Overview

overview

10

Static

static

3

8d06aa1339...42.exe

windows7-x64

10

8d06aa1339...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    03-02-2024 18:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d06aa1339eb228d1e1cadafaafa6642.exe

  • Size

    1.2MB

  • MD5

    8d06aa1339eb228d1e1cadafaafa6642

  • SHA1

    10ee0eeae5ea05c4b129396e7698e080d1dd6b82

  • SHA256

    365b5ff8ca48c1fc8199963f1ca5b8ba17cdaf509a70bdcf39a1f494939efbef

  • SHA512

    c0db2d5c75d2b7fbaf5749979c98c7aa2b97ae89447b091b624f0c8b9c3339c5de26a174f477da6f9b4c04e1580d5bc2bdbc27ce8a295483cf6103c8ea825d70

  • SSDEEP

    24576:SE6n68i0m4emAe0yup0fqRJXaFGAVD+jz4EhCjV2hvbS:z6n68NA3yupo+8VD+rG2B

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/856136644549672990/QUNtw2qTusIFDmzy-UzjpJMUoOb_iEuhuGYNbubQrYAP-N--gudEwK04jXD4FjY9AbgU

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d06aa1339eb228d1e1cadafaafa6642.exe
    "C:\Users\Admin\AppData\Local\Temp\8d06aa1339eb228d1e1cadafaafa6642.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2212

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    257B

    MD5

    df27f79d821632be1ec7067198672b4d

    SHA1

    b241f64158d3d7048fdf481e423b0a6b2dadd54a

    SHA256

    99206f959b2a42dc2c6508fc82c424eb835a89ae690792f73a045689abb07a18

    SHA512

    e1cf9074b98be94a314dd97d10e10cce9360c946331cfefdce3408c3d229f1ddf759afb8778f630055160553feae6bac3b24de2f48083fa18a60ca1d003119ae

    Download Submit

  • memory/2212-0-0x00000000013E0000-0x0000000001790000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2212-1-0x00000000013E0000-0x0000000001790000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2212-2-0x00000000013E0000-0x0000000001790000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2212-3-0x0000000074B40000-0x000000007522E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2212-4-0x0000000005620000-0x0000000005660000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2212-54-0x00000000013E0000-0x0000000001790000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/2212-55-0x0000000074B40000-0x000000007522E000-memory.dmp

    Filesize

    6.9MB

    Download