Overview

overview

10

Static

static

3

b94b9203b9...59.exe

windows7-x64

10

b94b9203b9...59.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    07-03-2024 17:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b94b9203b9682e94a0600f8ad2896e59.exe

  • Size

    1.1MB

  • MD5

    b94b9203b9682e94a0600f8ad2896e59

  • SHA1

    f3316cebbc21d9becaa7744f92dc1de6b2ee31ff

  • SHA256

    4d76bd31c6cb18d229df1ec8fc0c929f37a4cdf694d2c885f1beaeddad3f14d6

  • SHA512

    31f0912abcf2b57ad0f8324ff1db0857c619c13f21be2833d0553ee5586ef9fdc9ec1ba16483ff111a7572627ae5c0619da1f08b7096ac454b39e9609b0dc913

  • SSDEEP

    12288:wyLyxYjZb/yKJ4S1ebC68hpaBUZc7U4p12N4IWgswpJRhpQtXjpyECP4WchMMd/J:mwbL4SPX0BecnphaJGqcQla

Score
10/10
44caliberspywarestealer

Malware Config

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b94b9203b9682e94a0600f8ad2896e59.exe
    "C:\Users\Admin\AppData\Local\Temp\b94b9203b9682e94a0600f8ad2896e59.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\44\Process.txt
    Filesize

    397B

    MD5

    e9848ff9f53033f0cce83c7ff4a6d754

    SHA1

    8b496435b7c111b610113b90d77a28df5961f12e

    SHA256

    8c4e1d826b5bf926e1d2562e57d1e76a67aef7cc1863ec2d610db5b325211373

    SHA512

    3c78d8a430abce02eef9835ebeb7f6fa4718b63abc96646581f309c6dd5a01b3b0757191c9f7c0c24ee65c8107104873ba8dea520edf5b110687112e82fd6f67

    Download Submit
  • memory/1300-0-0x0000000000F50000-0x0000000001068000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1300-1-0x000007FEF5720000-0x000007FEF610C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1300-2-0x0000000000250000-0x0000000000256000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1300-3-0x000000001B070000-0x000000001B0F0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1300-49-0x000007FEF5720000-0x000007FEF610C000-memory.dmp
    Filesize

    9.9MB

    Download