General
Target: Client1.exe
Size: 435KB
Sample: 240517-ggqdeaca8w
MD5: db41a85fb5d127502b98a520e0ec8107
SHA1: 1ba0d60550a7eef401ce323c6c01f8547f5a9cd3
SHA256: 5ff3f3b3716a63575a4fd4ef65384341c2dd0a09310a4b6a0df18d8ced34ea81
SHA512: df2052fe1cb49b00e70a6eff5d40793a1dce423c989e763a22a92221970cb14b5bf1c9ac3738a6b09c6d6bda201c026a94ca2fe6db89103134297b0f88108c11
SSDEEP: 6144:XsVDeAnIUilHQU24Je6VlWT8b9UlP1ObiSX3q7Vb+Ia06fjp+2BHS:cZAQ/4JPVle82ZeiQoZirHS
Static task: static1
Malware Config
Extracted: 44caliber
https://discord.com/api/webhooks/1228959092572295179/zol6YJ2bwh5lmLGXkYg2G33z3qYjeTvdzyXLvgfVZAIQ67YWJuOjrxydQkablWLyTqUE
Targets
Target: Client1.exe
- Modifies WinLogon for persistence
- Disables Task Manager via registry modification
- Disables cmd.exe use via registry modification
- Modifies AppInit DLL entries
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)