Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-05-2024 17:14

General

  • Target

    BlastedCrack.exe

  • Size

    549KB

  • MD5

    0321782a20a84473a2bf7204f4b94d49

  • SHA1

    0232950dfddc20314c4bed9815590191ce31283c

  • SHA256

    f1273b7c08ddef61d8240de5fb61c780575b9330c4868c383076e21a79d03d22

  • SHA512

    5be35b75c329057f5cd81a532405cc55e5460a2992fc1a7e2585db68750215a80f9b019175d062a45291884da54431fe31f6f1b2daf600c25116857531eef0e5

  • SSDEEP

    12288:UCQjgAtAHM+vetZxF5EWry8AJGy0wT+t13X2F:U5ZWs+OZVEWry8AFU3X2F

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1217779080850706492/4knjig6DiCOeXSkGA1LGWaAo5XXa_s8z91RQ954jqRgqAhjOtgNK-aoBNJU45eHP5Ir2

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BlastedCrack.exe
    "C:\Users\Admin\AppData\Local\Temp\BlastedCrack.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.exe

    Filesize

    303KB

    MD5

    a147413e40194267cf19da405bbb8be4

    SHA1

    8f1c9d6c88f1ca967ecd4e9749195ff006e59be1

    SHA256

    652920284464f45452dd695167982d5f73909284063a21e66899ad785be5325c

    SHA512

    4a8f3ebb1b4cb3fbea4fc0f0a0df44953ef33e5fc66b13ab3d02801e02e1deb171c4955e2331d526e2af1ac4de9b12b3b2e8994b3da7feff6e9b68fea457c0cd

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\XWors.lnk

    Filesize

    992B

    MD5

    9238ad2608f57aaac6da2b2a822701d4

    SHA1

    21fc46daf0a8969a14bd07f9f9d10a1b2828036b

    SHA256

    1ac3ca9e60cc963701872728a84e0bfbddafeb017e29a81867612ba706078279

    SHA512

    c110718703eac037a5f427ad64e3c135bb4481af8d147610eb7d5a9ec708736c21bc94f614c5264ef02ab4d64da1271d97d1266ed9c30644c7ddd44bdbcf4ea6

  • memory/2432-14-0x00007FF99C363000-0x00007FF99C365000-memory.dmp

    Filesize

    8KB

  • memory/2432-15-0x0000023692A60000-0x0000023692AB2000-memory.dmp

    Filesize

    328KB

  • memory/2432-45-0x00007FF99C360000-0x00007FF99CE21000-memory.dmp

    Filesize

    10.8MB

  • memory/2432-46-0x00007FF99C360000-0x00007FF99CE21000-memory.dmp

    Filesize

    10.8MB