Extracted

• • Target

    8a098265737317cd7bf7bbef762b81c1

  • Size

    2.2MB

  • MD5

    8a098265737317cd7bf7bbef762b81c1

  • SHA1

    e1c206f8914af7b22b4cc0af74966723faefd1bd

  • SHA256

    26ef72d7170fa0aa8ffab8695637d465040d1e51a8ba03a22855d7abfb902fbe

  • SHA512

    1a66997af3559b58db357e021ccce53a5de87fa47c5fba4c175f930792b0c8b2ec43a67823df7112e9b662935bbc81b0f367912ab5d729ec076d8742df7a9d69

  • SSDEEP

    24576:kJKWsWCN4jTYnUg5cb4xBNJhzuVy5rlZvUvb9CxxPkkz8V5p80kd2pkP4ij/v7IT:kJ2W/oUr4DNzzXrT4kMVfzhGN7es/K

  Score

  10^/10

  44caliberevasionspywarestealertrojan

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber

  • Identifies VirtualBox via ACPI registry values (likely anti-VM)

    evasion

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Identifies Wine through registry keys

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Checks whether UAC is enabled

    evasiontrojan

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  behavioral1behavioral2