Analysis
-
max time kernel
71s -
max time network
72s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
06-10-2024 04:11
General
-
Target
Cheat.exe
-
Size
303KB
-
MD5
02d6afbd57a884836f0c845f9870af7f
-
SHA1
3543d551d9369672ad781781efcd450b0bea2bdb
-
SHA256
359c20f4dd6423e91635c3d6cc365959e438dc12aeb3353c17e3b1641efc4835
-
SHA512
110c8d9ba3fa21d9a10ceac293b447dab45e1438fc4cb509598228fc0aa7c5b8d35ea4dc55bba3afffd60e2679a60694e856efee351a152651e6d3c7d263546a
-
SSDEEP
6144:B5hxT6MDdbICydeBvQ26i2dVTZy6jmA1D06k5:B5dY26i2vT4Y1DW5
Malware Config
Extracted
Family
44caliber
C2
https://discord.com/api/webhooks/897533314720759858/2IthAY1F50e0tIWa51HPNxK5_vNppGvmSOFSU_Yq3riGW0BMzST3MUD9P7wE1B_qSnT5
Signatures
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 freegeoip.app 4 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 3460 Cheat.exe 3460 Cheat.exe 3460 Cheat.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3460 Cheat.exe