Analysis

  • max time kernel: 112s
  • max time network: 154s
  • platform: windows10-2004_x64
  • resource: win10v2004-en-20220112
  • submitted: 01-03-2022 18:14

General

  • Target: f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
  • Size: 252KB
  • MD5: 727f871c6a9151b9c7edd435b2e0a4a0
  • SHA1: 2a857cbe7c20a04cb668045d8f2bb0241ec7a4ce
  • SHA256: f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9
  • SHA512: f95ce1f9b33d38c3ac4e66ad945673c35aa730dacb0bc9426367f28241a79daa9a51ad145526f6aed8034972168ed55cf4e432e1a257fc9a72ca913cb93cb6d4

Malware Config

Extracted

  • Family: 44caliber
  • C2: https://discordapp.com/api/webhooks/941986689709137930/LKCHnOiVuh0n3jE7BdB9bpDlzvK0fX8pEXx58iWJcCPcde_CC8MD15H7kSkIFx040A5u

The C2 is a Discord webhook rather than attacker-hosted infrastructure: the numeric path segment (941986689709137930) is the webhook ID and the trailing string is the token that authorises anyone holding it to post into the operator's channel. Treat the URL as both an indicator and a credential: block or report it, but do not POST to it from an analyst workstation, since that delivers data to the operator. No traffic to this webhook appears in the network capture below.
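The webhook URL above can be triaged offline without ever contacting Discord. The Python below is an added example written for this page, not code from the 44Caliber project or from the sandbox: it pulls the webhook ID and token out of a config dump or strings output, decodes the creation time that Discord encodes in the ID (a snowflake whose top 42 bits are milliseconds since 2015-01-01 UTC) and produces a token-masked form for reports. The regex, the DISCORD_EPOCH_MS constant and the function names are the example's own; the only input is the C2 string from this report.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Discord's snowflake epoch, 2015-01-01T00:00:00Z, in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000

# Webhook URL shape used by Discord on its discord.com / discordapp.com hosts.
# Group 1 is the numeric webhook ID (a snowflake), group 2 the secret token.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?"
    r"webhooks/(\d{17,20})/([A-Za-z0-9_\-]+)"
)


def snowflake_time(snowflake: int) -> datetime:
    """Creation time encoded in a Discord snowflake.

    Bits 22..63 hold milliseconds since the Discord epoch; the low 22 bits are
    worker/process/sequence fields and carry no time information.
    """
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


def parse_webhook(url: str) -> Optional[Dict[str, object]]:
    """Split a Discord webhook URL into ID, token, creation time and a redacted form."""
    m = WEBHOOK_RE.search(url)
    if not m:
        return None
    webhook_id, token = m.group(1), m.group(2)
    return {
        "webhook_id": webhook_id,
        "token": token,
        "created": snowflake_time(int(webhook_id)),
        # Safe to paste into a ticket: the token is the credential, so mask it.
        "redacted": f"discord webhook {webhook_id} token {token[:4]}...{token[-4:]}",
    }


def extract_webhooks(blob: str) -> List[Dict[str, object]]:
    """Find every Discord webhook in a config dump or `strings` output."""
    return [parse_webhook(m.group(0)) for m in WEBHOOK_RE.finditer(blob)]


# The C2 extracted from the sample above, embedded here as the example's input.
C2_URL = (
    "https://discordapp.com/api/webhooks/941986689709137930/"
    "LKCHnOiVuh0n3jE7BdB9bpDlzvK0fX8pEXx58iWJcCPcde_CC8MD15H7kSkIFx040A5u"
)

if __name__ == "__main__":
    info = parse_webhook(C2_URL)
    print(info["redacted"], "created", info["created"].isoformat(timespec="seconds"))
```

For this sample the ID decodes to 2022-02-12 UTC, about two and a half weeks before the 01-03-2022 submission, which gives a lower bound on when the operator set up the exfiltration channel. The same regex works as a YARA or strings-search pattern for finding webhook C2s in other stealer builds.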

Signatures

  • 44Caliber
    An open-source infostealer written in C#. It exfiltrates what it collects by posting to a Discord webhook, which is the C2 extracted above.
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers read the browser profile directories, which hold saved credentials, cookies, autofill data and session tokens.
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
    This signature fires on access to known wallet storage paths, which stealers read to harvest private keys or seed material.
  • Looks up external IP address via web service (2 IoCs)
    The sample queries a legitimate geolocation service, here https://freegeoip.app/xml/ (see Network), to learn the victim's public IP and country, normally so the exfiltrated report can be tagged with them. The request carries only Host and Connection headers and no User-Agent, which is a usable detection feature wherever TLS is inspected.
  • Checks processor information in registry (2 TTPs, 2 IoCs)
    CPU details read from the registry serve both to fingerprint the host for the stealer's report and to detect sandboxes and VMs, for example by checking the processor vendor string or core count.
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
    The sample enumerates running processes, which stealers do to locate target browsers and wallet applications or to spot analysis tools.
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
    The sample adjusts privileges on its own access token (AdjustTokenPrivileges), typically to enable a privilege such as SeDebugPrivilege before opening other processes.

Processes

  • C:\Users\Admin\AppData\Local\Temp\f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe (PID 3780)
    Command line: "C:\Users\Admin\AppData\Local\Temp\f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe"
    Root of the process tree; no child processes were recorded.
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken

Network

Only the freegeoip.app DNS lookup and the HTTPS request to it are attributed to the sample process in this run. The Delivery Optimization traffic to *.prod.do.dsp.mp.microsoft.com (User-Agent Microsoft-Delivery-Optimization/10.0) and the unattributed TCP connections in the flow summary carry no process attribution and are background activity of the Windows analysis VM, not sample behaviour. Country tags in brackets are the sandbox's geolocation of the remote address.

  • DNS freegeoip.app [US]
    Process: f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
    Remote address: 8.8.8.8:53
    Request: freegeoip.app IN A
    Response: freegeoip.app IN A 188.114.96.0
              freegeoip.app IN A 188.114.97.0
  • GET https://freegeoip.app/xml/ [US]
    Process: f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
    Remote address: 188.114.96.0:443
    Request:
      GET /xml/ HTTP/1.1
      Host: freegeoip.app
      Connection: Keep-Alive
    Response:
      HTTP/1.1 200 OK
      Date: Tue, 01 Mar 2022 18:16:50 GMT
      Content-Type: application/xml
      Content-Length: 334
      Connection: keep-alive
      RateLimit-Limit: 1200
      RateLimit-Remaining: 1171
      RateLimit-Reset: 2590
      X-RateLimit-Limit-Hour: 1200
      X-RateLimit-Remaining-Hour: 1171
      Vary: Origin
      vary: Origin
      X-Database-Date: Thu, 24 Feb 2022 15:28:15 GMT
      Access-Control-Allow-Origin: *
      X-Kong-Upstream-Latency: 0
      X-Kong-Proxy-Latency: 1
      Via: kong/2.5.1
      CF-Cache-Status: DYNAMIC
      Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Zo4y8qN00kRyEdPdS35JbZVoTSpJ4cyUzytvYOzp%2FqY2Pv1LDa5pKxLdSuGKxcmrpjWttjtXFFoF%2BcM8SjQeuOOo99r%2FfEyjq8ZPTYWGYfIsNuPQByvPKsoTuo%2FS7Rap"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 6e53e2d2ec050c65-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    The request sends no User-Agent; the 334-byte XML body is the service's geolocation record for the VM's public address.
  • DNS geo.prod.do.dsp.mp.microsoft.com [US]
    Remote address: 8.8.8.8:53
    Request: geo.prod.do.dsp.mp.microsoft.com IN A
    Response: geo.prod.do.dsp.mp.microsoft.com IN CNAME geo.prod.do.dsp.trafficmanager.net
              geo.prod.do.dsp.trafficmanager.net IN CNAME array509.prod.do.dsp.mp.microsoft.com
              array509.prod.do.dsp.mp.microsoft.com IN A 52.184.217.56
  • DNS kv801.prod.do.dsp.mp.microsoft.com [US]
    Remote address: 8.8.8.8:53
    Request: kv801.prod.do.dsp.mp.microsoft.com IN A
    Response: kv801.prod.do.dsp.mp.microsoft.com IN CNAME kv801.prod.do.dsp.mp.microsoft.com.edgekey.net
              kv801.prod.do.dsp.mp.microsoft.com.edgekey.net IN CNAME e12437.g.akamaiedge.net
              e12437.g.akamaiedge.net IN A 184.29.205.60
  • GET https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=6 [NL]
    Remote address: 184.29.205.60:443
    Request:
      GET /all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=6 HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Microsoft-Delivery-Optimization/10.0
      MS-CV: f3lgBz9Db0G0OZms.2.1.1
      Content-Length: 0
      Host: kv801.prod.do.dsp.mp.microsoft.com
    Response:
      HTTP/1.1 200 OK
      Content-Type: text/json
      Server: Microsoft-IIS/10.0
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Content-Length: 808
      Cache-Control: max-age=58
      Date: Tue, 01 Mar 2022 18:17:06 GMT
      Connection: keep-alive
  • DNS cp801.prod.do.dsp.mp.microsoft.com [US]
    Remote address: 8.8.8.8:53
    Request: cp801.prod.do.dsp.mp.microsoft.com IN A
    Response: cp801.prod.do.dsp.mp.microsoft.com IN CNAME cp801.prod.do.dsp.mp.microsoft.com.edgekey.net
              cp801.prod.do.dsp.mp.microsoft.com.edgekey.net IN CNAME e12437.g.akamaiedge.net
              e12437.g.akamaiedge.net IN A 184.29.205.60
  • GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6 [NL]
    Remote address: 184.29.205.60:443
    Request:
      GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6 HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Microsoft-Delivery-Optimization/10.0
      MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.1.1.1
      Content-Length: 0
      Host: cp801.prod.do.dsp.mp.microsoft.com
    Response:
      HTTP/1.1 200 OK
      Content-Type: text/json
      Server: Microsoft-IIS/10.0
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Content-Length: 366
      Cache-Control: max-age=33100
      Date: Tue, 01 Mar 2022 18:17:06 GMT
      Connection: keep-alive
  • GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6 [NL]
    (second, separate request for the same content; only the MS-CV correlation vector differs)
    Remote address: 184.29.205.60:443
    Request:
      GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6 HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Microsoft-Delivery-Optimization/10.0
      MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.2.1.1
      Content-Length: 0
      Host: cp801.prod.do.dsp.mp.microsoft.com
    Response:
      HTTP/1.1 200 OK
      Content-Type: text/json
      Server: Microsoft-IIS/10.0
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Content-Length: 366
      Cache-Control: max-age=33100
      Date: Tue, 01 Mar 2022 18:17:06 GMT
      Connection: keep-alive
Flow summary (one entry per remote endpoint; byte and packet counts are given as sent / received from the VM's side where the report breaks them out):

  • 104.80.224.57:443
    322 B, 7 packets (no process attribution; direction not broken out)
  • 93.184.220.29:80
    260 B, 5 packets (no process attribution; direction not broken out)
  • 188.114.96.0:443, https://freegeoip.app/xml/, tls, http
    Process: f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
    Sent 766 B / 9 packets, received 4.5kB / 8 packets
    HTTP Request: GET https://freegeoip.app/xml/
    HTTP Response: 200
  • 52.184.217.56:443, geo.prod.do.dsp.mp.microsoft.com, tls, https
    Sent 1.2kB / 12 packets, received 3.5kB / 9 packets
  • 184.29.205.60:443, https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=6, tls, http
    Sent 1.2kB / 11 packets, received 7.8kB / 13 packets
    HTTP Request: GET https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=6
    HTTP Response: 200
  • 184.29.205.60:443, https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6, tls, http
    Sent 1.4kB / 11 packets, received 7.3kB / 13 packets
    HTTP Request: GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6
    HTTP Response: 200
  • 184.29.205.60:443, https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6, tls, http
    Sent 1.4kB / 11 packets, received 7.3kB / 13 packets
    HTTP Request: GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=US&profile=256&CacheId=6
    HTTP Response: 200
  • 13.107.4.50:80
    322 B, 7 packets (no process attribution; direction not broken out)
  • 13.107.4.50:80
    322 B, 7 packets (no process attribution; direction not broken out)
  • 8.8.8.8:53, freegeoip.app, dns
    Process: f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe
    Sent 59 B / 1 packet, received 91 B / 1 packet
    DNS Request: freegeoip.app
    DNS Response: 188.114.96.0, 188.114.97.0
  • 8.8.8.8:53, geo.prod.do.dsp.mp.microsoft.com, dns
    Sent 78 B / 1 packet, received 165 B / 1 packet
    DNS Request: geo.prod.do.dsp.mp.microsoft.com
    DNS Response: 52.184.217.56
  • 8.8.8.8:53, kv801.prod.do.dsp.mp.microsoft.com, dns
    Sent 80 B / 1 packet, received 190 B / 1 packet
    DNS Request: kv801.prod.do.dsp.mp.microsoft.com
    DNS Response: 184.29.205.60
  • 8.8.8.8:53, cp801.prod.do.dsp.mp.microsoft.com, dns
    Sent 80 B / 1 packet, received 190 B / 1 packet
    DNS Request: cp801.prod.do.dsp.mp.microsoft.com
    DNS Response: 184.29.205.60
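The flow list above mixes sample-attributed traffic with unattributed Windows background noise, and the signature "Looks up external IP address via web service" reduces to the question of which hosts the sample process itself talked to. The Python below is an added example for this page, not sandbox or 44Caliber code: it parses a small tab-separated flow export constructed here from the rows above, keeps only flows attributed to the sample, flags public-IP and geolocation lookup services, checks whether the extracted C2 host was ever contacted, and emits an IoC set that leaves out the sandbox's DNS resolver. The export format, the Flow class, the IP_LOOKUP_HOSTS list and the function names are the example's own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Public "what is my IP" / geolocation services that stealers query to tag a
# victim report. Starting list for the example; extend it from your telemetry.
IP_LOOKUP_HOSTS = {
    "freegeoip.app", "api.ipify.org", "ip-api.com", "ipinfo.io",
    "icanhazip.com", "checkip.amazonaws.com", "ipwho.is",
}


@dataclass
class Flow:
    process: str    # "" when the sandbox attributed the flow to no process
    protocols: str  # e.g. "dns" or "tls,http"
    remote: str     # "ip:port"
    host: str       # queried name, TLS SNI or HTTP Host
    url: str        # full URL for HTTP flows, "" otherwise


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed tab-separated export used below.

    Columns: process, protocols, remote, host, url. A lone "-" means empty.
    """
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = ["" if f == "-" else f for f in line.split("\t")]
        if len(fields) != 5:
            raise ValueError(f"malformed flow line: {line!r}")
        flows.append(Flow(*fields))
    return flows


def triage(flows: List[Flow], sample: str, c2_url: str) -> Dict[str, object]:
    """Separate sample traffic from background and derive indicators from it."""
    c2_host = urlparse(c2_url).hostname
    attributed = [f for f in flows if f.process == sample]
    background = [f for f in flows if not f.process]
    # Traffic to the sandbox resolver is infrastructure, not an indicator, so
    # DNS flows contribute their queried name but not the resolver's address.
    ips = {f.remote.rsplit(":", 1)[0] for f in attributed
           if "dns" not in f.protocols.split(",")}
    domains = {f.host for f in attributed if f.host}
    return {
        "attributed_hosts": sorted(domains),
        "background_hosts": sorted({f.host for f in background if f.host}),
        "ip_lookup": sorted(domains & IP_LOOKUP_HOSTS),
        "c2_contacted": any(f.host == c2_host for f in flows),
        "iocs": {
            "domains": sorted(domains),
            "ips": sorted(ips),
            "urls": sorted({f.url for f in attributed if f.url}),
        },
    }


SAMPLE = "f33ce8a56f6e635e42844edbd03569120d56c28dbb902a87316687667ff6c6b9.exe"
C2_URL = ("https://discordapp.com/api/webhooks/941986689709137930/"
          "LKCHnOiVuh0n3jE7BdB9bpDlzvK0fX8pEXx58iWJcCPcde_CC8MD15H7kSkIFx040A5u")

# Constructed from the report's flow rows above; not a real sandbox export.
FLOWS = "\n".join([
    f"{SAMPLE}\tdns\t8.8.8.8:53\tfreegeoip.app\t-",
    f"{SAMPLE}\ttls,http\t188.114.96.0:443\tfreegeoip.app\thttps://freegeoip.app/xml/",
    "-\tdns\t8.8.8.8:53\tgeo.prod.do.dsp.mp.microsoft.com\t-",
    "-\ttls,https\t52.184.217.56:443\tgeo.prod.do.dsp.mp.microsoft.com\t-",
    "-\ttls,http\t184.29.205.60:443\tkv801.prod.do.dsp.mp.microsoft.com\t"
    "https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=US&profile=256&CacheId=6",
    "-\t-\t13.107.4.50:80\t-\t-",
])

if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_flows(FLOWS), SAMPLE, C2_URL), indent=2))
```

Run against the constructed rows, the only host flagged is freegeoip.app, the Delivery Optimization endpoints land in background_hosts rather than in the IoC set, and c2_contacted is False, matching the observation that the webhook never appears in this capture. The resolver exclusion matters when the output feeds a blocklist: 8.8.8.8 is in every attributed DNS flow but is not an indicator of this sample.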

MITRE ATT&CK Enterprise v6

Downloads

Memory regions dumped from PID 3780:

  • memory/3780-130-0x000001ADA9120000-0x000001ADA9166000-memory.dmp (280KB)
  • memory/3780-131-0x00007FFFD0A93000-0x00007FFFD0A95000-memory.dmp (8KB)
  • memory/3780-132-0x000001ADAAEF0000-0x000001ADAAEF2000-memory.dmp (8KB)

The 280KB region (0x46000 bytes) is consistent with the 252KB PE mapped with section alignment, so it is the dump to open first when looking for the in-memory image and the webhook string that the config extractor recovered.
