Malware Analysis Report

2024-11-13 14:22

Sample ID: 220617-wmfhqachbm
Target: Auto Block.exe.vir
SHA256: 98f61a34d1b53907d24096b09b5530b80ca42ce9dd4c50eafcc6fab3f45a0119
Tags: 44caliber, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 98f61a34d1b53907d24096b09b5530b80ca42ce9dd4c50eafcc6fab3f45a0119

Threat Level: Known bad

The file Auto Block.exe.vir was found to be: Known bad.

Malicious Activity Summary

44caliber spyware stealer

44Caliber

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies registry class

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-06-17 18:02

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-17 18:02
Reported: 2022-06-17 18:04
Platform: win10v2004-20220414-en
Max time kernel: 61s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Auto Block.exe"

Signatures

44Caliber

Tags: stealer, 44caliber

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\БХ.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Auto Block.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Auto Block.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\БХ.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\БХ.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\БХ.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Auto Block.exe

"C:\Users\Admin\AppData\Local\Temp\Auto Block.exe"

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"

C:\Users\Admin\AppData\Local\Temp\БХ.exe

"C:\Users\Admin\AppData\Local\Temp\БХ.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | freegeoip.app | udp
US | 188.114.97.0:443 | freegeoip.app | tcp
US | 8.8.8.8:53 | ipbase.com | udp
US | 75.2.60.5:443 | ipbase.com | tcp

Files

memory/916-130-0x0000000000400000-0x000000000062F000-memory.dmp

memory/1088-131-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

MD5 9dff4650d113fe21dcc45c13ef90defd
SHA1 1d45ce5878d6ed0ac9b03588a9aafad752e15db3
SHA256 ba8e080a84946ed54cb2b10247081c845c72f1c9809258a643c6e8aeff0e3d99
SHA512 8b37d92863ed81fd53268800f745766b43e57b502140ad1a394e0be069f3a2631e01947e79712cba3575ee0aa59081bd1461ecfa606aae3e2331706477b02f17

memory/1088-134-0x000002045ED20000-0x000002045ED6A000-memory.dmp

memory/1088-135-0x00007FF902350000-0x00007FF902E11000-memory.dmp

memory/1088-136-0x00007FF902350000-0x00007FF902E11000-memory.dmp

memory/4056-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\БХ.exe

MD5 5fdb43b73957e39125b2005848c23b82
SHA1 0769336c1254b44b87c7ec881f73c149ba95d406
SHA256 454a12fe83683aede8ee95934b45d7cb4ecde8315496b42e280614dca3b6c299
SHA512 5a623d429be286f4c95c0597e766a5723002d752a93eec5f709bc9ce28309dbbe5cdb2cf118360ad607480d5d862ad67d76fdeedadf026d5649777bdf6f7aad0

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-17 18:02
Reported: 2022-06-17 18:04
Platform: win7-20220414-en
Max time kernel: 43s
Max time network: 45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Auto Block.exe"

Signatures

44Caliber

Tags: stealer, 44caliber

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\БХ.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Auto Block.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Auto Block.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\БХ.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\БХ.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\БХ.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Auto Block.exe

"C:\Users\Admin\AppData\Local\Temp\Auto Block.exe"

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"

C:\Users\Admin\AppData\Local\Temp\БХ.exe

"C:\Users\Admin\AppData\Local\Temp\БХ.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | freegeoip.app | udp
US | 188.114.97.0:443 | freegeoip.app | tcp
US | 8.8.8.8:53 | ipbase.com | udp
US | 75.2.60.5:443 | ipbase.com | tcp

Files

memory/1784-54-0x0000000000400000-0x000000000062F000-memory.dmp

memory/1784-55-0x00000000765F1000-0x00000000765F3000-memory.dmp

\Users\Admin\AppData\Local\Temp\Insidious.exe

MD5 9dff4650d113fe21dcc45c13ef90defd
SHA1 1d45ce5878d6ed0ac9b03588a9aafad752e15db3
SHA256 ba8e080a84946ed54cb2b10247081c845c72f1c9809258a643c6e8aeff0e3d99
SHA512 8b37d92863ed81fd53268800f745766b43e57b502140ad1a394e0be069f3a2631e01947e79712cba3575ee0aa59081bd1461ecfa606aae3e2331706477b02f17

memory/1948-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

MD5 9dff4650d113fe21dcc45c13ef90defd
SHA1 1d45ce5878d6ed0ac9b03588a9aafad752e15db3
SHA256 ba8e080a84946ed54cb2b10247081c845c72f1c9809258a643c6e8aeff0e3d99
SHA512 8b37d92863ed81fd53268800f745766b43e57b502140ad1a394e0be069f3a2631e01947e79712cba3575ee0aa59081bd1461ecfa606aae3e2331706477b02f17

memory/1948-60-0x00000000009D0000-0x0000000000A1A000-memory.dmp

\Users\Admin\AppData\Local\Temp\БХ.exe

MD5 5fdb43b73957e39125b2005848c23b82
SHA1 0769336c1254b44b87c7ec881f73c149ba95d406
SHA256 454a12fe83683aede8ee95934b45d7cb4ecde8315496b42e280614dca3b6c299
SHA512 5a623d429be286f4c95c0597e766a5723002d752a93eec5f709bc9ce28309dbbe5cdb2cf118360ad607480d5d862ad67d76fdeedadf026d5649777bdf6f7aad0

memory/1260-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\БХ.exe

MD5 5fdb43b73957e39125b2005848c23b82
SHA1 0769336c1254b44b87c7ec881f73c149ba95d406
SHA256 454a12fe83683aede8ee95934b45d7cb4ecde8315496b42e280614dca3b6c299
SHA512 5a623d429be286f4c95c0597e766a5723002d752a93eec5f709bc9ce28309dbbe5cdb2cf118360ad607480d5d862ad67d76fdeedadf026d5649777bdf6f7aad0

memory/1260-64-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp