Overview

overview

10

Static

static

10

Dupe V4.42.exe

windows7-x64

10

Dupe V4.42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    40s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-02-2024 22:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dupe V4.42.exe

  • Size

    274KB

  • MD5

    e69695656727b24faa0cce67b8a5a1fe

  • SHA1

    b71ca6b4f9f35bfd551ebf8d09255e4c8b13cc13

  • SHA256

    bce20f47da6456aa5e8ad6a47bef1e56b06efdac90e206d72edf3818e7c28bc9

  • SHA512

    7ddd3bc8229ffa318b1e6a1a8b19e11d8c1088dfd4c07fccf84d1e39501c562e2adb28fd02fac257f2c5f5b25412c151c4c168dac038f55f7e1a693fd2977c66

  • SSDEEP

    6144:wf+BLtABPDsth6Ej/UZkI4TjkRy5xafTyUlI1D0bft:DtK+I4TjkRyZZ1DQt

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1206974551552958464/exNVrcQItQDQp5Vif4AyKwrQX7lXQIl06vDpIAqDtX0OwImj8IH-5I460UrzegqRF6l4

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 43 IoCs
  • Suspicious use of SendNotifyMessage 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dupe V4.42.exe
    "C:\Users\Admin\AppData\Local\Temp\Dupe V4.42.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3228
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    257B

    MD5

    e37caa16b2cb5b54a2a00e94539a05f4

    SHA1

    8fa1dfcfc8e2fefe0f1bd39ab34643eb89b82f9e

    SHA256

    1e5c85f2bffe93b8be943ffad60f4bbb90786649d1c955cb7b2c3b171c420f81

    SHA512

    d5366572a947f8b68dcf913e3a1f48bc2e602286e0b90bf1c2da81d6fed994e80e1318e607807805ac4686751e8566cae299d5e7b1f45aca4268b9b36298dd6b

    Download Submit

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    1KB

    MD5

    22e39d6a653c9d2898f6a0565e2ad52d

    SHA1

    7f3bc848178f08e0703b7e065943ea36352e2268

    SHA256

    e814f470591361c16a0a68d56b45b4ad7b4457a5fa5d7cbc567ac883d981f976

    SHA512

    c1ac6d562b7d7425bf89f72739f88651597507b0492c9858a7fd248380135881bfa14d2d3d4061712d96a0bd586c7d32c16894d75dea7347c5fbc2d94c07b570

    Download Submit

  • memory/1436-124-0x00000221B73C0000-0x00000221B73C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-128-0x00000221B73C0000-0x00000221B73C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-134-0x00000221B73C0000-0x00000221B73C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-133-0x00000221B73C0000-0x00000221B73C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-122-0x00000221B73C0000-0x00000221B73C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-123-0x00000221B73C0000-0x00000221B73C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-132-0x00000221B73C0000-0x00000221B73C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-131-0x00000221B73C0000-0x00000221B73C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-129-0x00000221B73C0000-0x00000221B73C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1436-130-0x00000221B73C0000-0x00000221B73C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3228-24-0x000002764D890000-0x000002764D8A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3228-0-0x0000027633170000-0x00000276331BA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/3228-121-0x00007FFF13010000-0x00007FFF13AD1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3228-14-0x00007FFF13010000-0x00007FFF13AD1000-memory.dmp

    Filesize

    10.8MB

    Download