Extracted

• • Target

    7a154ab401c900bec51004c09941526f164eac0c97eb787030c768175957be87

  • Size

    5.0MB

  • MD5

    46da75a26b19ac079ac537df27812f55

  • SHA1

    7ab3ebd563f09227daa95d45b25fc026105e8d43

  • SHA256

    7a154ab401c900bec51004c09941526f164eac0c97eb787030c768175957be87

  • SHA512

    33673daaec68ebef0723a9a1f840441da95d7d2a008aac608c784e398779e6a4a8f5730d0f0a7696ed08b48b6c3d74f2fc2a7f38484f89cd32b2eb26229562f8

  • SSDEEP

    98304:g3GjDdIVl8LhRqb8ilx8hdrHjIhwxocDbUZBpgpK0/v4bY4tBNpQ3zv:g3GjpIT8LhRfbnrUhkbUZwt/vsBNpC

  Score

  10^/10

  44caliberxmrigminerspywarestealer

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig

  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

  • Detects executables referencing Discord tokens regular expressions

  • Detects executables referencing credit card regular expressions

  • Detects executables referencing many VPN software clients. Observed in infosteslers

  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers

  • XMRig Miner payload

    miner

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Accesses cryptocurrency files/wallets, possible credential harvesting

    spyware

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2