Overview

overview

10

Static

static

10

a8f8537dd9...d6.exe

windows7-x64

10

a8f8537dd9...d6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-03-2024 23:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a8f8537dd994c6405a155144f0ea72f66f95e0beb94c64ace5dcede4e405e3d6.exe

  • Size

    274KB

  • MD5

    0f62fa73ab2574ad652247b0d0c1d53b

  • SHA1

    9755b759767a62ee6f0d188fc0713b7d9f4da6c2

  • SHA256

    a8f8537dd994c6405a155144f0ea72f66f95e0beb94c64ace5dcede4e405e3d6

  • SHA512

    ba726cac73b9c5a491ba74cb61731d90da54ee9d709d6f08ea9bde41f5bd4cb6013de4e1e068df7ea29b12a9bb6d2dbb0cef2585057722f4260faf0cfe34d698

  • SSDEEP

    6144:cf+BLtABPDLgj1xw1eO5rbMMzhgUsYqTXGR1afTyElI1D0uwX:n161eO5rbHHsYqTXG9p1D2X

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1220750955448893500/rzVzB_J0mIM7yMj5hlY1HnUJ8dpAQ8Q15SDx6jq9JhiYRJikDTjetvA86KDH-S-q1sWM

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables Discord URL observed in first stage droppers 1 IoCs
  • Detects executables referencing Discord tokens regular expressions 1 IoCs
  • Detects executables referencing credit card regular expressions 1 IoCs
  • Detects executables referencing many VPN software clients. Observed in infosteslers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8f8537dd994c6405a155144f0ea72f66f95e0beb94c64ace5dcede4e405e3d6.exe
    "C:\Users\Admin\AppData\Local\Temp\a8f8537dd994c6405a155144f0ea72f66f95e0beb94c64ace5dcede4e405e3d6.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4892
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1560

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\44\Process.txt
      Filesize

      1KB

      MD5

      cece56ca2c882fd5d4e532a643f757b1

      SHA1

      7573024438de6569f5e635b1b3d5a8a8f9177558

      SHA256

      4fcd81d35073c01a27874c87ba27d4c01eb2d4b6f697ca6697032257aaf373fd

      SHA512

      40d7217c0dc4c6c89c67ef79b88f6f502e0d09e505497453aca52ac043cfdc9b6e3101e6f1c41a5dec84c50c5d964801b77d2f497b8e0f13071c56839581b8fa

      Download Submit

    • C:\Users\Admin\AppData\Roaming\44\Process.txt
      Filesize

      1KB

      MD5

      a54b40c77f1270db09f46884612088a6

      SHA1

      1cd429469862bbd5979d9b546e75c5f87e68ec98

      SHA256

      93c5b10c2d1f4f5768360d7c6ade7619c2982b252256f513f2dff11bec59ef3c

      SHA512

      ee5af370c4d5ea18b8e4dfa630b176487da75ebd90f990a52b19738167813680c3dbc85e075af776cbc0e7552dbb6cf106b4af2af5f72660ae5fd238f4709ed3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\44\Process.txt
      Filesize

      1KB

      MD5

      7028d9d81cca3878aa605a6911e5a625

      SHA1

      0d2730783e9c41825837914db7d0ca292452e8d7

      SHA256

      e26d6d578bc94686ee4f335e26de45d30284e51ad32e844d916546e23aa84aad

      SHA512

      37cb2ce83419e347b4e78575235882015e248aff5dd940082474d9076220dd59115495547ddfe8b30294c42624f2351f1d264e1341bfee665060847357cf5bcf

      Download Submit

    • memory/4892-0-0x00000195015B0000-0x00000195015FA000-memory.dmp

      Filesize

      296KB

      Download

    • memory/4892-5-0x00007FF9D56B0000-0x00007FF9D6171000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4892-26-0x000001951BAF0000-0x000001951BB00000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4892-128-0x00007FF9D56B0000-0x00007FF9D6171000-memory.dmp

      Filesize

      10.8MB

      Download