Analysis
-
max time kernel
94s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-11-2024 15:17
Behavioral task
behavioral1
Sample
startme2.exe
Resource
win7-20240903-en
General
-
Target
startme2.exe
-
Size
303KB
-
MD5
7daba3f3dfb34fcc115e21d6ebb7f31e
-
SHA1
4a51dcb05ae0f1b2f67ade4840d3e8a39967a6ed
-
SHA256
8bc4f4545561e21cdd577b644d7a5d8f4c19e026b967d6273577d4882f85d178
-
SHA512
d7f57cc4b769685598097b8e9463471c2d0ab63753b4486b13e9c6ae6d70dc6aa41562ee5e050f9bab572e9fa1d25b360ca710ad7df4c6d06a819bbf21fb1e99
-
SSDEEP
6144:lXt3T6MDdbICydeBimcmXKhJUPw6hmA1D08nx:lXttpcmXKnUoa1DPx
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1290668556769427476/ri8OyKleH8ERz74URwMZpANFiRTeYD63D7NjwJsY5WG8j240BRZlOokdLv5NIuZDqhnK
Signatures
-
44Caliber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 freegeoip.app 4 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 4716 startme2.exe 4716 startme2.exe 4716 startme2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4716 startme2.exe