Analysis
-
max time kernel
23s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-10-2024 20:55
Behavioral task
behavioral1
Sample
Alpha.exe
Resource
win7-20240903-en
windows7-x64
7 signatures
30 seconds
General
-
Target
Alpha.exe
-
Size
303KB
-
MD5
f25055b8bc6c0ea610dc7e7f537c965e
-
SHA1
ec7867e4f67a589b3dcfc6eb2937f51b6f586acb
-
SHA256
83fa8d782b344ad03557650a4d3c8d8b9d34d74238bdfa470c40ee1b43a5aa0c
-
SHA512
0552cd40771593c2c00d922555a02bdfdec0922c6ce51611f0b780384c8f44332df19277360012d830fa7944967767d2db2af0a7d4f2653d3fe695f50861636c
-
SSDEEP
6144:DXt3T6MDdbICydeBimcmXKhJUP+6jmA1D0goc:DXttpcmXKnUWY1Dkc
Malware Config
Extracted
Family
44caliber
C2
https://discord.com/api/webhooks/1299714323437846560/8vTyp7oBL-pL3lSrtcRSiyqmJ0QAxIj3uJD3LMbf2ZP-8fjjLRUvMZtdpz8DfGxdoou6
Signatures
-
44Caliber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2792 Alpha.exe 2792 Alpha.exe 2792 Alpha.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2792 Alpha.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2792 wrote to memory of 2236 2792 Alpha.exe 30 PID 2792 wrote to memory of 2236 2792 Alpha.exe 30 PID 2792 wrote to memory of 2236 2792 Alpha.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Alpha.exe"C:\Users\Admin\AppData\Local\Temp\Alpha.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2792 -s 7762⤵PID:2236
-