Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
05-10-2024 00:15
Behavioral task
behavioral1
Sample
beba78d7c27442aa96a7f4580fbf46a02af0cf0ec5f0f11bac9871e068b09b8cN.exe
Resource
win7-20240708-en
General
-
Target
beba78d7c27442aa96a7f4580fbf46a02af0cf0ec5f0f11bac9871e068b09b8cN.exe
-
Size
303KB
-
MD5
a3b03fb443f3fdaf2699b4bd9e49a5e0
-
SHA1
bfd397f358ce50906ac6ad38ee0ccb6d438cd629
-
SHA256
beba78d7c27442aa96a7f4580fbf46a02af0cf0ec5f0f11bac9871e068b09b8c
-
SHA512
376c4e07b54f0acb30368de057474af0cbba8b17c4cca915e515888e3c1a42f2cd76e04d0f337e655cb66f707e59c3e2884a4644b627a2c87e1eabce81203e60
-
SSDEEP
6144:EFcT6MDdbICydeBvtCikGW9KJj6bmA1D0eaJ:EFK1CikGeK5g1DEJ
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1289704359051005992/2XGtx3s5Kz6l83FYQ_KPhBXAv_AhvaOGN4IWckqBBO2gLAOHGr8_5kfhfkKztx8tUJZt
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 freegeoip.app 4 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4020 beba78d7c27442aa96a7f4580fbf46a02af0cf0ec5f0f11bac9871e068b09b8cN.exe 4020 beba78d7c27442aa96a7f4580fbf46a02af0cf0ec5f0f11bac9871e068b09b8cN.exe 4020 beba78d7c27442aa96a7f4580fbf46a02af0cf0ec5f0f11bac9871e068b09b8cN.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4020 beba78d7c27442aa96a7f4580fbf46a02af0cf0ec5f0f11bac9871e068b09b8cN.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\beba78d7c27442aa96a7f4580fbf46a02af0cf0ec5f0f11bac9871e068b09b8cN.exe"C:\Users\Admin\AppData\Local\Temp\beba78d7c27442aa96a7f4580fbf46a02af0cf0ec5f0f11bac9871e068b09b8cN.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020