44caliber

Target

Downloaders.zip
Size

12KB
Sample

250202-xbfvsawpaq
MD5

94fe78dc42e3403d06477f995770733c
SHA1

ea6ba4a14bab2a976d62ea7ddd4940ec90560586
SHA256

16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
SHA512

add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
SSDEEP

384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:8080

127.0.0.1:17027

2.tcp.ngrok.io:6606

2.tcp.ngrok.io:7707

2.tcp.ngrok.io:8808

2.tcp.ngrok.io:8080

2.tcp.ngrok.io:17027

Mutex

KSKA6RWWOYIu

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Extracted

Family

remcos

Botnet

RemoteHost

else-directors.gl.at.ply.gg:56448

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
$77-Bitdefender.exe
copy_folder
Bitdefender
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-Z3DS2J
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
VisualStudioServer
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

tieumao1995-51127.portmap.io:51127

Mutex

4119a2e0-4ae4-4843-8534-99af91a2475d

Attributes

encryption_key
DF6316067206E09C1F85138FCEBD56F5D94BF6AE
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Startup
subdirectory
SubDir

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

wzt5xcg.localto.net:1604

wzt5xcg.localto.net:5274

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
KYGOClient.exe
install_folder
%AppData%

aes.plain

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

217.195.197.192:1604

Mutex

iG5Qu7mo7JWZRWS2JY

Attributes

encryption_key
f8ffk4jC3Ygnfr2GgGiB
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Extracted

Family

44caliber

https://discord.com/api/webhooks/1146486791835230260/bE9QI2eAT_dyqn0dm7VljbMDjUklfKOXxq3ua0HOtKeG6TIgizThvorpCYQf2NEkabwH

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

82.117.243.110:5173

Mutex

yfsS9ida0wX8mgpdJC

Attributes

encryption_key
KDNBgA8jiBeGX1rj1dDt
install_name
csrss.exe
log_directory
Logs
reconnect_delay
3000
startup_key
NET framework
subdirectory
SubDir

Extracted

Family

xworm

super-nearest.gl.at.ply.gg:17835

26.185.184.104:942

26.185.184.104:0942

Attributes

install_file
USB.exe

Extracted

Family

quasar

Version

1.4.1

Botnet

Aryszx

Apichat:4782

Mutex

181f4a12-4cad-46a9-9896-1001033c5b69

Attributes

encryption_key
F4F359BEF442D9221F73F7D64267E0E300CC68CE
install_name
Runtime Broker.exe
log_directory
Logs
reconnect_delay
1
startup_key
Runtime Broker

Extracted

Family

quasar

Version

1.4.1

Botnet

ZJEB

VIPEEK1990-25013.portmap.host:25013

Mutex

ad21b115-2c1b-40cb-adba-a50736b76c21

Attributes

encryption_key
3EBA8BC34FA983893A9B07B831E7CEB183F7492D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Service
subdirectory
SubDir

Extracted

Family

vidar

https://t.me/m08mbk

https://steamcommunity.com/profiles/76561199820567237

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0

Extracted

Family

redline

Botnet

LiveTraffoc

4.185.56.82:42687

Targets

- Target
  
  Downloaders.zip
- Size
  
  12KB
- MD5
  
  94fe78dc42e3403d06477f995770733c
- SHA1
  
  ea6ba4a14bab2a976d62ea7ddd4940ec90560586
- SHA256
  
  16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
- SHA512
  
  add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
- SSDEEP
  
  384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Score

10^/10

44caliber asyncrat mimikatz quasar redline remcos vidar xworm aryszx default livetraffoc office office04 remotehost zjeb microsoft collection defense_evasion discovery evasion execution impact infostealer persistence phishing pyinstaller ransomware rat spyware stealer themida trojan upx vmprotect
- 44Caliber
  An open source infostealer written in C#.
  stealer 44caliber
- 44Caliber family
  44caliber
- AsyncRat
  AsyncRAT is designed to remotely monitor and control other computers written in C#.
  rat asyncrat
- Asyncrat family
  asyncrat
- Detect Xworm Payload
- Mimikatz
  mimikatz is an open source tool to dump credentials on Windows.
  mimikatz
- Mimikatz family
  mimikatz
- Quasar RAT
  Quasar is an open source Remote Access Tool.
  trojan spyware quasar
- Quasar family
  quasar
- Quasar payload
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- Redline family
  redline
- Remcos
  Remcos is a closed-source remote control and surveillance software.
  rat remcos
- Remcos family
  remcos
- UAC bypass
  defense_evasion trojan
- Vidar
  Vidar is an infostealer based on Arkei stealer.
  stealer vidar
- Vidar family
  vidar
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Xworm family
  xworm
- Async RAT payload
  rat
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  defense_evasion
- Modifies boot configuration data using bcdedit
  ransomware evasion
- mimikatz is an open source tool to dump credentials on Windows
- Adds policy Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Modifies Windows Firewall
  defense_evasion
- Sets service image path in registry
  persistence
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Uses the VBS compiler for execution
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- AutoIT Executable
  AutoIT scripts compiled to PE executables.
- Detected potential entity reuse from brand MICROSOFT.
  phishing microsoft
- Drops autorun.inf file
  Malware can abuse Windows Autorun to spread further via attached volumes.
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
behavioral1