Analysis
-
max time kernel
13s -
max time network
15s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
11-11-2024 15:16
Behavioral task
behavioral1
Sample
start me 2.exe
Resource
win10ltsc2021-20241023-en
General
-
Target
start me 2.exe
-
Size
303KB
-
MD5
7daba3f3dfb34fcc115e21d6ebb7f31e
-
SHA1
4a51dcb05ae0f1b2f67ade4840d3e8a39967a6ed
-
SHA256
8bc4f4545561e21cdd577b644d7a5d8f4c19e026b967d6273577d4882f85d178
-
SHA512
d7f57cc4b769685598097b8e9463471c2d0ab63753b4486b13e9c6ae6d70dc6aa41562ee5e050f9bab572e9fa1d25b360ca710ad7df4c6d06a819bbf21fb1e99
-
SSDEEP
6144:lXt3T6MDdbICydeBimcmXKhJUPw6hmA1D08nx:lXttpcmXKnUoa1DPx
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/1290668556769427476/ri8OyKleH8ERz74URwMZpANFiRTeYD63D7NjwJsY5WG8j240BRZlOokdLv5NIuZDqhnK
Signatures
-
44Caliber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 1 freegeoip.app 3 freegeoip.app -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2320 start me 2.exe 2320 start me 2.exe 2320 start me 2.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2320 start me 2.exe