Analysis
-
max time kernel
79s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-11-2024 02:58
Static task
static1
Behavioral task
behavioral1
Sample
93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
Resource
win7-20240903-en
General
-
Target
93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
-
Size
1.2MB
-
MD5
b3cdce3b009f3e939234082945e89807
-
SHA1
7129f64c79954ba3e764efd44eaf3567a541ccac
-
SHA256
93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82
-
SHA512
97ab0bc727fac0e3d5a5231266fc5de257f3ddbc614990ed487e41897847ceaf2e027e9f2e93fb44f077532e87f472d902b7f3ba70b75db904a66f706a428ecd
-
SSDEEP
24576:gFtCQinvekY81UmRAOO0+B+i/rOjX25RxQps2ARjTjMpXCYmJS:Wv5mRfO9bzOjX21QJA9H6CYX
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/899702716115329035/bngOeqo8LUOszmsJtzqpLnMtfNXAZr9oXhUZ9DwQPgZG1cj1Y0F0qgN18O94CQ_gvLSj
Signatures
-
44Caliber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 freegeoip.app 5 freegeoip.app -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3052 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe 3052 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3052 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe 3052 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe 3052 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe 3052 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3052 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3052 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe"C:\Users\Admin\AppData\Local\Temp\93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3052