Overview

overview

10

Static

static

10

09ea3bf729...06.exe

windows7-x64

10

09ea3bf729...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-04-2024 18:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    09ea3bf729f8c7d94be749b3c40de16b5795cf015e971164bb49168841917e06.exe

  • Size

    274KB

  • MD5

    15e2a8fb387c0d282a42769bf706302a

  • SHA1

    a3e079ec5d06a3a9b93c1f72c39ca0c83b17710d

  • SHA256

    09ea3bf729f8c7d94be749b3c40de16b5795cf015e971164bb49168841917e06

  • SHA512

    5fa9dd312f22d9ac36ee8b29fcb77bf8621ed3cb95496a4c6ff91437efa25cde672794ccc3f19c26a40988de17fb04798f77fb867a0b4f3822cfe3b71ae83653

  • SSDEEP

    6144:Cf+BLtABPDsJJfbdrJwiU0xoZZafTyMlI1D0qY/:NJXqiU0xoRh1Da/

Score
10/10
44caliberspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1160315256816554056/hlmTbenc8kZjs5SjhnARiVDXgoYJyFGIFGn6fTzvVyQv0AD0YdC5k0StuqiH0Q3QAxBA

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables Discord URL observed in first stage droppers 1 IoCs
  • Detects executables referencing Discord tokens regular expressions 1 IoCs
  • Detects executables referencing credit card regular expressions 1 IoCs
  • Detects executables referencing many VPN software clients. Observed in infosteslers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\09ea3bf729f8c7d94be749b3c40de16b5795cf015e971164bb49168841917e06.exe
    "C:\Users\Admin\AppData\Local\Temp\09ea3bf729f8c7d94be749b3c40de16b5795cf015e971164bb49168841917e06.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2332
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4976

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\44\Process.txt
      Filesize

      471B

      MD5

      b5902401e1087de3b7e6d6aa8bf7d86b

      SHA1

      aa404633e3f550e21a98c9d55e038d706b08f6fa

      SHA256

      56d8c0e3ee922a31d3cddc280421126a6b6ec91627f084f87d43b04d9546619e

      SHA512

      665ebf3ce78d0bae4718865c9bb6cf9147df64c276be33950b2966a07c5c53b893ced9540fe46323bc28ebf433c543a85db5c0051fe3eedc39d03883b6a9f208

      Download Submit
    • C:\ProgramData\44\Process.txt
      Filesize

      1KB

      MD5

      0fe683e0599a5d7e5da26c90027ff1ac

      SHA1

      f4d2976ff841f7453b4febfbeade93e4da194eca

      SHA256

      813e4fbf9b7ddc2e8c4bc0b551cb719dc73a683544e739ff690fea29d9ca2cf3

      SHA512

      67208afd24fd037e58863c6c9e2f9e62737141259069f7abb5f80f3f7b7792aac995d62e141593f3a6e152ac19f2c11bd69917d9c0919ec45c91a885a90a32e9

      Download Submit
    • memory/2332-0-0x000001EC542C0000-0x000001EC5430A000-memory.dmp
      Filesize

      296KB

      Download
    • memory/2332-1-0x00007FFA36590000-0x00007FFA37051000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2332-2-0x000001EC6E7E0000-0x000001EC6E7F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2332-123-0x00007FFA36590000-0x00007FFA37051000-memory.dmp
      Filesize

      10.8MB

      Download