Analysis

  • max time kernel
    134s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-05-2024 05:54

General

  • Target

    Nursultan.exe

  • Size

    1.4MB

  • MD5

    04dd1f99162ef231ab0c9d28d181e9d2

  • SHA1

    af9cb52510704981a6e3daeae61c617d711366ef

  • SHA256

    c383f1a8383c27fda0910a6691aa4a7561d86094e3309df7d2ad787d8e601086

  • SHA512

    701b7557e14384648fafdc58ae28f76abee5d1c9f567884c42371e722d699d923ac6df68d0a896207452a2eeea4fe65cbcd350f11a2ff519b51b776970565614

  • SSDEEP

    24576:wBmXmo2G/nvxW3Ww0tBBlxD41ittL91eboEH2IgYAUUjZhI:wBi3bA30BBlxnioE5AW

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1245420777592062054/saI81XWOLJi1mJiEEt2FK-cyIKsq2Ayc-BlexWZ-2Fj0plrNSjRsNmF63M5uf5r_C7a0

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • DcRat

    DarkCrystal (DC) is a .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • DCRat payload 1 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\Insidious.exe
      "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1968

Network

  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    216.131.50.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    216.131.50.23.in-addr.arpa
    IN PTR
    Response
    216.131.50.23.in-addr.arpa
    IN PTR
    a23-50-131-216.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    freegeoip.app
    Insidious.exe
    Remote address:
    8.8.8.8:53
    Request
    freegeoip.app
    IN A
    Response
    freegeoip.app
    IN A
    172.67.160.84
    freegeoip.app
    IN A
    104.21.73.97
  • flag-us
    GET
    https://freegeoip.app/xml/
    Insidious.exe
    Remote address:
    172.67.160.84:443
    Request
    GET /xml/ HTTP/1.1
    Host: freegeoip.app
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 30 May 2024 05:55:43 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: keep-alive
    Cache-Control: max-age=3600
    Expires: Thu, 30 May 2024 06:55:43 GMT
    Location: https://ipbase.com/xml/
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RsNPUcteJ32YCb1rMOFtal1ttNX%2FN32D1Qi73smzyygpgeEHerpwIT33nZXYQnTXcArTbGUUTI0kY%2FdOLs4CFfKB%2FXkO4aw13yqHF46TNrUcpcQIos4VAE9MLDz1ElhT"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 88bc7a12e84b93eb-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    ipbase.com
    Insidious.exe
    Remote address:
    8.8.8.8:53
    Request
    ipbase.com
    IN A
    Response
    ipbase.com
    IN A
    172.67.209.71
    ipbase.com
    IN A
    104.21.85.189
  • flag-us
    GET
    https://ipbase.com/xml/
    Insidious.exe
    Remote address:
    172.67.209.71:443
    Request
    GET /xml/ HTTP/1.1
    Host: ipbase.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 404 Not Found
    Date: Thu, 30 May 2024 05:55:43 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Age: 43572
    Cache-Control: public,max-age=0,must-revalidate
    Cache-Status: "Netlify Edge"; hit
    Vary: Accept-Encoding
    X-Nf-Request-Id: 01HZ41323HRS203CA5B079XK55
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PLuUkfv2TVahan2SLbUQYweF9%2Fh2qRf%2B0CbW8IAXo1pPQlfi%2BpgoaVD4%2FvV4YYUw%2B9FohSr%2BGCIhIkUyabytXSvlFyRvgLCii7PgTJWR%2FYAnTEGkZF3TECP4EQcE"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 88bc7a13ac446555-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    84.160.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    84.160.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.209.67.172.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.209.67.172.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    23.62.61.129:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Thu, 30 May 2024 05:55:45 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.7d3d3e17.1717048545.bd9f770
  • flag-us
    DNS
    129.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    129.61.62.23.in-addr.arpa
    IN PTR
    Response
    129.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-129.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    183.59.114.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    183.59.114.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    82.90.14.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    82.90.14.23.in-addr.arpa
    IN PTR
    Response
    82.90.14.23.in-addr.arpa
    IN PTR
    a23-14-90-82.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 468637
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: E52E03F557CD4BC4AAE49E313175A4A5 Ref B: LON04EDGE0615 Ref C: 2024-05-30T05:57:23Z
    date: Thu, 30 May 2024 05:57:23 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 449656
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 1A460C910D4D43F3A46DA0A87AE62699 Ref B: LON04EDGE0615 Ref C: 2024-05-30T05:57:23Z
    date: Thu, 30 May 2024 05:57:23 GMT
  • 172.67.160.84:443
    https://freegeoip.app/xml/
    tls, http
    Insidious.exe
    766 B
    6.0kB
    9
    8

    HTTP Request

    GET https://freegeoip.app/xml/

    HTTP Response

    301
  • 172.67.209.71:443
    https://ipbase.com/xml/
    tls, http
    Insidious.exe
    852 B
    9.3kB
    11
    13

    HTTP Request

    GET https://ipbase.com/xml/

    HTTP Response

    404
  • 23.62.61.129:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
    6.3kB
    17
    11

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    tls, http2
    34.4kB
    957.9kB
    706
    704

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239351692210_1AKNUXTAY2T0XUMCR&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239351692215_1UJ4FAL91XLA7HB15&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    14
  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    216.131.50.23.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    216.131.50.23.in-addr.arpa

  • 8.8.8.8:53
    freegeoip.app
    dns
    Insidious.exe
    59 B
    91 B
    1
    1

    DNS Request

    freegeoip.app

    DNS Response

    172.67.160.84
    104.21.73.97

  • 8.8.8.8:53
    ipbase.com
    dns
    Insidious.exe
    56 B
    88 B
    1
    1

    DNS Request

    ipbase.com

    DNS Response

    172.67.209.71
    104.21.85.189

  • 8.8.8.8:53
    84.160.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    84.160.67.172.in-addr.arpa

  • 8.8.8.8:53
    71.209.67.172.in-addr.arpa
    dns
    72 B
    134 B
    1
    1

    DNS Request

    71.209.67.172.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    129.61.62.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    129.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    183.59.114.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    183.59.114.20.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    82.90.14.23.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    82.90.14.23.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Insidious.exe

    Filesize

    303KB

    MD5

    bf315b4f45ed1773fcf9384a004df664

    SHA1

    728d338d4889c1a92d4d5df7a8afb0bf2d4e73b1

    SHA256

    8cd6840512dac2770f4960ed7e4291bbe6b655b5905f4bb751c9383ba827a822

    SHA512

    f0b2cff9469f8935e0012ae68711d655c7d6d563f242da14565f153591f3d0d281c31123a99c913262915fb76cf3c2a027642bf43ff69b27289640c7e3339b6a

  • memory/1968-13-0x00007FF816413000-0x00007FF816415000-memory.dmp

    Filesize

    8KB

  • memory/1968-12-0x000001BA99AC0000-0x000001BA99B12000-memory.dmp

    Filesize

    328KB

  • memory/1968-40-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

    Filesize

    10.8MB

  • memory/1968-45-0x00007FF816410000-0x00007FF816ED1000-memory.dmp

    Filesize

    10.8MB

  • memory/1996-11-0x0000000000400000-0x0000000000572000-memory.dmp

    Filesize

    1.4MB
