44caliber | 3f8c834a6f95f5128aa4c916bbb51afcfe7d1c6e79e93b9c750862fbacf8d657

General

Target

3f8c834a6f95f5128aa4c916bbb51afcfe7d1c6e79e93b9c750862fbacf8d657.exe
Size

3.4MB
MD5

5c48167b9b7f4ca64ec8ffc3dac52f4f
SHA1

798c3b6432e0a6c7ca3565847f2ae6132ce273e2
SHA256

3f8c834a6f95f5128aa4c916bbb51afcfe7d1c6e79e93b9c750862fbacf8d657
SHA512

41d9dfe7e15f372e271b87bb1c28a16af7259d5dd76fe9e1d936de8ef34200504afb4a505d6c96722fc2c29c6a032fa81f094ae1969d13f4f55bdcf8ed2faace
SSDEEP

98304:U3GZi+althnATSq/Mr0E6QpT3WF/zYpDLGf8xV3XVV4l94e/YjW:U3G0+althATSCil3acME/6L/T

Score

10^/10

44caliber stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1250616070168121415/5zPJF3YAMfzIYMNhBy0XbjWdMsVRmd5PNYzbuTK55XQkKeKyHmQ5hnEfKgffl6GKC84q

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2668-23-0x0000000000F80000-0x000000000115C000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables Discord URL observed in first stage droppers 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2668-23-0x0000000000F80000-0x000000000115C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables packed with ConfuserEx Mod 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Siticone.Desktop.UI.dll	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2668-27-0x0000000004A80000-0x0000000004E86000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Detects executables referencing Discord tokens regular expressions 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe	INDICATOR_SUSPICIOUS_EXE_Discord_Regex
behavioral1/memory/2668-23-0x0000000000F80000-0x000000000115C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Discord_Regex

Detects executables referencing credit card regular expressions 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe	INDICATOR_SUSPICIOUS_EXE_CC_Regex
behavioral1/memory/2668-23-0x0000000000F80000-0x000000000115C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_CC_Regex

Detects executables referencing many VPN software clients. Observed in infosteslers 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe	INDICATOR_SUSPICIOUS_EXE_References_VPN
behavioral1/memory/2668-23-0x0000000000F80000-0x000000000115C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_VPN

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
behavioral1/memory/2668-23-0x0000000000F80000-0x000000000115C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Executes dropped EXE 1 IoCs

Processes:

Loader.exe

pid process

2668 Loader.exe
Loads dropped DLL 6 IoCs

Processes:

Loader.exe

pid process

2668 Loader.exe
2668 Loader.exe
2668 Loader.exe
2668 Loader.exe
2668 Loader.exe
2668 Loader.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Loader.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Loader.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Loader.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Loader.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Loader.exe

pid	process
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe
2668	Loader.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Loader.exe

description pid process

Token: SeDebugPrivilege 2668 Loader.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Loader.exe

pid process

2668 Loader.exe
2668 Loader.exe

description	pid	process
Token: SeDebugPrivilege	2668	Loader.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

3f8c834a6f95f5128aa4c916bbb51afcfe7d1c6e79e93b9c750862fbacf8d657.exe

description	pid	process	target process
PID 2112 wrote to memory of 2668	2112	3f8c834a6f95f5128aa4c916bbb51afcfe7d1c6e79e93b9c750862fbacf8d657.exe	Loader.exe
PID 2112 wrote to memory of 2668	2112	3f8c834a6f95f5128aa4c916bbb51afcfe7d1c6e79e93b9c750862fbacf8d657.exe	Loader.exe
PID 2112 wrote to memory of 2668	2112	3f8c834a6f95f5128aa4c916bbb51afcfe7d1c6e79e93b9c750862fbacf8d657.exe	Loader.exe
PID 2112 wrote to memory of 2668	2112	3f8c834a6f95f5128aa4c916bbb51afcfe7d1c6e79e93b9c750862fbacf8d657.exe	Loader.exe

C:\Users\Admin\AppData\Local\Temp\3f8c834a6f95f5128aa4c916bbb51afcfe7d1c6e79e93b9c750862fbacf8d657.exe
"C:\Users\Admin\AppData\Local\Temp\3f8c834a6f95f5128aa4c916bbb51afcfe7d1c6e79e93b9c750862fbacf8d657.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

1

T1553

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab192E.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe
Filesize
1.8MB

MD5
bb9840f7382dd86e6b528da7eca4282e

SHA1
312520506e7444ca7952fca5473b61ca18ea3a94

SHA256
38c69a36a8add6d7f523719ec0909867e0a4f2df0041c0f654cdb49c6b716e3b

SHA512
8018b864da28b383e127d209c458281eca62ddb6c74a97f9c225938f21f87a2833c9fc828123c8014b9b7b5b576fc7c9e827f1d873e511722876ee559e6ee1e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Newtonsoft.Json.dll
Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Siticone.Desktop.UI.dll
Filesize
4.0MB

MD5
1582aa45d981e0e569c6e05698642b30

SHA1
763506f312a186c55a04ef6a16ad7e867c394097

SHA256
21eecaf504b7fe787a45f4aa8f8f36dacfc3ab1d75624dfb41827cdef2a9a589

SHA512
278a7a4e2b9d82528200b9f92244db3f228187d15c36fd169deb927e343bc4d0bb29c9dba496f86558aea4f4deb44d1e47a41d5598c0b375d99ad9fbe99cec34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1A0F.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2668-27-0x0000000004A80000-0x0000000004E86000-memory.dmp

Filesize
4.0MB

Download
memory/2668-30-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-31-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-29-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-28-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-23-0x0000000000F80000-0x000000000115C000-memory.dmp

Filesize
1.9MB

Download
memory/2668-22-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/2668-112-0x0000000008F10000-0x0000000008FC2000-memory.dmp

Filesize
712KB

Download
memory/2668-116-0x000000007484E000-0x000000007484F000-memory.dmp

Filesize
4KB

Download
memory/2668-117-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-118-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-119-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads