Overview

overview

10

Static

static

10

53705a5afb...a6.exe

windows7-x64

10

53705a5afb...a6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    12-08-2024 22:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe

  • Size

    303KB

  • MD5

    3d3676c2d36ed1af59c1815af1f74058

  • SHA1

    fc384ba05ea668dfba796b14c34e6056fd0f94b8

  • SHA256

    53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6

  • SHA512

    3cc2c941082ee926efaa0cb015785321b4090e41abfdcfe7e6484ee414498e0fd6f46ceaee86110795ea6fec5e6456d46d4e6b8d65cbf58e635d1daf0f673fdc

  • SSDEEP

    6144:HrzRT6MDdbICydeB7qgGWSlZNaW61mA1D0EfC:HrT2gGWSjNPq1D3C

Score
10/10
44calibercredential_accessspywarestealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1131711873008549938/QPUFf0SJyyBKkmbeY9YgkuN6uIphQMrfHrESgo7LDLk9M-ZHEC2H2R-LmRpRgJMYG97X

Signatures

  • 44Caliber

    An open source infostealer written in C#.

    stealer44caliber
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe
    "C:\Users\Admin\AppData\Local\Temp\53705a5afba7eccd5f2628d61c4c0bbdcc267e8fe1bdbd32f98b154806f11aa6.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1348
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1348 -s 1176
      2⤵
        PID:2648

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    2
    T1552

    Credentials In Files

    2
    T1552.001

    Discovery

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1348-0-0x000007FEF5973000-0x000007FEF5974000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1348-1-0x0000000000A90000-0x0000000000AE2000-memory.dmp
      Filesize

      328KB

      Download
    • memory/1348-20-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1348-21-0x000007FEF5973000-0x000007FEF5974000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1348-22-0x000007FEF5970000-0x000007FEF635C000-memory.dmp
      Filesize

      9.9MB

      Download