
Windows Analysis Report E9NhUneknw

Overview

General Information

Sample Name: E9NhUneknw (renamed file extension from none to exe)
Analysis ID: 466786
MD5: f3d648c4f3a0f9cfbead90e546efe8f6
SHA1: cba4d6e13b5f1e766914ef65ff50c19bb295c17f
SHA256: cd80318bc4c724934435231e72cbf7cbf5942df8b36e480603237e2ed08d4a93
Tags: 32exe

Detection

44Caliber Stealer
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected 44Caliber Stealer
Antivirus / Scanner detection for submitted sample
Tries to steal Crypto Currency Wallets
Contains functionality to capture screen (.Net source)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Queries information about the installed CPU (vendor, model number etc)
Sample file is different than original file name gathered from version info
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Process Tree

  • System is w10x64
  • E9NhUneknw.exe (PID: 6904 cmdline: 'C:\Users\user\Desktop\E9NhUneknw.exe' MD5: F3D648C4F3A0F9CFBEAD90E546EFE8F6)
  • cleanup

Malware Configuration

Threatname: 44Caliber Stealer

{"Discord Webhook": "https://discord.com/api/webhooks/877106556905328661/OyLkuIbHolsGkE_Gsdhp8C-pOzTVH86ebFWF0y5BTWS_pIz1kXoCYdJjwftfW7KLWuy0\u0001logger"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
E9NhUneknw.exe | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security |
E9NhUneknw.exe | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.667396835.00000000004F2000.00000002.00020000.sdmp | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security |
00000000.00000000.667396835.00000000004F2000.00000002.00020000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.683309433.00000000004F2000.00000002.00020000.sdmp | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security |
00000000.00000002.683309433.00000000004F2000.00000002.00020000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.685062337.000000000292E000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.E9NhUneknw.exe.4f0000.0.unpack | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security |
0.0.E9NhUneknw.exe.4f0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.E9NhUneknw.exe.4f0000.0.unpack | JoeSecurity_44CaliberStealer | Yara detected 44Caliber Stealer | Joe Security |
0.2.E9NhUneknw.exe.4f0000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.E9NhUneknw.exe.4f0000.0.unpack; Malware Configuration Extractor: 44Caliber Stealer {"Discord Webhook": "https://discord.com/api/webhooks/877106556905328661/OyLkuIbHolsGkE_Gsdhp8C-pOzTVH86ebFWF0y5BTWS_pIz1kXoCYdJjwftfW7KLWuy0\u0001logger"}
Multi AV Scanner detection for submitted file
Source: E9NhUneknw.exe; Virustotal: Detection: 67%
Antivirus / Scanner detection for submitted sample
Source: E9NhUneknw.exe; Avira: detected
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Code function: 0_2_00007FFA35FD557A CryptUnprotectData, 0_2_00007FFA35FD557A
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Code function: 0_2_00007FFA35FDC4B9 CryptUnprotectData, 0_2_00007FFA35FDC4B9
Source: unknown; HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: E9NhUneknw.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb" source: E9NhUneknw.exe, 00000000.00000003.673158824.0000000000A24000.00000004.00000001.sdmp
Source: Binary string: .PDBimeS source: E9NhUneknw.exe, 00000000.00000002.683565920.000000000099B000.00000004.00000020.sdmp
Source: Binary string: E:\44CALIBER-main\44CALIBER-main\44CALIBER\obj\Release\Insidious.pdb source: E9NhUneknw.exe
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View; IP Address: 172.67.188.154 172.67.188.154
Source: unknown; HTTPS traffic detected: 172.67.188.154:443 -> 192.168.2.4:49733 version: TLS 1.0
Source: unknown; Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49733
Source: E9NhUneknw.exe, 00000000.00000002.686692878.0000000002AD1000.00000004.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: E9NhUneknw.exe, 00000000.00000002.686692878.0000000002AD1000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: E9NhUneknw.exe, 00000000.00000002.686692878.0000000002AD1000.00000004.00000001.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: E9NhUneknw.exe, 00000000.00000002.686692878.0000000002AD1000.00000004.00000001.sdmp; String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0
Source: E9NhUneknw.exe, 00000000.00000002.686340624.0000000002A48000.00000004.00000001.sdmp; String found in binary or memory: http://download.divx.com/player/divxdotcom/DivXWebPlayerInstaller.exe
Source: E9NhUneknw.exe, 00000000.00000002.686340624.0000000002A48000.00000004.00000001.sdmp; String found in binary or memory: http://fpdownload.macromedia.com/get/shockwave/default/english/win95nt/latest/Shockwave_Installer_Sl
Source: E9NhUneknw.exe, 00000000.00000002.686692878.0000000002AD1000.00000004.00000001.sdmp; String found in binary or memory: http://freegeoip.app
Source: E9NhUneknw.exe, 00000000.00000003.682808349.000000001B654000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobp/1.0/
Source: E9NhUneknw.exe, 00000000.00000003.677573262.000000001B641000.00000004.00000001.sdmp; String found in binary or memory: http://ns.adobp/1.0/w
Source: E9NhUneknw.exe, 00000000.00000002.686692878.0000000002AD1000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: E9NhUneknw.exe, 00000000.00000002.686692878.0000000002AD1000.00000004.00000001.sdmp; String found in binary or memory: http://ocsp.digicert.com0:
Source: E9NhUneknw.exe, 00000000.00000002.686340624.0000000002A48000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: E9NhUneknw.exe, 00000000.00000002.686692878.0000000002AD1000.00000004.00000001.sdmp; String found in binary or memory: http://www.digicert.com/CPS0v
Source: E9NhUneknw.exe, 00000000.00000002.686589364.0000000002AA7000.00000004.00000001.sdmp, tmpC14B.tmp.dat.0.dr; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: E9NhUneknw.exe, E9NhUneknw.exe, 00000000.00000002.684605624.0000000002881000.00000004.00000001.sdmp; String found in binary or memory: https://api.vimeworld.ru/user/name/
Source: E9NhUneknw.exe; String found in binary or memory: https://api.vimeworld.ru/user/name/5https://freegeoip.app/xml/
Source: E9NhUneknw.exe, 00000000.00000002.686589364.0000000002AA7000.00000004.00000001.sdmp, tmpC14B.tmp.dat.0.dr; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: E9NhUneknw.exe; String found in binary or memory: https://discord.com/api/webhooks/877106556905328661/OyLkuIbHolsGkE_Gsdhp8C-pOzTVH86ebFWF0y5BTWS_pIz1
Source: E9NhUneknw.exe, 00000000.00000002.686589364.0000000002AA7000.00000004.00000001.sdmp, tmpC14B.tmp.dat.0.dr; String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: E9NhUneknw.exe, 00000000.00000002.686589364.0000000002AA7000.00000004.00000001.sdmp, tmpC14B.tmp.dat.0.dr; String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: E9NhUneknw.exe, 00000000.00000002.686589364.0000000002AA7000.00000004.00000001.sdmp, tmpC14B.tmp.dat.0.dr; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: E9NhUneknw.exe, 00000000.00000002.686340624.0000000002A48000.00000004.00000001.sdmp; String found in binary or memory: https://freegeoip.app
Source: E9NhUneknw.exe; String found in binary or memory: https://freegeoip.app/xml/
Source: E9NhUneknw.exe, 00000000.00000002.686340624.0000000002A48000.00000004.00000001.sdmp; String found in binary or memory: https://freegeoip.appx
Source: E9NhUneknw.exe, 00000000.00000002.686752727.0000000002AF0000.00000004.00000001.sdmp, E9NhUneknw.exe, 00000000.00000002.686761919.0000000002AF4000.00000004.00000001.sdmp; String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: E9NhUneknw.exe, 00000000.00000002.686589364.0000000002AA7000.00000004.00000001.sdmp, tmpC14B.tmp.dat.0.dr; String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: E9NhUneknw.exe, 00000000.00000002.686589364.0000000002AA7000.00000004.00000001.sdmp, tmpC14B.tmp.dat.0.dr; String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: E9NhUneknw.exe; String found in binary or memory: https://steamcommunity.com/profiles/
Source: E9NhUneknw.exe; String found in binary or memory: https://steamcommunity.com/profiles/ASOFTWARE
Source: E9NhUneknw.exe, 00000000.00000002.686340624.0000000002A48000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_divx
Source: E9NhUneknw.exe, 00000000.00000002.686340624.0000000002A48000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: E9NhUneknw.exe, 00000000.00000002.686340624.0000000002A48000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: E9NhUneknw.exe, 00000000.00000002.686340624.0000000002A48000.00000004.00000001.sdmp; String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: E9NhUneknw.exe, 00000000.00000002.686692878.0000000002AD1000.00000004.00000001.sdmp; String found in binary or memory: https://www.digicert.com/CPS0
Source: E9NhUneknw.exe, 00000000.00000002.686589364.0000000002AA7000.00000004.00000001.sdmp, tmpC14B.tmp.dat.0.dr; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown; DNS traffic detected: queries for: freegeoip.app

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to capture screen (.Net source)
Source: 0.0.E9NhUneknw.exe.4f0000.0.unpack, youknowcaliber/Screen.cs; .Net Code: GetScreen
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Code function: 0_2_00007FFA35FE3042, 0_2_00007FFA35FE3042
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Code function: 0_2_00007FFA35FD0E18, 0_2_00007FFA35FD0E18
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Code function: 0_2_00007FFA35FE2296, 0_2_00007FFA35FE2296
Source: E9NhUneknw.exe; Binary or memory string: OriginalFilename vs E9NhUneknw.exe
Source: E9NhUneknw.exe, 00000000.00000000.667396835.00000000004F2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameInsidious.exe6 vs E9NhUneknw.exe
Source: E9NhUneknw.exe, 00000000.00000002.683460236.000000000094A000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenameclr.dllT vs E9NhUneknw.exe
Source: E9NhUneknw.exe, 00000000.00000002.688849319.000000001B240000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs E9NhUneknw.exe
Source: E9NhUneknw.exe; Binary or memory string: OriginalFilenameInsidious.exe6 vs E9NhUneknw.exe
Source: E9NhUneknw.exe; Virustotal: Detection: 67%
Source: C:\Users\user\Desktop\E9NhUneknw.exe; File read: C:\Users\user\Desktop\E9NhUneknw.exe
Source: E9NhUneknw.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: E9NhUneknw.exe, youknowcaliber/Help.cs; Suspicious URL: 'https://api.vimeworld.ru/user/name/'
Source: 0.2.E9NhUneknw.exe.4f0000.0.unpack, youknowcaliber/Help.cs; Suspicious URL: 'https://api.vimeworld.ru/user/name/'
Source: 0.0.E9NhUneknw.exe.4f0000.0.unpack, youknowcaliber/Help.cs; Suspicious URL: 'https://api.vimeworld.ru/user/name/'
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\E9NhUneknw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\E9NhUneknw.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\E9NhUneknw.exe; File created: C:\Users\user\AppData\Local\44
Source: C:\Users\user\Desktop\E9NhUneknw.exe; File created: C:\Users\user\AppData\Local\Temp\tmpC14B.tmp
Source: classification engine; Classification label: mal92.troj.spyw.evad.winEXE@1/9@1/1
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Users\user\Desktop\E9NhUneknw.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: E9NhUneknw.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: E9NhUneknw.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: E9NhUneknw.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb" source: E9NhUneknw.exe, 00000000.00000003.673158824.0000000000A24000.00000004.00000001.sdmp
Source: Binary string: .PDBimeS source: E9NhUneknw.exe, 00000000.00000002.683565920.000000000099B000.00000004.00000020.sdmp
Source: Binary string: E:\44CALIBER-main\44CALIBER-main\44CALIBER\obj\Release\Insidious.pdb source: E9NhUneknw.exe
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Code function: 0_2_00007FFA35FD5829 push eax; retf 0_2_00007FFA35FD59DD
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Code function: 0_2_00007FFA35FD550A push eax; retf 0_2_00007FFA35FD5563
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Code function: 0_2_00007FFA35FD5572 push eax; retf 0_2_00007FFA35FD5573
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Code function: 0_2_00007FFA35FD55A0 push eax; retf 0_2_00007FFA35FD5563
Source: E9NhUneknw.exe; Static PE information: 0xE4DD3EAE [Tue Sep 4 00:39:10 2091 UTC]
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\E9NhUneknw.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\E9NhUneknw.exe TID: 6924; Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\E9NhUneknw.exe TID: 4732; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\E9NhUneknw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT ProcessorId FROM Win32_Processor
Source: C:\Users\user\Desktop\E9NhUneknw.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\E9NhUneknw.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Thread delayed: delay time: 922337203685477
Source: E9NhUneknw.exe, 00000000.00000002.689373636.000000001D251000.00000004.00000001.sdmp; Binary or memory string: VMware
Source: E9NhUneknw.exe, 00000000.00000002.689373636.000000001D251000.00000004.00000001.sdmp; Binary or memory string: Win32_VideoController(Standard display types)VMwareM4PWCN5RWin32_VideoController_VG81BS9VideoController120060621000000.000000-00035525620display.infMSBDAT721FNDFPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsZERY_XE5rogr
Source: E9NhUneknw.exe, 00000000.00000002.688849319.000000001B240000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: E9NhUneknw.exe, 00000000.00000002.688849319.000000001B240000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: E9NhUneknw.exe, 00000000.00000002.688849319.000000001B240000.00000002.00000001.sdmp; Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: E9NhUneknw.exe, 00000000.00000002.689054710.000000001B840000.00000004.00000001.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ
Source: E9NhUneknw.exe, 00000000.00000002.688849319.000000001B240000.00000002.00000001.sdmp; Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Queries volume information: C:\Users\user\Desktop\E9NhUneknw.exe VolumeInformation
Source: C:\Users\user\Desktop\E9NhUneknw.exe; Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                        Source: C:\Users\user\Desktop\E9NhUneknw.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0Jump to behavior
                        Source: C:\Users\user\Desktop\E9NhUneknw.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information:

Yara detected 44Caliber Stealer
Source: Yara match | File source: E9NhUneknw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.E9NhUneknw.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E9NhUneknw.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.667396835.00000000004F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.683309433.00000000004F2000.00000002.00020000.sdmp, type: MEMORY

Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\E9NhUneknw.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\

Found many strings related to Crypto-Wallets (likely being stolen)
Source: E9NhUneknw.exe | String found in binary or memory: ElectrumDir
Source: E9NhUneknw.exe, 00000000.00000002.685062337.000000000292E000.00000004.00000001.sdmp | String found in binary or memory: 1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: E9NhUneknw.exe | String found in binary or memory: JaxxDir
Source: E9NhUneknw.exe | String found in binary or memory: \Exodus\exodus.wallet\
Source: E9NhUneknw.exe | String found in binary or memory: \Ethereum\keystore
Source: E9NhUneknw.exe | String found in binary or memory: ExodusDir
Source: E9NhUneknw.exe | String found in binary or memory: EthereumDir

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\E9NhUneknw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
Source: C:\Users\user\Desktop\E9NhUneknw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\E9NhUneknw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\E9NhUneknw.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: Yara match | File source: E9NhUneknw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.E9NhUneknw.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E9NhUneknw.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.667396835.00000000004F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.683309433.00000000004F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.685062337.000000000292E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E9NhUneknw.exe PID: 6904, type: MEMORYSTR

Remote Access Functionality:

Yara detected 44Caliber Stealer
Source: Yara match | File source: E9NhUneknw.exe, type: SAMPLE
Source: Yara match | File source: 0.0.E9NhUneknw.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.E9NhUneknw.exe.4f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.667396835.00000000004F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.683309433.00000000004F2000.00000002.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 121 | Path Interception | Path Interception | Masquerading 1 | OS Credential Dumping 1 | Query Registry 1 | Remote Services | Screen Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 121 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 141 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Local System 3 | Automated Exfiltration | Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Virtualization/Sandbox Evasion 141 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Timestomp 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery 33 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

Behavior Graph

Behavior Graph ID: 466786 (graph image not reproduced; legend node types: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other language, Is malicious, Internet)