Analysis
-
max time kernel
34s -
max time network
34s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04-08-2024 17:46
Behavioral task
behavioral1
Sample
execute.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
execute.exe
Resource
win10v2004-20240802-en
General
-
Target
execute.exe
-
Size
303KB
-
MD5
7cfe3e4a9b6da9b158ebf7e0d1ab9945
-
SHA1
a238ffedd893f57dcfcd70fff18c37aef9fd416e
-
SHA256
cdcad2a6891cfaa9635c0718f3344280f8d02a78611bd6ca234e8bf22603613c
-
SHA512
006ef6f83b13afddf814226f00ddba4580f74939c9a051b9537bbe352cb213e4c366548927363f573d04bad69520c3b843b466fb86f700d2e9ef9caf2d33dd4b
-
SSDEEP
6144:9v9T6MDdbICydeBhbvsGfSDpbwko6jmA1D0Zi6:9vLFsGfSNsjY1DT6
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1264290240290361368/HDo7Noqy1EZnwf2Slhpj8GKIwaCmP_A66Af1DGldm_aCLel95CQQWcTbmmU_vwpsIMZr
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 freegeoip.app 2 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1632 execute.exe 1632 execute.exe 1632 execute.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1632 execute.exe