44caliber | 93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f

General

Target

93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe
Size

666KB
MD5

92493532531788040b78f62f00c1d5d6
SHA1

e9a348440a7c42b4b9416830dba158f2c51fa68f
SHA256

93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f
SHA512

b0b6e704ff091318de64a05ce66a029831cb091d95257b184486b5369d22369cc1121a6eff304abce254ad760ba29dbc7cfcb2cd12261a50050e7728415ff818

Score

10^/10

44caliber njrat hacked spyware stealer trojan

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/947445080342556692/k5eX_haEP42zYxqA0vzh33TmF53CrHI3NFO_LEsqnIXkOW8GqH66QMKAvOSZ3Fkkfhjh

Extracted

Family

njrat

Version

Njrat 0.7 Golden By Hassan Amiri

Botnet

HacKed

C2

127.0.0.1:25565

Mutex

Windows Update

Attributes

reg_key
Windows Update
splitter
|Hassan|

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Executes dropped EXE 4 IoCs

Processes:

Server.exeOUPPO.exeInsidious.execsgo.exe

pid process

1664 Server.exe
1824 OUPPO.exe
1756 Insidious.exe
2724 csgo.exe

pid	process
1664	Server.exe
1824	OUPPO.exe
1756	Insidious.exe
2724	csgo.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exeServer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Server.exe

Drops startup file 2 IoCs

Processes:

csgo.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	csgo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Java update.exe	csgo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 freegeoip.app
9 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
8	freegeoip.app
9	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Modifies registry class 2 IoCs

Processes:

OUPPO.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OUPPO.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OUPPO.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Insidious.exeOUPPO.exe

pid process

1756 Insidious.exe
1756 Insidious.exe
1756 Insidious.exe
1756 Insidious.exe
1824 OUPPO.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Server.execsgo.exe

pid process

1664 Server.exe
2724 csgo.exe

pid	process
1756	Insidious.exe
1756	Insidious.exe
1756	Insidious.exe
1756	Insidious.exe
1824	OUPPO.exe

pid	process
1664	Server.exe
2724	csgo.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

Insidious.exeOUPPO.execsgo.exe

description	pid	process
Token: SeDebugPrivilege	1756	Insidious.exe
Token: SeDebugPrivilege	1824	OUPPO.exe
Token: SeDebugPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe
Token: 33	2724	csgo.exe
Token: SeIncBasePriorityPrivilege	2724	csgo.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exeServer.exe

description	pid	process	target process
PID 548 wrote to memory of 1664	548	93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe	Server.exe
PID 548 wrote to memory of 1664	548	93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe	Server.exe
PID 548 wrote to memory of 1664	548	93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe	Server.exe
PID 548 wrote to memory of 1824	548	93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe	OUPPO.exe
PID 548 wrote to memory of 1824	548	93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe	OUPPO.exe
PID 548 wrote to memory of 1824	548	93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe	OUPPO.exe
PID 548 wrote to memory of 1756	548	93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe	Insidious.exe
PID 548 wrote to memory of 1756	548	93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe	Insidious.exe
PID 1664 wrote to memory of 2724	1664	Server.exe	csgo.exe
PID 1664 wrote to memory of 2724	1664	Server.exe	csgo.exe
PID 1664 wrote to memory of 2724	1664	Server.exe	csgo.exe

C:\Users\Admin\AppData\Local\Temp\93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe
"C:\Users\Admin\AppData\Local\Temp\93667713af8e23ecde25e78d05f762ecd77d8a7b8667ec78a3cafbf43d724c4f.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\csgo.exe
"C:\Users\Admin\AppData\Local\Temp\csgo.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Users\Admin\AppData\Local\Temp\OUPPO.exe
"C:\Users\Admin\AppData\Local\Temp\OUPPO.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

MD5
818467636d598a4dc6fc6d89de7a9e57

SHA1
cb4bf08a35cf6e586bf76753fff1f43e1d61b4ca

SHA256
de55d02511c1d6b3b339299ec904b2a3605405e136d5d76b3b3d0d3818be25ea

SHA512
fe34c0ca523ae41f6ac41000f124a703f9fdfd949b80165f43898880d87be9a92c0aaca6ebc2acdea90a183e5c34bf906ceb290450d10bc5bdf86df6ba19034e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

MD5
818467636d598a4dc6fc6d89de7a9e57

SHA1
cb4bf08a35cf6e586bf76753fff1f43e1d61b4ca

SHA256
de55d02511c1d6b3b339299ec904b2a3605405e136d5d76b3b3d0d3818be25ea

SHA512
fe34c0ca523ae41f6ac41000f124a703f9fdfd949b80165f43898880d87be9a92c0aaca6ebc2acdea90a183e5c34bf906ceb290450d10bc5bdf86df6ba19034e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUPPO.exe

MD5
bf9e924aaf11a12005d2f2d36ac87441

SHA1
b78f005f558deea3beab17d4062fe50d40576822

SHA256
5a5fba380366ce98b4b040b2f3186dd18da4d27f67a0627e2b6f5230d4059261

SHA512
e4323d7b1242849167ff7d8fa1c5361b4b9c7a9e5240f5683aef7396ec132e005094032a0c6ddc8904e9e98a92d27947a7a65bd3d21e006f449480f0cb11e9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUPPO.exe

MD5
bf9e924aaf11a12005d2f2d36ac87441

SHA1
b78f005f558deea3beab17d4062fe50d40576822

SHA256
5a5fba380366ce98b4b040b2f3186dd18da4d27f67a0627e2b6f5230d4059261

SHA512
e4323d7b1242849167ff7d8fa1c5361b4b9c7a9e5240f5683aef7396ec132e005094032a0c6ddc8904e9e98a92d27947a7a65bd3d21e006f449480f0cb11e9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5
de4d468220008d0050ab60cd0091177c

SHA1
cbdd291fa512b43ef9a1a572c4d5f6c1ea590ada

SHA256
0cb50e1f328aa44d13490a50408c8f73a0f464fc895219748edeec58335f03ee

SHA512
ff58acfd1dcc7ec73aea3f13cd97033fd79eaeeb48dd77f484458dbc2378000d2229810e0eb61d0362b92214bad275c5258846f59016414fed457c7727451ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

MD5
de4d468220008d0050ab60cd0091177c

SHA1
cbdd291fa512b43ef9a1a572c4d5f6c1ea590ada

SHA256
0cb50e1f328aa44d13490a50408c8f73a0f464fc895219748edeec58335f03ee

SHA512
ff58acfd1dcc7ec73aea3f13cd97033fd79eaeeb48dd77f484458dbc2378000d2229810e0eb61d0362b92214bad275c5258846f59016414fed457c7727451ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\csgo.exe

MD5
de4d468220008d0050ab60cd0091177c

SHA1
cbdd291fa512b43ef9a1a572c4d5f6c1ea590ada

SHA256
0cb50e1f328aa44d13490a50408c8f73a0f464fc895219748edeec58335f03ee

SHA512
ff58acfd1dcc7ec73aea3f13cd97033fd79eaeeb48dd77f484458dbc2378000d2229810e0eb61d0362b92214bad275c5258846f59016414fed457c7727451ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\csgo.exe

MD5
de4d468220008d0050ab60cd0091177c

SHA1
cbdd291fa512b43ef9a1a572c4d5f6c1ea590ada

SHA256
0cb50e1f328aa44d13490a50408c8f73a0f464fc895219748edeec58335f03ee

SHA512
ff58acfd1dcc7ec73aea3f13cd97033fd79eaeeb48dd77f484458dbc2378000d2229810e0eb61d0362b92214bad275c5258846f59016414fed457c7727451ca4

Download Submit
memory/548-130-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1664-142-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1664-131-0x0000000000000000-mapping.dmp

Download
memory/1664-143-0x0000000004CD0000-0x0000000004D6C000-memory.dmp

Filesize
624KB

Download
memory/1756-140-0x000002952A720000-0x000002952A76A000-memory.dmp

Filesize
296KB

Download
memory/1756-144-0x00007FF804A70000-0x00007FF805531000-memory.dmp

Filesize
10.8MB

Download
memory/1756-146-0x000002952AAC0000-0x000002952AAC2000-memory.dmp

Filesize
8KB

Download
memory/1756-137-0x0000000000000000-mapping.dmp

Download
memory/1824-145-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/1824-141-0x0000000000C60000-0x0000000000C84000-memory.dmp

Filesize
144KB

Download
memory/1824-147-0x0000000005540000-0x00000000055D2000-memory.dmp

Filesize
584KB

Download
memory/1824-148-0x00000000054F0000-0x00000000054FA000-memory.dmp

Filesize
40KB

Download
memory/1824-149-0x0000000005640000-0x0000000005BE4000-memory.dmp

Filesize
5.6MB

Download
memory/1824-133-0x0000000000000000-mapping.dmp

Download
memory/2724-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads