Analysis
-
max time kernel
114s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
23-08-2024 19:29
Behavioral task
behavioral1
Sample
e2780d5f4e1a30a57a4e47f893370e60N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
e2780d5f4e1a30a57a4e47f893370e60N.exe
Resource
win10v2004-20240802-en
General
-
Target
e2780d5f4e1a30a57a4e47f893370e60N.exe
-
Size
303KB
-
MD5
e2780d5f4e1a30a57a4e47f893370e60
-
SHA1
f5adbd631b5303cb832eb59085210176dfb0bdb6
-
SHA256
8d14c3ddc1f328f6afa101354b3bd237ea5f6d5ede5526c301d647db5e7b2829
-
SHA512
d9b68d4d01e6fc495afcbf2255f684a609fc96edfdb17cc34bd2b3c27d54374225424a7f16214f38ea44281f0f63c21e46edda89de71aacc72cfb0d8ab6198e1
-
SSDEEP
6144:h/oT6MDdbICydeBrdEGHpcJWbg6vmA1D0q0G:h/WJEGHpQWEM1DWG
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1275104139587616934/cVYjsimoHW_MSjxoI5Prmq28mq3wQZ0Q6S-d_VTdoxMVqXW-c2M0A6ByJLCYIAEg0gsS
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 3 freegeoip.app 4 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
e2780d5f4e1a30a57a4e47f893370e60N.exepid process 3444 e2780d5f4e1a30a57a4e47f893370e60N.exe 3444 e2780d5f4e1a30a57a4e47f893370e60N.exe 3444 e2780d5f4e1a30a57a4e47f893370e60N.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
e2780d5f4e1a30a57a4e47f893370e60N.exedescription pid process Token: SeDebugPrivilege 3444 e2780d5f4e1a30a57a4e47f893370e60N.exe