44caliber | c5ee34afbf493076223619be9b8019dd214f77c404227aadb0e0b0bc1fc71ce6

Analysis

max time kernel
90s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2024 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b7ac85820cc4f0473db2dd738f64a95.exe
Size

1.0MB
MD5

6b7ac85820cc4f0473db2dd738f64a95
SHA1

bc99b0d5a217d34bbfce0bf129ec1c6437a3bf93
SHA256

c5ee34afbf493076223619be9b8019dd214f77c404227aadb0e0b0bc1fc71ce6
SHA512

834acf63ed2e4f7c1df43ee2b6c060e508204c4bc4541dff44add91acf8e9b1c67b30e636524aeac504648f118085a5a8c44137af17bebc1e612847e03c554e5
SSDEEP

12288:HACVEaXmJ0cp1EspJG+dRBz0s3y7K46HJ9Qv7FgpgmDa4NcbzTZG3GHQ:PyWmJ0cp1NJG+dRBxqa9QTFQNNc/9ZQ

Score

10^/10

44caliber zgrat rat spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/684-0-0x0000000000F10000-0x000000000101A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 freegeoip.app
15 freegeoip.app

flow	ioc
14	freegeoip.app
15	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6b7ac85820cc4f0473db2dd738f64a95.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	6b7ac85820cc4f0473db2dd738f64a95.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	6b7ac85820cc4f0473db2dd738f64a95.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6b7ac85820cc4f0473db2dd738f64a95.exe

pid	process
684	6b7ac85820cc4f0473db2dd738f64a95.exe
684	6b7ac85820cc4f0473db2dd738f64a95.exe
684	6b7ac85820cc4f0473db2dd738f64a95.exe
684	6b7ac85820cc4f0473db2dd738f64a95.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6b7ac85820cc4f0473db2dd738f64a95.exe

description pid process

Token: SeDebugPrivilege 684 6b7ac85820cc4f0473db2dd738f64a95.exe

description	pid	process
Token: SeDebugPrivilege	684	6b7ac85820cc4f0473db2dd738f64a95.exe

C:\Users\Admin\AppData\Local\Temp\6b7ac85820cc4f0473db2dd738f64a95.exe
"C:\Users\Admin\AppData\Local\Temp\6b7ac85820cc4f0473db2dd738f64a95.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
dc4d4d123bcd1ecdd199a23786eeac46

SHA1
51aa755e71c81b1209e0fe80a492150390323a23

SHA256
bec6131a76e7e80d51d42f2e4379cb72152371db01c82e32e1263cb31fafa20a

SHA512
e73bdc175ec8987f6d986c68b4a71fc781f7085a916883ccd882934d91ab0c838dbbfeba9e82875cf44d2a9892e7c970e554d781399b4c8f361ad0ef51fc99ca

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
ae32fcd297e99715bc83be4f8adaf745

SHA1
bdf349c2e5007c2190c941ce588d9258a185a147

SHA256
86c02870e3024d1f455746a615896ccce7a0b2f59f9c91c8f24472fd95e6dacc

SHA512
c600e19fd13e6a4ad5b8bb57581c978b2130658cace5b0231dc70944c7f6806684542c44f0ac2492b8d706f5d6ca30cf04ddc96782ef8d18d7d6377272beb81c

Download Submit
memory/684-0-0x0000000000F10000-0x000000000101A000-memory.dmp

Filesize
1.0MB

Download
memory/684-2-0x000000001BD70000-0x000000001BD80000-memory.dmp

Filesize
64KB

Download
memory/684-1-0x00007FFCE3080000-0x00007FFCE3B41000-memory.dmp

Filesize
10.8MB

Download
memory/684-33-0x000000001BD70000-0x000000001BD80000-memory.dmp

Filesize
64KB

Download
memory/684-32-0x000000001BD70000-0x000000001BD80000-memory.dmp

Filesize
64KB

Download
memory/684-128-0x00007FFCE3080000-0x00007FFCE3B41000-memory.dmp

Filesize
10.8MB

Download