Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-11-2024 02:58
Static task
static1
Behavioral task
behavioral1
Sample
93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
Resource
win7-20240903-en
General
-
Target
93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
-
Size
1.2MB
-
MD5
b3cdce3b009f3e939234082945e89807
-
SHA1
7129f64c79954ba3e764efd44eaf3567a541ccac
-
SHA256
93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82
-
SHA512
97ab0bc727fac0e3d5a5231266fc5de257f3ddbc614990ed487e41897847ceaf2e027e9f2e93fb44f077532e87f472d902b7f3ba70b75db904a66f706a428ecd
-
SSDEEP
24576:gFtCQinvekY81UmRAOO0+B+i/rOjX25RxQps2ARjTjMpXCYmJS:Wv5mRfO9bzOjX21QJA9H6CYX
Malware Config
Extracted
44caliber
https://discord.com/api/webhooks/899702716115329035/bngOeqo8LUOszmsJtzqpLnMtfNXAZr9oXhUZ9DwQPgZG1cj1Y0F0qgN18O94CQ_gvLSj
Signatures
-
44Caliber family
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 freegeoip.app 6 freegeoip.app -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1524 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe 1524 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 1524 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe 1524 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe 1524 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe 1524 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1524 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1524 93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe"C:\Users\Admin\AppData\Local\Temp\93d019a96cfeb007a6baf5b8d463ebf36bc5dbaabe213e7df6189d566f813e82.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1524
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
105B
MD52e9d094dda5cdc3ce6519f75943a4ff4
SHA15d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
Filesize
1KB
MD5eb44556e6c1782f22b554c0c872d8ef4
SHA16d2bcb9586a6024ec9f92501b1e4718400855546
SHA256e7734b37edf5bee830f24a37584cf857bfbdb0b6644a6bc789616d9b040d1677
SHA512c439aa31174d11c95661ec2bb3d9d769834b9285a80f9b0c67b52ae1c078e7bc0efab1d7309f33dd4978ca9f4e4545084c7e5d9119f880b10420915cbacf7d99
-
Filesize
355B
MD509310db260819e4a1b570b0eebed882e
SHA15d3b5367a68f41af424f66c218c110f32f70baa4
SHA2569789eb7b20929ac2e086b7c74ef2fa5fe331f09560e1caa661c7135c7ef23635
SHA512c4b5b8731127bff877c27dd9d59daae64669d51d8d409ae90a55e0c4f0f00c929f73e32d520ebe7b108863b34035c9350f94805c7403bb085b078ce01d0494c1
-
Filesize
979B
MD5a1e7cd9be0cb60705294f7b04512b988
SHA1e21e47cbbd287fcf84dac07885ba7bf34ed0bf89
SHA256e0ca204c958f3e07bec991e9b7fd4093715388231a8cc570259bdf227a32bc50
SHA512de144751878e6ec137ea243196908b2ff7da27dc7754127b3770137c10c4c06a1a69bdc2bfae16bbb3790f5386019ea8b6a82354d55789b3084f71c46a6cb89f
-
Filesize
964B
MD55a5e4ab85481b45fd966285820199a39
SHA178217f46248cd8a3c002ccb1b27b0ec223d845b4
SHA256f4f8bac94e10f435ad769e2318facb1ea6832d58ace7bd2ad01f3168bea6747b
SHA5123528ab21ab7f80361d642d2621fcc20000229e559387970594f27fadd85c011d94fd338904e878a4e95b0cc88572be1f0f3e319ecee18384abd02b39dbdfdc21
-
Filesize
1000B
MD57ac991de37f4fc3852e3da9b3f85bcb2
SHA1fceab590d077cb9cd2b11b0265deb1253012bb42
SHA2562882a211d5fdf7e7e5535c612f4118da16fd0b6a501bb381b7b02c512cdb6b85
SHA51238d49eab9187a4ac73c1b92b8760852590fb5bff6c9f40dd6bd577eff0fc6c19d9503b8b028b3fd38bc14c63d344712e25b2306a2699e9de5103d21819b5ce0c