44caliber | 347899570bba1cbaa4fe9149d71b7e2e07ea2d930d1bcb9e5762b242dd017887

General

Target

cheat-engine-7-404.exe
Size

3.0MB
MD5

cdc4636a35c109b43f2898e13e8dc666
SHA1

1c0807042275593c79da97799153b72929dfb2d8
SHA256

347899570bba1cbaa4fe9149d71b7e2e07ea2d930d1bcb9e5762b242dd017887
SHA512

9498fd4c2fc65ae0b1294f4d37f6a0df50d92ffd9709f79ffd9606add19962c7493f68dc7f279e398fecf68d2b57f0f87db5f4d2e7df3f31364cce26dbd0e4ef

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/973294177112686612/4QUQSbqvdZZd-DqEn3jQ1gWfu67yolKc4k1__wufBB-BWQv0dBmUKe8-IpUD-6DotJiV

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 3 IoCs

Processes:

cheat-engine-7-4.exeblackangus.execheat-engine-7-4.tmp

pid process

820 cheat-engine-7-4.exe
2192 blackangus.exe
964 cheat-engine-7-4.tmp

pid	process
820	cheat-engine-7-4.exe
2192	blackangus.exe
964	cheat-engine-7-4.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cheat-engine-7-404.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	cheat-engine-7-404.exe

Loads dropped DLL 3 IoCs

Processes:

cheat-engine-7-4.tmp

pid process

964 cheat-engine-7-4.tmp
964 cheat-engine-7-4.tmp
964 cheat-engine-7-4.tmp
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 freegeoip.app
12 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
964	cheat-engine-7-4.tmp
964	cheat-engine-7-4.tmp
964	cheat-engine-7-4.tmp

flow	ioc
11	freegeoip.app
12	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

blackangus.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	blackangus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	blackangus.exe

Modifies registry class 1 IoCs

Processes:

cheat-engine-7-404.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ cheat-engine-7-404.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 16 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cheat-engine-7-404.exe

description	flow	ioc
HTTP User-Agent header	16	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

cheat-engine-7-404.exeblackangus.execheat-engine-7-4.tmp

pid	process
1240	cheat-engine-7-404.exe
1240	cheat-engine-7-404.exe
1240	cheat-engine-7-404.exe
2192	blackangus.exe
2192	blackangus.exe
2192	blackangus.exe
2192	blackangus.exe
964	cheat-engine-7-4.tmp
964	cheat-engine-7-4.tmp
964	cheat-engine-7-4.tmp
964	cheat-engine-7-4.tmp
964	cheat-engine-7-4.tmp
964	cheat-engine-7-4.tmp
964	cheat-engine-7-4.tmp
964	cheat-engine-7-4.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cheat-engine-7-404.exeblackangus.exe

description pid process

Token: SeDebugPrivilege 1240 cheat-engine-7-404.exe
Token: SeDebugPrivilege 2192 blackangus.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

cheat-engine-7-4.tmp

pid process

964 cheat-engine-7-4.tmp

description	pid	process
Token: SeDebugPrivilege	1240	cheat-engine-7-404.exe
Token: SeDebugPrivilege	2192	blackangus.exe

pid	process
964	cheat-engine-7-4.tmp

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cheat-engine-7-404.execheat-engine-7-4.exe

description	pid	process	target process
PID 1240 wrote to memory of 820	1240	cheat-engine-7-404.exe	cheat-engine-7-4.exe
PID 1240 wrote to memory of 820	1240	cheat-engine-7-404.exe	cheat-engine-7-4.exe
PID 1240 wrote to memory of 820	1240	cheat-engine-7-404.exe	cheat-engine-7-4.exe
PID 1240 wrote to memory of 2192	1240	cheat-engine-7-404.exe	blackangus.exe
PID 1240 wrote to memory of 2192	1240	cheat-engine-7-404.exe	blackangus.exe
PID 820 wrote to memory of 964	820	cheat-engine-7-4.exe	cheat-engine-7-4.tmp
PID 820 wrote to memory of 964	820	cheat-engine-7-4.exe	cheat-engine-7-4.tmp
PID 820 wrote to memory of 964	820	cheat-engine-7-4.exe	cheat-engine-7-4.tmp

C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-404.exe
"C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-404.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-4.exe
"C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-4.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Local\Temp\is-P0A5G.tmp\cheat-engine-7-4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P0A5G.tmp\cheat-engine-7-4.tmp" /SL5="$1301D0,2408085,845312,C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-4.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:964

C:\Users\Admin\AppData\Local\Temp\blackangus.exe
"C:\Users\Admin\AppData\Local\Temp\blackangus.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2192

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\blackangus.exe
Filesize
275KB

MD5
f77897f8a1db43161bcd5bfe7660fe6e

SHA1
b1e7142f586de5a48adcd3a132053e6fc0258bf4

SHA256
067205b69d3c39c5553c45fe92408b0b7c69c8a9f5c2108c01524f4fd2fc7de9

SHA512
b6b12a311eef32cef295ade3fd642ef63f45ba3f6aa0d5b28cce968f79ed2c6cf324b2810fe51ab09328d3ff5a10c0c7e9f345901cd1af5191bbcb52286c3e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\blackangus.exe
Filesize
275KB

MD5
f77897f8a1db43161bcd5bfe7660fe6e

SHA1
b1e7142f586de5a48adcd3a132053e6fc0258bf4

SHA256
067205b69d3c39c5553c45fe92408b0b7c69c8a9f5c2108c01524f4fd2fc7de9

SHA512
b6b12a311eef32cef295ade3fd642ef63f45ba3f6aa0d5b28cce968f79ed2c6cf324b2810fe51ab09328d3ff5a10c0c7e9f345901cd1af5191bbcb52286c3e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-4.exe
Filesize
3.2MB

MD5
32e0a8e898a4aef3abe2c5c26d2570fb

SHA1
0c56076f2d4d905a08dc2e8c85a6fd4d184a0846

SHA256
6d0e14d66da69c163f824f8fa7d87de3eea41cdbd48c0973de296cf6d2d0fed3

SHA512
1cec6e1dd8eaea6bfc00c48403d3263db6a54d4012b87666da5ac2f83748ef9102ed97c026e185d3c8cc0342c8feafd0a27442dfc19d6d37b69a9d91168ab97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheat-engine-7-4.exe
Filesize
3.2MB

MD5
32e0a8e898a4aef3abe2c5c26d2570fb

SHA1
0c56076f2d4d905a08dc2e8c85a6fd4d184a0846

SHA256
6d0e14d66da69c163f824f8fa7d87de3eea41cdbd48c0973de296cf6d2d0fed3

SHA512
1cec6e1dd8eaea6bfc00c48403d3263db6a54d4012b87666da5ac2f83748ef9102ed97c026e185d3c8cc0342c8feafd0a27442dfc19d6d37b69a9d91168ab97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P0A5G.tmp\cheat-engine-7-4.tmp
Filesize
2.9MB

MD5
9858749c3a44de91503ba1124f98a4f0

SHA1
9e871a2a692fe7fa03cbd2b958a48eee9a694758

SHA256
058a000842e85dbf501d6fc76fa4a73e13b31102367d06d459c8ba8e7e91a201

SHA512
85c8f861cca5adee81d8707627ca008821993c19be35ed86372bd50457ed194d11138e9e34e3e527ef4253857eac372eedd0d7a511ae11927be36eefe39c5dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U8TRS.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U8TRS.tmp\botva2.dll
Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U8TRS.tmp\zbShieldUtils.dll
Filesize
2.0MB

MD5
e1f18a22199c6f6aa5d87b24e5b39ef1

SHA1
0dcd8f90b575f6f1d10d6789fe769fa26daafd0e

SHA256
62c56c8cf2ac6521ce047b73aa99b6d3952ca53f11d34b00e98d17674a2fc10d

SHA512
5a10a2f096adce6e7db3a40bc3ea3fd44d602966e606706ee5a780703f211de7f77656c79c296390baee1e008dc3ce327eaaf5d78bbae20108670c5bc809a190

Download Submit
memory/820-134-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/820-132-0x0000000000000000-mapping.dmp

Download
memory/820-148-0x0000000000400000-0x00000000004DC000-memory.dmp

Filesize
880KB

Download
memory/964-141-0x0000000000000000-mapping.dmp

Download
memory/964-147-0x0000000002CD0000-0x0000000002CDF000-memory.dmp

Filesize
60KB

Download
memory/1240-130-0x0000000000230000-0x000000000052E000-memory.dmp

Filesize
3.0MB

Download
memory/1240-131-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp

Filesize
10.8MB

Download
memory/2192-140-0x00000162CBE00000-0x00000162CBE4C000-memory.dmp

Filesize
304KB

Download
memory/2192-135-0x0000000000000000-mapping.dmp

Download
memory/2192-144-0x00007FFBFA0B0000-0x00007FFBFAB71000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads