Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Korepi.rar

windows10-1703-x64

10

Korepi/Korepi.exe

windows10-1703-x64

10

Korepi/chr...nt.pak

windows10-1703-x64

3

Korepi/chr...nt.pak

windows10-1703-x64

3

Korepi/con...ig.xml

windows10-1703-x64

1

Korepi/con...es.pdb

windows10-1703-x64

3

Korepi/d3d...47.dll

windows10-1703-x64

3

Korepi/d4d...er.xml

windows10-1703-x64

1

Korepi/dll/ffmpeg.dll

windows10-1703-x64

1

Korepi/dll/libEGL.dll

windows10-1703-x64

1

Korepi/dll...v2.dll

windows10-1703-x64

3

Korepi/dll...er.dll

windows10-1703-x64

3

Korepi/dll...d.json

windows10-1703-x64

3

Korepi/dll...-1.dll

windows10-1703-x64

3

Korepi/ffmpeg.dll

windows10-1703-x64

1

Korepi/icudtl.dat

windows10-1703-x64

3

Korepi/libEGL.dll

windows10-1703-x64

1

Korepi/libGLESv2.dll

windows10-1703-x64

3

Korepi/system.yaml

windows10-1703-x64

3

Korepi/sys...gl.pdb

windows10-1703-x64

3

Korepi/vgrl.dll

windows10-1703-x64

1

Korepi/vivoxsdk.dll

windows10-1703-x64

1

Resubmissions

08/02/2024, 19:42

240208-ye7cksbg28 10

08/02/2024, 19:33

240208-x9kavshh6s 10

Analysis

  • max time kernel
    132s
  • max time network
    141s
  • platform
    windows10-1703_x64
  • resource
    win10-20231215-en
  • resource tags

    arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
  • submitted
    08/02/2024, 19:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Korepi.rar

  • Size

    22.4MB

  • MD5

    ecb834d94edbee6f13e0851fa6caf1f4

  • SHA1

    3212af8c23e6c19ef53b6b7d711397676b508e26

  • SHA256

    3343644e85fc33f8cd3b97e0f7275053f1c272932379c61b3c0d3c620a23a4ee

  • SHA512

    12e31a8d653f68c5b4af69b9f20622923fd1f28ea414e5dcdc2be373f5a4fcc860f01fafee3b11dca018568c3f602ad1d484c3c19c050ef5348d1c0bb6091254

  • SSDEEP

    393216:daXr/gp4rHPuszFA5Hj/9/gp4rWcQQtwvxPCsWQQs/uszDq2Z/SE/Mb4KZnJsQwJ:di/gp6HHijV/gp6WVQGhW3stzZREb4Qq

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1204820036871651418/CUplXl5h8mK8wayRD4L98BI20GJlZ7pUqazPKIFG3k71PQZAQLEztS-LsGq873wkB2Tf

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Korepi.rar
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Korepi.rar"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Users\Admin\AppData\Local\Temp\7zOCD377338\Korepi.exe
        "C:\Users\Admin\AppData\Local\Temp\7zOCD377338\Korepi.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:392
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3104
    • C:\Users\Admin\Desktop\Korepi\Korepi.exe
      "C:\Users\Admin\Desktop\Korepi\Korepi.exe"
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3872
    • C:\Users\Admin\Desktop\Korepi\Korepi.exe
      "C:\Users\Admin\Desktop\Korepi\Korepi.exe"
      1⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt
      Filesize

      105B

      MD5

      2e9d094dda5cdc3ce6519f75943a4ff4

      SHA1

      5d989b4ac8b699781681fe75ed9ef98191a5096c

      SHA256

      c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

      SHA512

      d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

      Download Submit

    • C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt
      Filesize

      210B

      MD5

      1267f4be35fbe5510886cf08ddee9fdd

      SHA1

      04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

      SHA256

      ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

      SHA512

      6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

      Download Submit

    • C:\Users\Admin\AppData\Local\44\Information.txt
      Filesize

      652B

      MD5

      0383ba4b2c76672c7bf4616228443724

      SHA1

      4254fa044ea48cfb3420f07d906f46fe1c6fab33

      SHA256

      41a7dcefb4d502fe098a57e8b5d6df33f1dd1bfe651a5c0e3f1e988faa7aca82

      SHA512

      25f369db5c9b422e0e387c93afb656b323161369557dc5d613f588b1f766a3bace180043a61a65ab1e076d68cd2507ca56212182ba61bfea5f10f50a626bd19b

      Download Submit

    • C:\Users\Admin\AppData\Local\44\Information.txt
      Filesize

      652B

      MD5

      c79ed26e640491404c74d29855ffba40

      SHA1

      f7b7e48766335c17b34512d22989e236698ed85d

      SHA256

      8accd6442e119c8627132b25fd1a98bae25de3355c15c48656421fd0104d3e8c

      SHA512

      48313d6b2e5cc8a462ee3b392da31cdb6cca94f9c015217de9d275ed6a1554aa1ddb94c33849a080851a2715b801b024454965e326291a792d60673172cf7921

      Download Submit

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      1KB

      MD5

      100053f5310bb54c41aed6f690de35ad

      SHA1

      7f6cb346a78166139c9f7004d01eaa2b975d97d9

      SHA256

      6d44d446187279cfe6d5ef59f1990e79ea36c822d938bf00d3bd25fc13b2544d

      SHA512

      d3c8c9586c7d0dcc16e787c0cd2bb020253a2dc2670c8dd99348c45914c4178ffb5756a2b2b8e24ca29a37ff7ddd08d84d66d7db9f018f4a594c29b163587a85

      Download Submit

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      2KB

      MD5

      f280f6a54b6fd5ce143f214279655276

      SHA1

      9ee637548d241a6ba9e0a55d3674aa90cd4a9ce1

      SHA256

      9167c08e2e7b3e33ef75a8ffcd72f54d2043eaba278dfeb0f93b3508a2fa985c

      SHA512

      cdbf006d5f41a0781d9ab87e8a1a2637b4c435c3d36c236c551ed533f65743d61411abb905885a3f09f73db2c3610a42ffad2d72d21d07c8f895c44829a1d68b

      Download Submit

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      2KB

      MD5

      8154869742c978889f1fb3184035c463

      SHA1

      6f2469473585f335af02205a361866d781d44d3e

      SHA256

      fd73289dc40d62b266f56e2cf4f53c68633de8e569417433ba8ba7589ece2d0f

      SHA512

      99a347e58cc9c2662fb8d9ba9a170511b13db162090e4818b6465b5814af5e65fe53d3f5e95048d860aa5eb85bc76eb41a39e91a90ab4b88421124ebf0a4474c

      Download Submit

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      2KB

      MD5

      c68a73bdce9213609d19d58b77a7c333

      SHA1

      4189ca2a5d6bf13deb1db2015925dea54271cc2d

      SHA256

      2130523c82d9b8560ce9e42d811bd6c211ac30fb97f1c6053bcf4208c2dcb3d1

      SHA512

      a2f74d35979fffd4268e318b0198f21af09ebabe979081d22be85e95c3f4c99876fc92257570fceb2a52fdb7fd0ef4224367265ba416949365adde906274209e

      Download Submit

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      3KB

      MD5

      d8eef15982dcd2278d8cab67f99ded6b

      SHA1

      4e70cf7c0da7069ac973cfa416c984e1fbcca92b

      SHA256

      b06203ea323dcbec734862893eb77780668d5aca7985c21a434f492c4d60ebb5

      SHA512

      3c94805251cb9e8ce71d33110b5f53c947697e3826a1d5896f96e78483d14a2cb28e33d832aca421f019e7b3e616e3a7065e13156d9cf2e45d9319a387efbf49

      Download Submit

    • C:\Users\Admin\AppData\Local\44\Process.txt
      Filesize

      737B

      MD5

      d11659a8c7dca463363596b2eb557fd7

      SHA1

      1b84fa515d75911f96a4a651f6e96b53cd3ec563

      SHA256

      a6c05e72d16ec73bbf89cf011e26175b1f6a58e171057e260438e8e9d88a88cf

      SHA512

      f2f2e50b16058e3551b98c16848b54c15de110d6ae123c61610428e1b11256787454706a4da8ffb5bd68f1422793d87f8887f69711d7e6b80d457cd5444ce6d3

      Download Submit

    • C:\Users\Admin\AppData\Local\44\Screen.png
      Filesize

      128KB

      MD5

      00cc41fe9bc1fcbb9a10bab25e974d86

      SHA1

      d67de5b8be5287bc3730829236dac4f38eafcbfe

      SHA256

      4d07bff81ec7059c26b4e452e86ef986240ab52c8eb7de1f174d794db6bff60f

      SHA512

      13075d1f20f1ad2fb95594da2227fcd85da72636d5a283e60b5ba3074a419ff33eb9f6497e26a2cc795fdc59a46f5449132339d32bcdf2fd9739a30b3865bf89

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Korepi.exe.log
      Filesize

      1KB

      MD5

      a9ad243deaee83581ee742d0ce4f4c58

      SHA1

      2a399d641fe3a1dbedd32831c3d0b4e69c214df9

      SHA256

      3dbce5343fda3438460000ae97a47268e90055a74f1d57b8ffa0f4ded8c13a48

      SHA512

      a2dd670885e2503e38ddd3b251efb2c426453fe65a28a4002f9276c690c7b323d8a13a9576ee3d5ee6ade3a5b36d7e59116978ec51ec40359430fbfebb8b580f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7zOCD377338\Korepi.exe
      Filesize

      274KB

      MD5

      efa2b41e3fad6f9748f69cee22300fd8

      SHA1

      9989d14b2b6876f53969ca4346109fd377013a71

      SHA256

      f8caf6d4c0c782dc6f40399a72286412dba50c081c38efee96417910516e0123

      SHA512

      2bca7353443a8e771abdd71780545f08e20d9231161802a7d838860f6149c07bf912142cf2c2def98439ee3d8904c65fb7f0a2f229dcf73575270062c3f60ec6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp87C5.tmp.dat
      Filesize

      46KB

      MD5

      02d2c46697e3714e49f46b680b9a6b83

      SHA1

      84f98b56d49f01e9b6b76a4e21accf64fd319140

      SHA256

      522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

      SHA512

      60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp87D7.tmp.tmpdb
      Filesize

      5.0MB

      MD5

      7a8dbbd21d9a460640782baeaaaa42a4

      SHA1

      f9c5b5763051773d14570f5466a842df3292c2c5

      SHA256

      e238538ef876f380b162fb1b22359228fcafe8143a45c22ce5dcb4337ab30da7

      SHA512

      c72e62660e9dc7c605a58d33d7780a73ac059a9895ac667c0f2d7a5956cf963ff7bcb6b826b7c318003a9c7c4cc424708c28fb5cd8a0686638ea4a471e386987

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmp87D8.tmp.tmpdb
      Filesize

      96KB

      MD5

      d367ddfda80fdcf578726bc3b0bc3e3c

      SHA1

      23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

      SHA256

      0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

      SHA512

      40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpEA4B.tmp.dat
      Filesize

      92KB

      MD5

      e5984ef57f6e5c9a979cd8da62e790d5

      SHA1

      a8713f506a13857bd4a5a600c6c0f94b5139a8ec

      SHA256

      639bc181e8b90b33485fe76854d4d0eb0b598b83398589b75ff38a9589df0c40

      SHA512

      0e769c782cbc70cf5946ff0503c81124427191852c687cd6a1d0d26025d4ed7c6fbb026bac6e620105f3b9a0d69931c1c220bb646c0567237eb979aace4303bd

      Download Submit

    • memory/392-6-0x000001E5BD050000-0x000001E5BD09A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/392-19-0x000001E5D7620000-0x000001E5D7630000-memory.dmp

      Filesize

      64KB

      Download

    • memory/392-13-0x00007FFDFE9D0000-0x00007FFDFF3BC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/392-106-0x00007FFDFE9D0000-0x00007FFDFF3BC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2828-268-0x000001305AF80000-0x000001305AF90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2828-256-0x00007FFDFE8E0000-0x00007FFDFF2CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2828-354-0x00007FFDFE8E0000-0x00007FFDFF2CC000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3872-165-0x00000247D1B70000-0x00000247D1B80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3872-252-0x00007FFDFE840000-0x00007FFDFF22C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3872-158-0x00007FFDFE840000-0x00007FFDFF22C000-memory.dmp

      Filesize

      9.9MB

      Download