44caliber | d5c05da57fa20048e35e6ef498b3dd0bcb92eaea3997e8a7009b38b8a15c4e86

Analysis

max time kernel
161s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Yandex.exe
Size

274KB
MD5

40e3881d6c0898f6a5c24940b54a69a2
SHA1

f3da392ee4fb703255eff7ee8a83f23c2bb02987
SHA256

d5c05da57fa20048e35e6ef498b3dd0bcb92eaea3997e8a7009b38b8a15c4e86
SHA512

9013a696cda9be776f0a5ee66aece8716662121e69c5be056c8567eabed8fea91641e50714962438efb57da1b1ff1d4a2c3211e65be10a9e7833e647f700eb8b
SSDEEP

6144:ef+BLtABPDMtBBfn1Y0gIoHOQZafTy8lI1D0Cbg:1tVvgIoHO+x1DRg

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1155120137612034188/cdy5wHbWmzOOyiX6nZbn5OlBuBidB8er7f1281hl7JRUP1iVFGnh9s57SwGqJtsdtgrx

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 freegeoip.app
10 freegeoip.app

flow	ioc
9	freegeoip.app
10	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Yandex.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Yandex.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Yandex.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Yandex.exe

pid process

3676 Yandex.exe
3676 Yandex.exe
3676 Yandex.exe
3676 Yandex.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Yandex.exe

description pid process

Token: SeDebugPrivilege 3676 Yandex.exe

pid	process
3676	Yandex.exe
3676	Yandex.exe
3676	Yandex.exe
3676	Yandex.exe

description	pid	process
Token: SeDebugPrivilege	3676	Yandex.exe

C:\Users\Admin\AppData\Local\Temp\Yandex.exe
"C:\Users\Admin\AppData\Local\Temp\Yandex.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
463B

MD5
c8b6d2243bfffbcfd18dc929b1e94a1e

SHA1
4f0cb94a9debf5eab3fddedc67ca675bb61426a7

SHA256
89141eda5155d99eb35fe083dad90ff17d0e2e135786b0d6b5804dea258c8223

SHA512
086d9093a4eb82c17c76a66531bd98c063a6dc36be6f53bdcc0403372f49c19d32e97a352bfe30ea06127941db6ceb9d994bb4ca5d6fe52ab8c9f7a0d0450830

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
756B

MD5
dfa4c0e72be71d5ce1f5ac3e58a4450a

SHA1
6a3160bef3964130974b610ba2bad16a817fad99

SHA256
194d6164d9f89b5edb0a2869c31c46b432be9cac1844e7d4edf3a1f9a8692e34

SHA512
8f14778caa86ad0083b7443727a13aa5f2567e2b5ad2fc3dbfc0df05c586cc2061d715fb11f01964d0c8e2c7465ba31c42d42aaf565ea5ceec8d2b1aa45dfda2

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
57eb49fb12610fd50cfd0b9bddbb1e82

SHA1
92b7991c8fe48fc15728ef3e4d2d810ca38c8361

SHA256
a35b2d6f3f915b0bf371eca17844e79ddc263077c549d4ae519b105c0932fc4b

SHA512
ef2e1d89031cd31577aa623272bb513924a622107bef14868ea2c75454eee7d520f36e01868e8aabaa472cee5fcbc24db764417492d4f4b9a7200a265475125b

Download Submit
memory/3676-0-0x0000020606820000-0x000002060686A000-memory.dmp

Filesize
296KB

Download
memory/3676-19-0x00007FF9DC950000-0x00007FF9DD411000-memory.dmp

Filesize
10.8MB

Download
memory/3676-20-0x0000020608640000-0x0000020608650000-memory.dmp

Filesize
64KB

Download
memory/3676-121-0x00007FF9DC950000-0x00007FF9DD411000-memory.dmp

Filesize
10.8MB

Download