Overview

overview

10

Static

static

1

6e0198412d...33.exe

windows7-x64

10

6e0198412d...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-01-2024 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6e0198412dc4c49a52a6559e6994e733.exe

  • Size

    1.7MB

  • MD5

    6e0198412dc4c49a52a6559e6994e733

  • SHA1

    7d64b2341d03e46fafe7b351ae6903f3a2def5be

  • SHA256

    a795c7e73ca5c2e93d05a98da042618d6bc9cf194813f0b1e8c0eee6ddc95846

  • SHA512

    1d25745005b9d0efa8d356cda991c4cfb3d275216f24d62fec7d3e7f14106c6ec1a98522df5166e4760f2625222536d6cad456f8b5d72974150ef51678e8bd0a

  • SSDEEP

    49152:LgAYZTy551GTnx94KTfoFMNI0OsCytS+mRWZVHm:0XwpkxeKs0OsC+BZVH

Score
10/10
44caliberblackguardspywarestealer

Malware Config

Extracted

Family

blackguard

C2

https://api.telegram.org/bot1797125241:AAE1XIY55Ovg-afkvywGkitP-lumPvMjAuQ/sendMessage?chat_id=894993333

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • BlackGuard

    Infostealer first seen in Late 2021.

    stealerblackguard
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6e0198412dc4c49a52a6559e6994e733.exe
    "C:\Users\Admin\AppData\Local\Temp\6e0198412dc4c49a52a6559e6994e733.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\44\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit
  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    a0a8598da9618656efaee468e096f5c2

    SHA1

    fe2edd36ebabed91308cbb32f92b9e0c7d2172cc

    SHA256

    70e33a9f1d0316c2f8d17c43ecee9bbb64b48120d8607892fdc87cd12fda6a16

    SHA512

    5a226424aaaec76125f943b97857d8a4f8d86eb089df488ff42eb92f0e536383a17e30ffcccc58a8e1e57074f6ff078192b6076f4d25e1f0f11caea5f1779eed

    Download Submit
  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    735B

    MD5

    25beab8d99b33dd5a06a11b5ecd3636f

    SHA1

    af8dc9ebd35df4508589313c07508c7f181bf732

    SHA256

    eab09a6310fb1eb61ad7f8318c7798e75cad7db124ecf11cf0d848169b1e186b

    SHA512

    dd44ddf01338096f137378053cb76d993dd8e8809ee874c0efded1966946afbc7d5e1d0c2ae5d66859561afbe17e2aa9df743689e520c9e878c0a0a66af1ae2a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    1KB

    MD5

    627892e673a35df863742afdf040080f

    SHA1

    d0508d962a8e8eb7f9e2774d5f16c62e2b1a59a6

    SHA256

    3b4db881681af44be02b1986de566901c8087d656c2d39a9a91ea64ac1713331

    SHA512

    479048c8251a32b1321eed5b7341b01b65af8241e85413ea1dca06d086e4ae8269fba2ebca542841c44f6657e4233c7fd1e81ff0678bf7fb09dbead725b2922b

    Download Submit
  • memory/3752-5-0x0000000005D70000-0x0000000005D80000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3752-130-0x0000000007060000-0x00000000070C6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3752-42-0x0000000006B60000-0x0000000006BF2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3752-43-0x00000000071B0000-0x0000000007754000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3752-3-0x00000000004E0000-0x00000000009C2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/3752-2-0x00000000004E0000-0x00000000009C2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/3752-1-0x00000000740F0000-0x00000000748A0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3752-0-0x00000000004E0000-0x00000000009C2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/3752-154-0x0000000006690000-0x000000000669A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3752-155-0x00000000066A0000-0x00000000066A8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3752-156-0x0000000007130000-0x0000000007152000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3752-157-0x0000000007860000-0x0000000007BB4000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/3752-159-0x00000000004E0000-0x00000000009C2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/3752-163-0x00000000004E0000-0x00000000009C2000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/3752-164-0x00000000740F0000-0x00000000748A0000-memory.dmp
    Filesize

    7.7MB

    Download