General

Target: de3258d448ac5d543c996a6b4c0fd6b8
Size: 3.3MB
Sample: 240325-rgw63aac88
MD5: de3258d448ac5d543c996a6b4c0fd6b8
SHA1: 44b4fe0e0d731011467f2f0c831f83801c0d068c
SHA256: 9785139b6e8bc5f53da68bed1b78f0567aa00d0de965f8e802e038a1243853e6
SHA512: 71edbb9e13fcdb5f3a86d79446dc4a87c50438b64e7b3cb108fe543be5954e06d3f6f4e9d34135f6baeb8bc19eafa32263e673fae2fdaed547354571b1cffdc7
SSDEEP: 98304:1/xTTgkJENlhU7ZLsyEQrbRt64dtARJACo9x4RqsSTyIv:rTTguENAlLtPrb7Ri/ACo9mR+ys
Behavioral task: behavioral1
Sample: de3258d448ac5d543c996a6b4c0fd6b8.exe
Resource: win7-20240319-en

Malware Config

Extracted: 44caliber
Discord webhook: https://discord.com/api/webhooks/877099784312328213/gbN3AhFr-HwOYeSmi-AjLnTIHhnG8GV5LfjEhIncHO-_rtFM2jafytOi5GkZCyhMgXTd
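The extracted config above is a single Discord webhook URL, which is how this sample is configured to ship stolen data. The following is an added example (not the sandbox's extractor and not code from the sample) of pulling such URLs out of a dump or PE image so they can be reported and blocked. It assumes the webhook shape seen on this page (a 17-20 digit snowflake id followed by a long url-safe token; the length bounds are the analyst's assumption) and also scans a UTF-16LE view of the bytes, because .NET user strings are stored that way. The input blob is constructed for the example.

```python
import re
from typing import Iterator, List, NamedTuple, Tuple

# Discord webhook URL: numeric snowflake id, then a long url-safe token.
# The length bounds are an assumption (this page's id is 18 digits and its
# token 68 characters); discordapp.com and the ptb/canary hosts are accepted too.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/"
    r"(\d{17,20})/([A-Za-z0-9_-]{60,})"
)


class Webhook(NamedTuple):
    url: str
    webhook_id: str
    token: str
    encoding: str  # which view of the bytes the string was found in


def _views(data: bytes) -> Iterator[Tuple[str, str]]:
    # Byte-for-byte view for ASCII strings, plus UTF-16LE at both byte
    # alignments so .NET #US heap strings are caught wherever they start.
    yield "ascii", data.decode("latin-1")
    for off in (0, 1):
        yield f"utf-16le@{off}", data[off:].decode("utf-16-le", errors="ignore")


def extract_webhooks(data: bytes) -> List[Webhook]:
    """Return every distinct Discord webhook URL found in any view of data."""
    found: List[Webhook] = []
    seen = set()
    for enc, text in _views(data):
        for m in WEBHOOK_RE.finditer(text):
            if m.group(0) not in seen:
                seen.add(m.group(0))
                found.append(Webhook(m.group(0), m.group(1), m.group(2), enc))
    return found


def redact(hook: Webhook) -> str:
    """Keep host and id (enough to block or report) but drop the token."""
    return f"{hook.url[: hook.url.rfind('/') + 1]}{hook.token[:4]}...[redacted]"


# Constructed stand-in for a memory dump: a fake PE header, the page's webhook
# stored as a UTF-16LE string, and an ASCII decoy whose id/token are too short.
PAGE_WEBHOOK = (
    "https://discord.com/api/webhooks/877099784312328213/"
    "gbN3AhFr-HwOYeSmi-AjLnTIHhnG8GV5LfjEhIncHO-_rtFM2jafytOi5GkZCyhMgXTd"
)
SAMPLE_BLOB = (
    b"MZ\x90\x00" + bytes(12) + b"#US\x00"
    + PAGE_WEBHOOK.encode("utf-16-le") + b"\x00\x00"
    + b"https://discord.com/api/webhooks/123/not-a-real-token"
)

if __name__ == "__main__":
    for hook in extract_webhooks(SAMPLE_BLOB):
        print(hook.encoding, hook.webhook_id, redact(hook))
```

The id alone is enough to hand to Discord for takedown or to match in proxy logs; never paste the full token into a ticket, since anyone holding it can post to the same channel.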
Targets

Target: de3258d448ac5d543c996a6b4c0fd6b8
Size: 3.3MB
MD5, SHA1, SHA256, SHA512 and SSDEEP: identical to the General section above.
Signatures

- Detects Echelon Stealer payload
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of NtSetInformationThreadHideFromDebugger
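Several of the signatures above (VirtualBox ACPI values, BIOS information, country code, Uninstall keys, NtSetInformationThread with ThreadHideFromDebugger) fire on specific registry paths and one API argument. The following is an added example, not the sandbox's own rule engine, of the detection logic that turns raw registry and API events into those labels. The registry paths are the well-known locations these checks usually touch and are the analyst's assumption rather than values taken from this report; the event records are constructed in the shape a sandbox or EDR might emit.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Registry locations behind the signatures. Assumed (common) paths, not
# paths quoted from the report: VirtualBox's ACPI table names, the BIOS
# strings under HARDWARE\DESCRIPTION, the user's Geo\Nation code, and the
# per-product Uninstall subkeys (including the WOW64 view).
REGISTRY_SIGNATURES = [
    ("anti-vm: VirtualBox ACPI tables",
     re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("anti-sandbox: BIOS information",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System(\\BIOS)?\\"
                r"(SystemBiosVersion|VideoBiosVersion|SystemManufacturer|SystemProductName)$", re.I)),
    ("geofence: country code",
     re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
    ("recon: installed software enumeration",
     re.compile(r"\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall(\\|$)", re.I)),
]

# ThreadInformationClass value passed to NtSetInformationThread to hide the
# calling thread from an attached debugger (ThreadHideFromDebugger = 0x11).
THREAD_HIDE_FROM_DEBUGGER = 0x11


def classify_event(event: dict) -> Optional[str]:
    """Return the signature label an event triggers, or None if it is benign."""
    op = event.get("op", "")
    if op.startswith("Reg"):
        path = event.get("path", "")
        for label, pattern in REGISTRY_SIGNATURES:
            if pattern.search(path):
                return label
        return None
    if op == "NtSetInformationThread" and event.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
        return "anti-debug: NtSetInformationThread(ThreadHideFromDebugger)"
    return None


def summarize(events: List[dict]) -> Dict[str, int]:
    """Count how many events hit each signature label."""
    hits: Counter = Counter()
    for event in events:
        label = classify_event(event)
        if label:
            hits[label] += 1
    return dict(hits)


# Constructed event stream: the evasion and recon reads above interleaved
# with two benign events (a Shell Folders lookup and ThreadPriority = 2).
SAMPLE_EVENTS = [
    {"op": "RegOpenKey", "path": r"HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"op": "RegQueryValue", "path": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"op": "RegQueryValue", "path": r"HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"},
    {"op": "RegQueryValue", "path": r"HKEY_CURRENT_USER\Control Panel\International\Geo\Nation"},
    {"op": "RegEnumKey", "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"},
    {"op": "RegQueryValue", "path": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{sample-app}\DisplayName"},
    {"op": "RegQueryValue", "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop"},
    {"op": "NtSetInformationThread", "info_class": 0x11},
    {"op": "NtSetInformationThread", "info_class": 0x02},
]

if __name__ == "__main__":
    for label, count in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{count:2d}  {label}")
```

Individually, a BIOS or Uninstall read is noise (installers and inventory agents do both); the value is in the combination, so alert on the summary when anti-VM or anti-debug labels co-occur with the recon and credential-access signatures listed above.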