44caliber | 98f61a34d1b53907d24096b09b5530b80ca42ce9dd4c50eafcc6fab3f45a0119

General

Target

Auto Block.exe
Size

2.2MB
MD5

006f5bbb2e6f9ce7d38edad078e753ba
SHA1

ae6bcb7f694bee6e52be7e7dc75a1d9ced78f75f
SHA256

98f61a34d1b53907d24096b09b5530b80ca42ce9dd4c50eafcc6fab3f45a0119
SHA512

f4e6aafe806fc71a728a500fa80cce83044bbe979252228b74e60b88f73ded979e917cbef1a987db176f323b6027298de102f4e867fb99ffe28c1b50d667bfff

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/987320469264928788/XHGBPVVk0PqB5Bug7qHP2xnrZN4CfIIFQe0thEyFCmF2MEQleEN98ae4oIo8Q6KdiaA_

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 2 IoCs

Processes:

Insidious.exeБХ.exe

pid process

1948 Insidious.exe
1260 БХ.exe
Loads dropped DLL 2 IoCs

Processes:

Auto Block.exe

pid process

1784 Auto Block.exe
1784 Auto Block.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
3 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1948	Insidious.exe
1260	БХ.exe

pid	process
1784	Auto Block.exe
1784	Auto Block.exe

flow	ioc
4	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Insidious.exe

pid process

1948 Insidious.exe
1948 Insidious.exe
1948 Insidious.exe
1948 Insidious.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious.exe

description pid process

Token: SeDebugPrivilege 1948 Insidious.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

БХ.exe

pid process

1260 БХ.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

БХ.exe

pid process

1260 БХ.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

БХ.exe

pid process

1260 БХ.exe

pid	process
1948	Insidious.exe
1948	Insidious.exe
1948	Insidious.exe
1948	Insidious.exe

description	pid	process
Token: SeDebugPrivilege	1948	Insidious.exe

pid	process
1260	БХ.exe

pid	process
1260	БХ.exe

pid	process
1260	БХ.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Auto Block.exe

description	pid	process	target process
PID 1784 wrote to memory of 1948	1784	Auto Block.exe	Insidious.exe
PID 1784 wrote to memory of 1948	1784	Auto Block.exe	Insidious.exe
PID 1784 wrote to memory of 1948	1784	Auto Block.exe	Insidious.exe
PID 1784 wrote to memory of 1948	1784	Auto Block.exe	Insidious.exe
PID 1784 wrote to memory of 1260	1784	Auto Block.exe	БХ.exe
PID 1784 wrote to memory of 1260	1784	Auto Block.exe	БХ.exe
PID 1784 wrote to memory of 1260	1784	Auto Block.exe	БХ.exe
PID 1784 wrote to memory of 1260	1784	Auto Block.exe	БХ.exe

C:\Users\Admin\AppData\Local\Temp\Auto Block.exe
"C:\Users\Admin\AppData\Local\Temp\Auto Block.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Users\Admin\AppData\Local\Temp\БХ.exe
"C:\Users\Admin\AppData\Local\Temp\БХ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
9dff4650d113fe21dcc45c13ef90defd

SHA1
1d45ce5878d6ed0ac9b03588a9aafad752e15db3

SHA256
ba8e080a84946ed54cb2b10247081c845c72f1c9809258a643c6e8aeff0e3d99

SHA512
8b37d92863ed81fd53268800f745766b43e57b502140ad1a394e0be069f3a2631e01947e79712cba3575ee0aa59081bd1461ecfa606aae3e2331706477b02f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
9dff4650d113fe21dcc45c13ef90defd

SHA1
1d45ce5878d6ed0ac9b03588a9aafad752e15db3

SHA256
ba8e080a84946ed54cb2b10247081c845c72f1c9809258a643c6e8aeff0e3d99

SHA512
8b37d92863ed81fd53268800f745766b43e57b502140ad1a394e0be069f3a2631e01947e79712cba3575ee0aa59081bd1461ecfa606aae3e2331706477b02f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\БХ.exe

Filesize
1.2MB

MD5
5fdb43b73957e39125b2005848c23b82

SHA1
0769336c1254b44b87c7ec881f73c149ba95d406

SHA256
454a12fe83683aede8ee95934b45d7cb4ecde8315496b42e280614dca3b6c299

SHA512
5a623d429be286f4c95c0597e766a5723002d752a93eec5f709bc9ce28309dbbe5cdb2cf118360ad607480d5d862ad67d76fdeedadf026d5649777bdf6f7aad0

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
9dff4650d113fe21dcc45c13ef90defd

SHA1
1d45ce5878d6ed0ac9b03588a9aafad752e15db3

SHA256
ba8e080a84946ed54cb2b10247081c845c72f1c9809258a643c6e8aeff0e3d99

SHA512
8b37d92863ed81fd53268800f745766b43e57b502140ad1a394e0be069f3a2631e01947e79712cba3575ee0aa59081bd1461ecfa606aae3e2331706477b02f17

Download Submit
\Users\Admin\AppData\Local\Temp\БХ.exe

Filesize
1.2MB

MD5
5fdb43b73957e39125b2005848c23b82

SHA1
0769336c1254b44b87c7ec881f73c149ba95d406

SHA256
454a12fe83683aede8ee95934b45d7cb4ecde8315496b42e280614dca3b6c299

SHA512
5a623d429be286f4c95c0597e766a5723002d752a93eec5f709bc9ce28309dbbe5cdb2cf118360ad607480d5d862ad67d76fdeedadf026d5649777bdf6f7aad0

Download Submit
memory/1260-62-0x0000000000000000-mapping.dmp

Download
memory/1260-64-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1784-54-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/1784-55-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1948-57-0x0000000000000000-mapping.dmp

Download
memory/1948-60-0x00000000009D0000-0x0000000000A1A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing