Overview

overview

10

Static

static

3

fly vw.exe

windows7-x64

10

fly vw.exe

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fly vw.exe

  • Size

    3.0MB

  • Sample

    240220-wrc86acg6y

  • MD5

    e9741cbf19fc1947d6c586564585f53f

  • SHA1

    6580de244f3f2f77548376aabf1671a2b76e0b4e

  • SHA256

    72ec0572620cb474a46ee2a6092f3d080c25b66b07d76fd2dd72d3f2388f04a0

  • SHA512

    4560eb4fb3706967e24a0cbcf34387564ab1b0e340a910ed7b925ec5dc80661c7b39a46650586c3991badfd343f3ad3cf67506f5afda4af859784629988b047a

  • SSDEEP

    49152:tM3r1CyUBpXb9OZxkjBJrlrCZ9eZHtFs6SC5bAPLERCpydSECwKWvtY0:qJC1pb9OZ+9dlKwZHtFg8czE0pydSECW

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/1192569430484463717/I6Kwe8DzntI6vhtlBS66UU8vV05EYfDX3mK1x5PPRmeEfRH9iurdtdMxHmv2ZZuW3Ev5

Targets

    • Target

      fly vw.exe

    • Size

      3.0MB

    • MD5

      e9741cbf19fc1947d6c586564585f53f

    • SHA1

      6580de244f3f2f77548376aabf1671a2b76e0b4e

    • SHA256

      72ec0572620cb474a46ee2a6092f3d080c25b66b07d76fd2dd72d3f2388f04a0

    • SHA512

      4560eb4fb3706967e24a0cbcf34387564ab1b0e340a910ed7b925ec5dc80661c7b39a46650586c3991badfd343f3ad3cf67506f5afda4af859784629988b047a

    • SSDEEP

      49152:tM3r1CyUBpXb9OZxkjBJrlrCZ9eZHtFs6SC5bAPLERCpydSECwKWvtY0:qJC1pb9OZ+9dlKwZHtFg8czE0pydSECW

    Score
    10/10
    44caliberspywarestealer

    • 44Caliber

      An open source infostealer written in C#.

      stealer44caliber

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks