Analysis
-
max time kernel
95s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-08-2024 16:15
Behavioral task
behavioral1
Sample
ad8bad1ca3c888140a267dab3ca32f40N.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
ad8bad1ca3c888140a267dab3ca32f40N.exe
Resource
win10v2004-20240802-en
General
-
Target
ad8bad1ca3c888140a267dab3ca32f40N.exe
-
Size
303KB
-
MD5
ad8bad1ca3c888140a267dab3ca32f40
-
SHA1
a8455a1023ca8b83b145669036eaf7e47fd23a4b
-
SHA256
a8234940d8bae72c337c38780bbe79af9ff944282113daa64d7c18addbe019f3
-
SHA512
d9522ee93908fb8b04d00a2ae0f79776f6570387ef625e0e46ffb34d185e2e25e753438ec92ed1d39ca6bd3c9ab777397e541facb087fe84852df064dabdc0f0
-
SSDEEP
6144:15hxT6MDdbICydeBvQ26i2dVTZ867mA1D0FI6:15dY26i2vTGA1DR6
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1267879755852677195/gVzfD2x4tcYypDXASFDiRFPDc3XXIcfmVrwOtmb4OxjlfTTOMCCPvDvp3O4Y4cLpKKeR
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 freegeoip.app 1 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1968 ad8bad1ca3c888140a267dab3ca32f40N.exe 1968 ad8bad1ca3c888140a267dab3ca32f40N.exe 1968 ad8bad1ca3c888140a267dab3ca32f40N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1968 ad8bad1ca3c888140a267dab3ca32f40N.exe