General
-
Target
https://cdn.discordapp.com/attachments/1212416322160300103/1212779220468498492/OxyProjNL.rar?ex=6674ef6a&is=66739dea&hm=aaa39f26eb4804817f2fed307720d0a1c0b8e0503b4606e92c97ecfc05843958&
-
Sample
240620-ksfvwsyeka
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1208790119046193243/eZ9zjLPvHd-FRJsahjqgqZrRSsKnYitSyY6Wf_DhXU7Uan_6NaWZpaFcBn-LdnE8QCGt
Targets
-
-
Target
https://cdn.discordapp.com/attachments/1212416322160300103/1212779220468498492/OxyProjNL.rar?ex=6674ef6a&is=66739dea&hm=aaa39f26eb4804817f2fed307720d0a1c0b8e0503b4606e92c97ecfc05843958&
Score10/10-
44Caliber
An open source infostealer written in C#.
-
Modifies Windows Firewall
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1