Overview

overview

10

Static

static

3

sosa.exe

windows10-1703-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    sosa.exe

  • Size

    802KB

  • Sample

    240317-v435nsbd34

  • MD5

    945d2a9d5d4e823e24248599c7729e21

  • SHA1

    68129a0da152573622f47b8c76125adfd10a2e42

  • SHA256

    54047ad6b586bd8a5196f0464cbdb04e22435bb6ebf0c90483ed43a0302dcfe1

  • SHA512

    675a4087ddc3e7880ba6f41abaff1c06c02305d5187b35c1221077c3c8bc49a72efc50233de2418c0525fce2297d55a7044e2a8c5fd01f1228612730f7b8ad8a

  • SSDEEP

    24576:dgMMGv+oVPdb7Cb4vCCI4hsw5PHtwyLhZTY+ha4P8/B8wQDrikCmN:dgMPw8FBjwQPw

Score
10/10
44caliberstealeriumcollectionevasionspywarestealer

Malware Config

Extracted

Family

stealerium

C2

https://discordapp.com/api/webhooks/1218245534754672670/2YtS8ZZZGLfJ4a53R8Upd6pJBfJGWdMziuCCB4zfvLaT1l665IRoHYEEg_nhBYAO-SIw

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/1218700109580206200/ClDSaxv7M9ZG9hShaQNLqX_ocqqkyBFA3LB7wEkB4tRPlAiZElGtyTIzFrXPhSCZ0Oci

Targets

    • Target

      sosa.exe

    • Size

      802KB

    • MD5

      945d2a9d5d4e823e24248599c7729e21

    • SHA1

      68129a0da152573622f47b8c76125adfd10a2e42

    • SHA256

      54047ad6b586bd8a5196f0464cbdb04e22435bb6ebf0c90483ed43a0302dcfe1

    • SHA512

      675a4087ddc3e7880ba6f41abaff1c06c02305d5187b35c1221077c3c8bc49a72efc50233de2418c0525fce2297d55a7044e2a8c5fd01f1228612730f7b8ad8a

    • SSDEEP

      24576:dgMMGv+oVPdb7Cb4vCCI4hsw5PHtwyLhZTY+ha4P8/B8wQDrikCmN:dgMPw8FBjwQPw

    Score
    10/10
    44caliberstealeriumcollectionevasionspywarestealer

    • 44Caliber

      An open source infostealer written in C#.

      stealer44caliber

    • Stealerium

      An open source info stealer written in C# first seen in May 2022.

      stealerstealerium

    • Enumerates VirtualBox registry keys

      evasion

    • Identifies VirtualBox via ACPI registry values (likely anti-VM)

      evasion

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Downloads MZ/PE file

    • Looks for VMWare Tools registry key

      evasion

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

4
T1497

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

7
T1012

Virtualization/Sandbox Evasion

4
T1497

System Information Discovery

3
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks