Overview

overview

10

Static

static

3

dda9fdfc7c...17.exe

windows7-x64

10

dda9fdfc7c...17.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-03-2024 09:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dda9fdfc7cce385b13c96a10d8634417.exe

  • Size

    1.2MB

  • MD5

    dda9fdfc7cce385b13c96a10d8634417

  • SHA1

    45ac86dfe9f66937d06229840ae40543bb917a47

  • SHA256

    876e5e9bbaf937b3dbcdaf019eee4e2b492ed2cfa47c3e264467ac9c97c052f1

  • SHA512

    3a1fb982a79fe34cf0fedc2600ebe7f796fd0606596e45ebf80d14e2890b06f306969acb69a4374e5ac883e92d58953fe16828d8a00ddfa756eb518b42eece20

  • SSDEEP

    24576:NSVCwS8BA69IxW5iPOdN6Jufj/SPpLv0r9zND5d+53FH4K:NSwa15iPEK2KBM9zNV453F/

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/859014405580783637/J-rOLcLQORAp4rSIpre0H46Lhmzd8QK1hgRFNA4mqYSEz6dtJRq9HsK-id725NgqZTvK

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dda9fdfc7cce385b13c96a10d8634417.exe
    "C:\Users\Admin\AppData\Local\Temp\dda9fdfc7cce385b13c96a10d8634417.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:8

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt
    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

    Download Submit
  • C:\ProgramData\44\Process.txt
    Filesize

    1KB

    MD5

    fad74c85bdd4a8677c486e14ebb7dc1c

    SHA1

    06b13975dc006878500848f358e384c85e5cc370

    SHA256

    1dfe5e20277717b7abf3366665d0376f4c6bae8edfe5cf8ca9a89916949654f4

    SHA512

    8447f8193fc60dc03c3bf25c10189af688acf4d6fc257956d1289e28763237b4b760f929743d9e5b7bcd3759d59562f65dfc9aeeab59399cad521240b8a9c7af

    Download Submit
  • C:\ProgramData\44\Process.txt
    Filesize

    732B

    MD5

    cb481b2f183ec97880d258cf828c8799

    SHA1

    a259d80c3fe2408ce3bd8d41afee23115fdba4c1

    SHA256

    c2d604c5578a9d629ca764220471aa0cd9579cf9e80bd42e29bb0d5b4d67a4da

    SHA512

    10d2ab70e3da1f9ec56b543626a0080f504c09ea59125399b06876471108de2d91fd32a4e027808f41204e14401b0f6fab290451c0526ac8143008f2162760d3

    Download Submit
  • C:\ProgramData\44\Process.txt
    Filesize

    972B

    MD5

    0600c60a26ccbbba185892ad766f9998

    SHA1

    b52691a56d2ffb7aabdb60420fa8de44c98983fe

    SHA256

    526ecf2fee43c5b49021763eea4467a6d96c1b89d9b0bfa06c05c2ba92de35fa

    SHA512

    092984d8f029cbf34a38a0dec540cdfc09f55c7ad8ce02a47cf86c549403b7c1ef6ea58de296a74570adbe2e24849c89cf9f89d3747cb3f81b90aee9454baf37

    Download Submit
  • memory/8-3-0x00000000040D0000-0x00000000040E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/8-11-0x0000000006AF0000-0x0000000006B82000-memory.dmp
    Filesize

    584KB

    Download
  • memory/8-37-0x0000000007640000-0x0000000007BE4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/8-0-0x0000000000E70000-0x0000000001220000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/8-2-0x0000000074770000-0x0000000074F20000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/8-1-0x0000000000E70000-0x0000000001220000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/8-129-0x00000000074F0000-0x0000000007556000-memory.dmp
    Filesize

    408KB

    Download
  • memory/8-133-0x0000000000E70000-0x0000000001220000-memory.dmp
    Filesize

    3.7MB

    Download
  • memory/8-134-0x0000000074770000-0x0000000074F20000-memory.dmp
    Filesize

    7.7MB

    Download