Overview

overview

10

Static

static

3

8010a52546...d4.exe

windows7-x64

10

8010a52546...d4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2024 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8010a52546b7b4927e062e9f11d90cd4.exe

  • Size

    1.2MB

  • MD5

    8010a52546b7b4927e062e9f11d90cd4

  • SHA1

    e080c197ea3deba26b51b83d7d8fca65220c20b0

  • SHA256

    2b9acc15e272c93ebb1de7a8589d71bc0fef713bbcbd7d049960e4064d816c2b

  • SHA512

    35bc392fa40804224dedea630bc55aa9b2646b615268e1222fec1a9d46872b49b67beb2a40057c92588a3b28141d23815658ccece78182e411de1e97164550ee

  • SSDEEP

    24576:4IwdkMPH5dnYh6cBq0RQHD2MoulzpiwqdPrUPbBU5iuVAGU/f:JaZVw6cc7D2MJlztqVrUPb2km3U/f

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/866711810735996958/O6j2s0-Vj_HxOXRLkQqnJ3yalpf3Cuf5oOuopPL8nk4awQ3YRl6cndwNbPZLwQ8pLRY5

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8010a52546b7b4927e062e9f11d90cd4.exe
    "C:\Users\Admin\AppData\Local\Temp\8010a52546b7b4927e062e9f11d90cd4.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\44\Process.txt
    Filesize

    412B

    MD5

    dd9e37956585b39629aee4c543e885eb

    SHA1

    c75aa94054f4773907927138013b2b8c31aa3b22

    SHA256

    4b3dffdc88e4bf8e7ae95a4e1bf8e66d61da9e99fe8b564442ac3d5d662b273d

    SHA512

    95da508083155568b90edbefdf90bf332465dd2a61ade45cc5cb6e5c165262e35f779cbc8b3191439441481424b1a80bf5c845584a7dce538465a5f31aa34ac7

    Download Submit
  • memory/3028-0-0x0000000000CE0000-0x0000000001090000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/3028-1-0x0000000000CE0000-0x0000000001090000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/3028-2-0x0000000074AB0000-0x000000007519E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3028-3-0x00000000026D0000-0x0000000002710000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3028-55-0x0000000000CE0000-0x0000000001090000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/3028-56-0x0000000074AB0000-0x000000007519E000-memory.dmp
    Filesize

    6.9MB

    Download