Malware Analysis Report

2024-11-15 06:30

Sample ID 220301-wtfr3abah4
Target 98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.bin
SHA256 98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab
Tags
44caliber spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab

Threat Level: Known bad

The file 98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.bin was found to be: Known bad.

Malicious Activity Summary

44caliber spyware stealer

44caliber family

44Caliber

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-03 17:38

Signatures

44caliber family

44caliber

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-01 18:12

Reported

2022-03-01 18:16

Platform

win7-20220223-en

Max time kernel

4294179s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe"

Signatures

44Caliber

stealer 44caliber

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe

"C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 172.67.188.154:443 freegeoip.app tcp

Files

memory/960-54-0x00000000002C0000-0x000000000030A000-memory.dmp

memory/960-55-0x000007FEF5343000-0x000007FEF5344000-memory.dmp

memory/960-56-0x000000001B110000-0x000000001B112000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-01 18:12

Reported

2022-03-01 18:16

Platform

win10v2004-en-20220113

Max time kernel

136s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe"

Signatures

44Caliber

stealer 44caliber

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe

"C:\Users\Admin\AppData\Local\Temp\98e1550881100955bf59a6b3120a60f45bf4bb91852c5e18fa24ed1affee40ab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 188.114.96.0:443 freegeoip.app tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 20.189.173.13:443 tcp

Files

memory/784-130-0x000001D6DEB10000-0x000001D6DEB5A000-memory.dmp

memory/784-131-0x00007FF9A6DE3000-0x00007FF9A6DE5000-memory.dmp

memory/784-132-0x000001D6FA650000-0x000001D6FA652000-memory.dmp