44caliber | 1a7c622544bc7fce75780a488bbf9d66a68176405c40d196a7afb7124244bd41

General

Target

WexSide Crack.exe
Size

718KB
MD5

e5701891f96e5727971f223551b64f45
SHA1

dcc476ee7b6c9bb75195c1ab81512d5c6efacd40
SHA256

1a7c622544bc7fce75780a488bbf9d66a68176405c40d196a7afb7124244bd41
SHA512

2c8a44b882bce13e226ab0a7941c57a8b383c793626cf15a16e81abbcaa033b78a536cbeb03e2bdbd4c923102bb6d967f90e4cc38570fb2f5ebd32706da9e998
SSDEEP

12288:jccr2M0k0CTUxid6rfBCWxskGxo5PlAXY5sMIGH/c4j:IcpBjN6rfBCWmx42I5HIGfcY

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/1049356312187772968/RhGBI5VRUa2070gE61YTrZzr1G_QOPG0A5RvRIUDuTemlVPlposGOfVeFkkYgdFFQO5I

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WexSide Crack.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	WexSide Crack.exe

Executes dropped EXE 2 IoCs

Processes:

Insidious.exeloader.exe

pid process

1300 Insidious.exe
208 loader.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 freegeoip.app
17 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1300	Insidious.exe
208	loader.exe

flow	ioc
16	freegeoip.app
17	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Insidious.exe

pid process

1300 Insidious.exe
1300 Insidious.exe
1300 Insidious.exe
1300 Insidious.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious.exe

description pid process

Token: SeDebugPrivilege 1300 Insidious.exe

pid	process
1300	Insidious.exe
1300	Insidious.exe
1300	Insidious.exe
1300	Insidious.exe

description	pid	process
Token: SeDebugPrivilege	1300	Insidious.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

WexSide Crack.exeloader.exe

description	pid	process	target process
PID 4628 wrote to memory of 1300	4628	WexSide Crack.exe	Insidious.exe
PID 4628 wrote to memory of 1300	4628	WexSide Crack.exe	Insidious.exe
PID 4628 wrote to memory of 208	4628	WexSide Crack.exe	loader.exe
PID 4628 wrote to memory of 208	4628	WexSide Crack.exe	loader.exe
PID 4628 wrote to memory of 208	4628	WexSide Crack.exe	loader.exe
PID 208 wrote to memory of 4068	208	loader.exe	javaw.exe
PID 208 wrote to memory of 4068	208	loader.exe	javaw.exe

C:\Users\Admin\AppData\Local\Temp\WexSide Crack.exe
"C:\Users\Admin\AppData\Local\Temp\WexSide Crack.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    PID:4068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
1f80822d1dee6fd72b631b49e3c162a6

SHA1
ec6d5a98eec60beb779a6fb3d0bc64ba290fcc04

SHA256
eb50a68f7be55f9aa7e124e7a7fb7b98669918c17952ed58dc29cd1339860e50

SHA512
b1252dc716c796d9c488efd528763e14441e94747ead9b2570b252658bfe52cb12920cb0bcdc104bf063ff52a1cdb3c6e9460e74d98b4c26a1abcc3499463b4d

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
1f80822d1dee6fd72b631b49e3c162a6

SHA1
ec6d5a98eec60beb779a6fb3d0bc64ba290fcc04

SHA256
eb50a68f7be55f9aa7e124e7a7fb7b98669918c17952ed58dc29cd1339860e50

SHA512
b1252dc716c796d9c488efd528763e14441e94747ead9b2570b252658bfe52cb12920cb0bcdc104bf063ff52a1cdb3c6e9460e74d98b4c26a1abcc3499463b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
082a96ffc0b5c79bba76f7614a855ee3

SHA1
b44a3ced7c9db4dc25ff5235d2b8e7ffb64200f7

SHA256
ee8cec604cd3b8273898f378a6a9490b7d530df3d7841c22b41b003d688543a9

SHA512
85dc97673d1967670e953897d51a9ca012860759a27b15d4668fb961184ecf2e49a7c32216bede507246828c4aa114eb8b04bec4579b096b38d0fa0f7603b526

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
082a96ffc0b5c79bba76f7614a855ee3

SHA1
b44a3ced7c9db4dc25ff5235d2b8e7ffb64200f7

SHA256
ee8cec604cd3b8273898f378a6a9490b7d530df3d7841c22b41b003d688543a9

SHA512
85dc97673d1967670e953897d51a9ca012860759a27b15d4668fb961184ecf2e49a7c32216bede507246828c4aa114eb8b04bec4579b096b38d0fa0f7603b526

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
082a96ffc0b5c79bba76f7614a855ee3

SHA1
b44a3ced7c9db4dc25ff5235d2b8e7ffb64200f7

SHA256
ee8cec604cd3b8273898f378a6a9490b7d530df3d7841c22b41b003d688543a9

SHA512
85dc97673d1967670e953897d51a9ca012860759a27b15d4668fb961184ecf2e49a7c32216bede507246828c4aa114eb8b04bec4579b096b38d0fa0f7603b526

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
610KB

MD5
1ff7c7c08621c82d68330f0f5a15fb46

SHA1
2930047d59c82f2c943bbbe766389474995617a7

SHA256
479c4f5c81bf090205a00f953c03400c3a411c731caffa75b67c280a4cbe5c81

SHA512
491ad95296a048b1fc609d8c9ceb8ba4383f8b452a8c273d9d869539adb2f7f8c343d9072acf4a86d4c0d9d679e7da6dcb8527484a728e3c32fb1c0f42370e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
610KB

MD5
1ff7c7c08621c82d68330f0f5a15fb46

SHA1
2930047d59c82f2c943bbbe766389474995617a7

SHA256
479c4f5c81bf090205a00f953c03400c3a411c731caffa75b67c280a4cbe5c81

SHA512
491ad95296a048b1fc609d8c9ceb8ba4383f8b452a8c273d9d869539adb2f7f8c343d9072acf4a86d4c0d9d679e7da6dcb8527484a728e3c32fb1c0f42370e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
610KB

MD5
1ff7c7c08621c82d68330f0f5a15fb46

SHA1
2930047d59c82f2c943bbbe766389474995617a7

SHA256
479c4f5c81bf090205a00f953c03400c3a411c731caffa75b67c280a4cbe5c81

SHA512
491ad95296a048b1fc609d8c9ceb8ba4383f8b452a8c273d9d869539adb2f7f8c343d9072acf4a86d4c0d9d679e7da6dcb8527484a728e3c32fb1c0f42370e67

Download Submit
memory/208-158-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1300-287-0x00000229628F0000-0x0000022962A99000-memory.dmp

Filesize
1.7MB

Download
memory/1300-157-0x00000229480B0000-0x00000229480FA000-memory.dmp

Filesize
296KB

Download
memory/1300-187-0x0000022949D30000-0x0000022949D40000-memory.dmp

Filesize
64KB

Download
memory/1300-307-0x00000229628F0000-0x0000022962A99000-memory.dmp

Filesize
1.7MB

Download
memory/4068-281-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4068-282-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4068-387-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4068-389-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4068-395-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4068-397-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4068-401-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/4068-405-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads