44caliber | a63d0da5401d3f5d28a9e8ac8c6a6fe7ba7eb7b1e1e60d1ec47a3eb7dd079808

Resubmissions

14-03-2022 20:45

220314-zj49fsccc8 10

02-03-2022 21:06

220302-zxssksgcd2 7

Analysis

max time kernel
151s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

inside3.exe
Size

282KB
MD5

0238e5a4b41c4dcff77e8b01e88bed22
SHA1

9c265d639104a538f708d5aaef6fcb9b61a8048f
SHA256

a63d0da5401d3f5d28a9e8ac8c6a6fe7ba7eb7b1e1e60d1ec47a3eb7dd079808
SHA512

4add1b607fdfd4159745a7ed1fb02543ce210b9e36996ea404c05fc491bce2471c452cbf0aad3de0b1f1f563ca23f843ef77d9d85ffc6828b6924c4fa34b4bac

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/943188844625428520/64LwO5Gsh0pUZCcm80BNwTcVPihRnEmr1rZOPj02k6T5sRc5Lq4sdaB2KyttNgJHeX3T

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 freegeoip.app
8 freegeoip.app

flow	ioc
7	freegeoip.app
8	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

inside3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	inside3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	inside3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

inside3.exe

pid process

1460 inside3.exe
1460 inside3.exe
1460 inside3.exe
1460 inside3.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

inside3.exe

description pid process

Token: SeDebugPrivilege 1460 inside3.exe

pid	process
1460	inside3.exe
1460	inside3.exe
1460	inside3.exe
1460	inside3.exe

description	pid	process
Token: SeDebugPrivilege	1460	inside3.exe

C:\Users\Admin\AppData\Local\Temp\inside3.exe
"C:\Users\Admin\AppData\Local\Temp\inside3.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1460-130-0x0000016BDF9A0000-0x0000016BDF9EA000-memory.dmp

Filesize
296KB

Download
memory/1460-131-0x00007FFCFFEE0000-0x00007FFD009A1000-memory.dmp

Filesize
10.8MB

Download
memory/1460-132-0x0000016BDFD40000-0x0000016BDFD42000-memory.dmp

Filesize
8KB

Download