Overview

overview

10

Static

static

10

d006975785...ae.exe

windows7-x64

10

d006975785...ae.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-04-2024 02:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d006975785908bd891378c66553267cb89746e95a6728d877941e6f25c94f3ae.exe

  • Size

    303KB

  • MD5

    c763e936df8e54ad67dbfa4b3bd3c0bc

  • SHA1

    beaaa7a141823c64fb245f19ac3c2251fef900d1

  • SHA256

    d006975785908bd891378c66553267cb89746e95a6728d877941e6f25c94f3ae

  • SHA512

    4eafdd8a3f3f8041d51ea1019a1695f46781c5d47be7d1142a043c4cf9531a07343583f1c148db9277341a82aa1380bf2df2c866382ee8b9bfef611f0c78c5c1

  • SSDEEP

    6144:iBcT6MDdbICydeBP0+KUmylpnY6rmA1D0RWE:iBKM+KUmapY41DbE

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1226160357496721500/M8J7D5k1hO1RyahDiTtwdkk4Fvbpx4urcIZZllG8IAXSc4eGIg2m6G4UbF_cjPMvvv0D

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables Discord URL observed in first stage droppers 1 IoCs
  • Detects executables referencing Discord tokens regular expressions 1 IoCs
  • Detects executables referencing credit card regular expressions 1 IoCs
  • Detects executables referencing many VPN software clients. Observed in infosteslers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d006975785908bd891378c66553267cb89746e95a6728d877941e6f25c94f3ae.exe
    "C:\Users\Admin\AppData\Local\Temp\d006975785908bd891378c66553267cb89746e95a6728d877941e6f25c94f3ae.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3868-0-0x0000014EF9220000-0x0000014EF9272000-memory.dmp

    Filesize

    328KB

    Download

  • memory/3868-30-0x00007FFE8CE20000-0x00007FFE8D8E1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3868-31-0x0000014EFAE60000-0x0000014EFAE70000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3868-32-0x00007FFE8CE20000-0x00007FFE8D8E1000-memory.dmp

    Filesize

    10.8MB

    Download