T6kcfTj4WEs4x8Ka23x:x3dXLp3iEOwnk8BmDCTdkcojxpx

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/866738169181372456/leUwW_rAYekiwOVhgk8WOe6mYy271-wPgyPdfdgGkW3LvRIrgaePX3yC-m_SGyjcPYeJ

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6618325d64a870040b82fb73575ee669.exe
    "C:\Users\Admin\AppData\Local\Temp\6618325d64a870040b82fb73575ee669.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3896
    • C:\Users\Admin\AppData\Local\Temp\ST.exe
      "C:\Users\Admin\AppData\Local\Temp\ST.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:232

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Credential Access
    Unsecured Credentials (T1552): 2
    Credentials In Files (T1552.001): 2
  • Discovery
    Query Registry (T1012): 2
    System Information Discovery (T1082): 3
  • Collection
    Data from Local System (T1005): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ST.exe
    Filesize

    475KB

    MD5

    ee5fa19b09857f3f3e718ebe5a18f376

    SHA1

    b583cd941e0479da53fea293249a6021273e3aac

    SHA256

    f2139428d11728d91c6cd680f70cd8aa4e34ec3ee0d3f10683db4b6aa883aa39

    SHA512

    4b709c154cabb18c33591cf3b09dbe67f3153f96f705c55676d99ac94877970d01ab45ae7877a4bb69ad4ed58955c35c464c812ead6342c367b4be33f28fa789

  • C:\Users\Admin\AppData\Local\Temp\ST.exe
    Filesize

    442KB

    MD5

    166e858d6723c660d9c31d75fdde9030

    SHA1

    9dda1648b86157e9ed402c58bcf6dacf31209512

    SHA256

    1e214fcea82fe889f49ab1d5ecdf6ee9180d46a9c34a771c88c1c9c18c1b88b0

    SHA512

    d36a4d1885b1d71596d757bc955c3a564b635055ec3707f5560ce921ed51389128de8fbac9b50e45a215cd703eba4b332c6f7efaa0ab4518420ebfafef866c68

  • C:\Users\Admin\AppData\Local\Temp\ST.exe
    Filesize

    648KB

    MD5

    87c6f0cab35d4fbd69452e8383c6a17e

    SHA1

    95e978cf9139021e33b02775cbc92ebe9e920bfd

    SHA256

    5632ee02c4d4aca594afc95695709e68f0d8e4ed0b3bf626001ce7d98e829775

    SHA512

    eb4b41348239ca1dd613573f591368e5efd77f97defd38f31941495c35975269655c7c5bb829f3a31159b86d85df0976bc17e317a3db03b2eb5cfa1e1a3e233a

  • C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    72c5adcb8f3c20b0f509c00c8dcdc3e2

    SHA1

    1e366878db0df08f4072374360ba4bd435d48d37

    SHA256

    0bc491cf1fe48a870fae85dd0a0991f15dc473b7e6c41eb75bc2b08279dff19e

    SHA512

    ae750ff06ee0abd9a0fbb3d0ad1555f0bb36dd5baf94b91c003b328e8496fe6cd3906a7c2a1678baa581b247bf28c73b7c17263c8d3416c5a82bc490bc0883d7

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    35e39f88f86148930e67b39be6c81ec9

    SHA1

    66b15c4d703f0930b22babff3fd06a91ae6fa42a

    SHA256

    e1a3ad27fd789fa006fa0231f422aa5bf020a8ae90c47207e8d8b11e57db089a

    SHA512

    000a3f1b7193bbbe73b6555737287363be3000c14352e3a6faf108e891d7b51408cbdb8b7aba0575b152b107e46d75ff1eb789957fe62be83ee989c4392ce4e7

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    464B

    MD5

    f4a42ea290fe84249d001330efdb818b

    SHA1

    756d0549da5400ee79aec24d94b83ddc10b4bcb9

    SHA256

    90b9ca45e816e93a2b194f52b8e56fffef61b2f33b0b57da5cc8b50a4f815720

    SHA512

    5cb5e220e54a6dd0060d208acd043d50d3ca696a2c74992cc676c78151cbecdc3e5b2898e3b192cc33ea0b706b37ad448cbd3671bc930307dede79ccc838ab93

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    665B

    MD5

    edfba9ec34ceb7e2441399ddb2222ab1

    SHA1

    04382d5ec6b2a015d7a668d9bcaf1208544e0dce

    SHA256

    0cd6ab0e50720f9c787921aa353f8c7d19d9de414878b6d10929438598745952

    SHA512

    f3eae2834d36a75c93d833fc28aa312ab0d80284b15afa8f23181c0e900f1472379f82ee873198e953cf7cf11eae28f954f3d24f65fe406fbf2cb41226172832

  • memory/232-14-0x00000000742B0000-0x0000000074A60000-memory.dmp
    Filesize

    7.7MB

  • memory/232-16-0x0000000005FF0000-0x0000000006082000-memory.dmp
    Filesize

    584KB

  • memory/232-15-0x0000000005F40000-0x0000000005F50000-memory.dmp
    Filesize

    64KB

  • memory/232-13-0x00000000008D0000-0x0000000000C7E000-memory.dmp
    Filesize

    3.7MB

  • memory/232-49-0x00000000073A0000-0x0000000007944000-memory.dmp
    Filesize

    5.6MB

  • memory/232-141-0x0000000008400000-0x0000000008466000-memory.dmp
    Filesize

    408KB

  • memory/232-12-0x00000000008D0000-0x0000000000C7E000-memory.dmp
    Filesize

    3.7MB

  • memory/232-145-0x00000000008D0000-0x0000000000C7E000-memory.dmp
    Filesize

    3.7MB

  • memory/232-146-0x00000000742B0000-0x0000000074A60000-memory.dmp
    Filesize

    7.7MB