Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240319-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240319-en locale:en-us os:windows7-x64 system
  • submitted
    25-03-2024 14:10

General

  • Target

    de3258d448ac5d543c996a6b4c0fd6b8.exe

  • Size

    3.3MB

  • MD5

    de3258d448ac5d543c996a6b4c0fd6b8

  • SHA1

    44b4fe0e0d731011467f2f0c831f83801c0d068c

  • SHA256

    9785139b6e8bc5f53da68bed1b78f0567aa00d0de965f8e802e038a1243853e6

  • SHA512

    71edbb9e13fcdb5f3a86d79446dc4a87c50438b64e7b3cb108fe543be5954e06d3f6f4e9d34135f6baeb8bc19eafa32263e673fae2fdaed547354571b1cffdc7

  • SSDEEP

    98304:1/xTTgkJENlhU7ZLsyEQrbRt64dtARJACo9x4RqsSTyIv:rTTguENAlLtPrb7Ri/ACo9mR+ys

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/877099784312328213/gbN3AhFr-HwOYeSmi-AjLnTIHhnG8GV5LfjEhIncHO-_rtFM2jafytOi5GkZCyhMgXTd

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Detects Echelon Stealer payload 2 IoCs
  • Echelon

    Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • NTFS ADS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\de3258d448ac5d543c996a6b4c0fd6b8.exe
    "C:\Users\Admin\AppData\Local\Temp\de3258d448ac5d543c996a6b4c0fd6b8.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Users\Admin\AppData\Local\Temp\RACKED.exe
      "C:\Users\Admin\AppData\Local\Temp\RACKED.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe
        "C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe"
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3068
      • C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe
        "C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2628
        • C:\Windows\system32\WerFault.exe
          C:\Windows\system32\WerFault.exe -u -p 2628 -s 1260
          4⤵
            PID:2684
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
      1⤵
      • Suspicious use of FindShellTrayWindow
      PID:2632

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\44\Process.txt

      Filesize

      242B

      MD5

      170a09439462ae3f536b2c5f4277a31c

      SHA1

      30b7f1e5e5ba603a2ffdfe00ef3305421b1ff07e

      SHA256

      b2af831b911e253a5cc8124fd0268d73d1aa3e4914b5c48606797995b8af0c8f

      SHA512

      fb436edecf61aef4e8f8359f6f1107cc744e0f663cb3c827cddc2fee377db3198b044bd4f6635f88be4dcdcce732d55601fe873f4fecacbc26d3cdf11321368e

    • C:\Users\Admin\AppData\Local\44\Process.txt

      Filesize

      443B

      MD5

      e4eb408b3076458077762744cf2645ef

      SHA1

      80d41125f0964e2415a8fbf8df7e064ccd0cbae5

      SHA256

      24774c8f8efdc068bbbe3e931476f5f409019da0ce3fbe56b983ef0c96f5c1c1

      SHA512

      d8cff83460638f9b29029fd48da9000bbfbd79c1f2ae6da12653d8dae8a8650067feb71ee6875e8d37042b1d0c32a38474fc4e194b0e4ce807fc8c6dd337aedf

    • C:\Users\Admin\AppData\Local\Temp\PDh_icon.ico

      Filesize

      295KB

      MD5

      418e0374acb48a29df66cd6cf77b2556

      SHA1

      1aec0f4a7810cea8a0356e3c40602f843e64e8b9

      SHA256

      a9a8e2eb897d271ae1aa442c1c315f3df7b377f33809e82d685452e90f7790fe

      SHA512

      8c6e57b180a57cec0593c77fd8377a4a27e6a64bfd4142e7382c0a4fc0fb95af7bc6daabaabcbc8289029da361ede25fa2bcdf26912a4da05f35f57993a39c13

    • C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe

      Filesize

      581KB

      MD5

      ae9fc2812c2a6d55c9f66b626963639f

      SHA1

      22b0e3477e075bb7fbe70121f51567d50c6d5d39

      SHA256

      c46ae05c8aecb322d21d504e5dc4665304c12f4a23da2222f58bc940ee53345c

      SHA512

      37ef5617f2fda51865f850a9d089e9e56de29508a1b153ada6fd8e32375fdd0f8750b9c5946508a5b0a7a06d61f271fc3d4ffca66d2a8ae72adfed11fc226e88

    • C:\Users\Admin\AppData\Local\Temp\RACKED.exe

      Filesize

      64KB

      MD5

      4e3e3a145100c082b8643dc22a6b48f9

      SHA1

      b4954ec4d81ed8d0a5dbecae897337b8f812d657

      SHA256

      94532042c3dbdc12e95b830f3886085bc44245eb95744e272e40aa2e09332699

      SHA512

      748b524f288f96391342204ab16e8354915a831ebec9c180fd4a7450bc0385eb187d4f6b5f47d28e9c06db6940f598a9d757b0d919d34fe301f1b2464792d762

    • C:\Users\Admin\AppData\Local\Temp\RACKED.exe

      Filesize

      449KB

      MD5

      af6dbbdcb44d920c0e41d166b60b26e4

      SHA1

      bd653c5d5985e0cf826fef5c080754a935527afd

      SHA256

      2c1a3eb1514f74d3f0c87e3ba9f205a809eebff725bdf105d50c2de351971592

      SHA512

      ebc0e10e4d5b2dd032ac09c364133cc8483ffc5fae2b39f9a65c11be06ee8b704e52bda47cdcecdcea357d51a4804ab418cadc908d68d6fb545139c5fafe8c83

    • \Users\Admin\AppData\Local\Temp\ProtonHack.exe

      Filesize

      274KB

      MD5

      9df1e86f0c44b525df31975949fe225a

      SHA1

      a1869bd91c12f6e96339d112d2acb0f018c31f6e

      SHA256

      13685d73ac437d3d5f976b9f600b183a489aa8871596ee9bec5d27ceb53c0b13

      SHA512

      7dfe7348e4934aa5d5b21af64ed0d90397fb430ea8dd6f5b104b69edc80e51766c6150f8db37749912dc47f604fa18dff4e9cfbf7a850248d16cf8acdd2d5bb6

    • \Users\Admin\AppData\Local\Temp\RACKED.exe

      Filesize

      575KB

      MD5

      1bedb8644adbf8aa590d04ebb31edb87

      SHA1

      5467bb793d56356a418c779dd2677c9ebf92a7a6

      SHA256

      5db197f06ea1b086ef988650989d7dc85388a1f6be6d4fc1cfa27231f05e587b

      SHA512

      5c56418fe8d4536d6227123df14204235f2c86276030ed6f2a420daf41b3a78614aa374916daa92a06bfdaf6a204f54f22cf97ba33f492b9376ab798313acdac

    • \Users\Admin\AppData\Local\Temp\RACKED.exe

      Filesize

      549KB

      MD5

      11ce8a0ba80fe5b237f361ef05f41507

      SHA1

      c6802f3aa82660932d5a96df939427c2417824d7

      SHA256

      3577fa9dc8ce5c58ec025589a5aa2802332f2ea0310cbe4cecd40250c60fd780

      SHA512

      d254c348d2dbaed48fc6cbeacaffdbe345283b4fbad1739884226b2d424c43492971f2b6ce9e9823ca2c4f0c7b727f0110343d18bc275110c187479ae1ff6d9d

    • memory/2628-55-0x0000000000B90000-0x0000000000C10000-memory.dmp

      Filesize

      512KB

    • memory/2628-34-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

      Filesize

      9.9MB

    • memory/2628-31-0x0000000001340000-0x00000000013D8000-memory.dmp

      Filesize

      608KB

    • memory/2628-90-0x0000000000B90000-0x0000000000C10000-memory.dmp

      Filesize

      512KB

    • memory/2628-89-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

      Filesize

      9.9MB

    • memory/2632-41-0x0000000000300000-0x0000000000301000-memory.dmp

      Filesize

      4KB

    • memory/2632-29-0x0000000000120000-0x0000000000122000-memory.dmp

      Filesize

      8KB

    • memory/2884-0-0x0000000000400000-0x0000000000C12000-memory.dmp

      Filesize

      8.1MB

    • memory/2884-28-0x0000000003160000-0x0000000003162000-memory.dmp

      Filesize

      8KB

    • memory/2884-1-0x00000000775D0000-0x00000000775D2000-memory.dmp

      Filesize

      8KB

    • memory/2884-32-0x0000000000400000-0x0000000000C12000-memory.dmp

      Filesize

      8.1MB

    • memory/3068-35-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

      Filesize

      9.9MB

    • memory/3068-30-0x0000000000F70000-0x0000000000FBA000-memory.dmp

      Filesize

      296KB

    • memory/3068-36-0x0000000000EB0000-0x0000000000F30000-memory.dmp

      Filesize

      512KB

    • memory/3068-88-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

      Filesize

      9.9MB