Overview

overview

10

Static

static

10

gamesense.exe

windows10-2004-x64

10

loader+vacbypass.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    28s
  • max time network
    29s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-03-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gamesense.exe

  • Size

    275KB

  • MD5

    06d26e80e55344a8a483c357d2c93361

  • SHA1

    791f3e4a55785b940dfd335b9bf408a276b95258

  • SHA256

    0e9d0fb06c0f889d46fac8b5d9afeb4a503ac39a73742729ec38a83cf48c3623

  • SHA512

    504bea28b846edb81050792dc309a79d17c312df58b3fb363ecd6b281703c575ac9e643c91749fe15c9bb344de0124fe160e0e1910583857919c8fdc3d5750fd

  • SSDEEP

    6144:Bf+BLCABPCSyu0Y6/8eaxLaqJCVImMOAle0EO+J:8yvZaxLaDVvgle3J

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1140809162201243699/btqO8cRb46bEQDfduagpAMVv7owTAQ07NMRmYHKOBoLrPmi8MTwUvTQMbnvuk2E4cchn

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 37 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 30 IoCs
  • Suspicious use of SendNotifyMessage 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gamesense.exe
    "C:\Users\Admin\AppData\Local\Temp\gamesense.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2832
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:3428

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Process.txt
    Filesize

    1KB

    MD5

    e326b8d1b860bc755f6ed57d4de1cd3b

    SHA1

    c6302a71de6dfc307bab0446f8a173e6aefa5f15

    SHA256

    a3669df2c7f8fb6c7d923909d7efd19c848123355e095aa8cac297133ead8690

    SHA512

    b11036cc9550f11dfea5902499463cd6f938b94093748eba8881edcf5182ed1466a66636c460a7ab841b7c351e0de3d229f4f4aedc3e8422577b9ac468853832

    Download Submit

  • memory/2832-0-0x0000020B3B860000-0x0000020B3B8AC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2832-3-0x00007FFB180E0000-0x00007FFB18BA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2832-13-0x0000020B3D410000-0x0000020B3D420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2832-128-0x00007FFB180E0000-0x00007FFB18BA1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3428-130-0x0000026255410000-0x0000026255411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3428-129-0x0000026255410000-0x0000026255411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3428-131-0x0000026255410000-0x0000026255411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3428-135-0x0000026255410000-0x0000026255411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3428-137-0x0000026255410000-0x0000026255411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3428-138-0x0000026255410000-0x0000026255411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3428-136-0x0000026255410000-0x0000026255411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3428-139-0x0000026255410000-0x0000026255411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3428-140-0x0000026255410000-0x0000026255411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3428-141-0x0000026255410000-0x0000026255411000-memory.dmp

    Filesize

    4KB

    Download