Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
20-07-2024 14:17
Behavioral task
behavioral1
Sample
CR9CK/CR9CK.exe
Resource
win7-20240704-en
General
-
Target
CR9CK/CR9CK.exe
-
Size
303KB
-
MD5
d58c2577966ca8563fd69729151f52ea
-
SHA1
efed2d279e6b2a23a46392731cc8d36411bcdcb3
-
SHA256
4164f7408da2a5a31318d8a6da3c17546f6782822a07e928c0824401cce69830
-
SHA512
8502777f3ddca95dcda8f1962945f6285ee0fe2a2bf008d35066bf0b6eb97733822d7ade6c6b5134c64036d2a2d80802641529283cd30d757bc0b552a5fc9b1c
-
SSDEEP
6144:Uz2ZNT6MDdbICydeBblLIGv2A5siP6vmA1D0g/O:Uzi5IGv20sKM1DbO
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1259949517135151126/locx-MKcF15uY85qiDh_Kt5nRCte0luK62KFHfEH79iF3r9uRpGPhsG-g9YijITFCe5d
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1584 CR9CK.exe 1584 CR9CK.exe 1584 CR9CK.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1584 CR9CK.exe