44caliber | a02597bfc372534884c7ce8bcab08d0c09c3d52cd8eef83b9b90115bc97a402c

Analysis

max time kernel
92s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2023 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

705927ee5d2f040542d751bf7fdc9507.exe
Size

3.2MB
MD5

705927ee5d2f040542d751bf7fdc9507
SHA1

af6d69dc1f71db1a1665d9cf2f0244ba66af09f0
SHA256

a02597bfc372534884c7ce8bcab08d0c09c3d52cd8eef83b9b90115bc97a402c
SHA512

507403aa3bcdb02778e19efb3bd2b0c12bb6d2a7e0a0d86c0e09c0891e873e26551b169fc5178675fbe5e80784d07a50296d8b5719192df8847b9bf0e9644409
SSDEEP

98304:Rv2SvaBNcLJgOhxEZv140mwijiXQjv4Fg:0AyNcmsE/4hjiXQjgS

Score

10^/10

44caliber evasion spyware stealer themida trojan

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/894942702326677514/imJ4lUzTMjTxjg87EEJcDzxrAj6U6amcp4yRwcfUvSVVePmrzxPj_IrqfdM_lnSBl-27

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	705927ee5d2f040542d751bf7fdc9507.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	705927ee5d2f040542d751bf7fdc9507.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	705927ee5d2f040542d751bf7fdc9507.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	705927ee5d2f040542d751bf7fdc9507.exe

Executes dropped EXE 1 IoCs

pid	Process
3192	Insidious.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2120-11-0x0000000000CC0000-0x000000000151A000-memory.dmp	themida
behavioral2/memory/2120-12-0x0000000000CC0000-0x000000000151A000-memory.dmp	themida
behavioral2/memory/2120-30-0x0000000000CC0000-0x000000000151A000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	705927ee5d2f040542d751bf7fdc9507.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	freegeoip.app
31	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2120	705927ee5d2f040542d751bf7fdc9507.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3192	Insidious.exe
3192	Insidious.exe
3192	Insidious.exe
3192	Insidious.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	Insidious.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 3192	2120	705927ee5d2f040542d751bf7fdc9507.exe	95
PID 2120 wrote to memory of 3192	2120	705927ee5d2f040542d751bf7fdc9507.exe	95

C:\Users\Admin\AppData\Local\Temp\705927ee5d2f040542d751bf7fdc9507.exe
"C:\Users\Admin\AppData\Local\Temp\705927ee5d2f040542d751bf7fdc9507.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
155KB

MD5
07588c23a15d617b732a75ce3ae65a83

SHA1
00569ee3babe83f98b462e7efeda336a62a72c73

SHA256
ec28a4e3723802ac4675bf93df9a26063ce0a0dfbed9404cb47dbd3c64670a0c

SHA512
e0ecf4d3aa87522069c48a31c2d1e60fe52d9f6f313f4241095431be9135642a07d9c74583b42770e7389dd125d58c695072b55afb4d25e31ad4b982452aa62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
97KB

MD5
b788ce261af4d10e6292d36e11ea07c7

SHA1
0ca67d6f3c59ef792b44dbe3a00146d03d1d0f39

SHA256
b181ba1f6fe4b9d5584a4e5158b637c1362ebf0f1d95337458891fd230271918

SHA512
33de36066f8952bfbe87840d240650650ea57ca409e156dfa8950b6030eec1c1519d10716e21640ed5b5c1a1745eaf5509e13d68c1b3746dcf06ac4d74833c8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
200KB

MD5
bf1dd710f39385a106c61a7a226c8fe9

SHA1
2f854ccb5c7b70d5c23686419737debc201f394c

SHA256
96ad99046aa967377cc72d79912b01f01e5caf11a82cf64691178ddb4b913360

SHA512
9859752ce398c6a7f64d3afb8c3667fd1b5e03b21d9af1878bab35ed2bd99912453d7291771d51492875e5ee4e8661ced757dcdf610869e558ae85c467c97a5c

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
d2284ca0304e602735e791f1082328c6

SHA1
d1bcfd2d3552be6b8c5e6fb6d1366dc8c09de91b

SHA256
b9bb9f945a1d4ad277336368dcc17a227db80b9f199ae32533e1342809fb9a6b

SHA512
d8a9e25ad38e4754a6649bd4496ef47f14b037a8120f81fd221283af46686dae69936e8e18cc7ab11ec293c408e0d38c6695f8a5371b937c5a889ced2ea2e220

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
488B

MD5
1aa29b20af4c418c0f61cbb3cd23efe4

SHA1
d33fc1fe2d1feb44165c14e08080c34edd12be7b

SHA256
312d3c6909764336775ecb24865d46e9ed0f27e5c133c9cde2a10d4560309ac3

SHA512
b0d9816fc6baac7f7ea85aee1714cf345ef27e5de458297c14689cd70fd0400c8cc29ca9fd99ee23f565a26e0a52cbf6dce44a7ffc9daac4896010e6a302c3ec

Download Submit
memory/2120-5-0x0000000075E10000-0x0000000075F00000-memory.dmp

Filesize
960KB

Download
memory/2120-40-0x0000000075E10000-0x0000000075F00000-memory.dmp

Filesize
960KB

Download
memory/2120-7-0x0000000077914000-0x0000000077916000-memory.dmp

Filesize
8KB

Download
memory/2120-11-0x0000000000CC0000-0x000000000151A000-memory.dmp

Filesize
8.4MB

Download
memory/2120-12-0x0000000000CC0000-0x000000000151A000-memory.dmp

Filesize
8.4MB

Download
memory/2120-13-0x00000000066C0000-0x0000000006C64000-memory.dmp

Filesize
5.6MB

Download
memory/2120-14-0x00000000061B0000-0x0000000006242000-memory.dmp

Filesize
584KB

Download
memory/2120-0-0x0000000000CC0000-0x000000000151A000-memory.dmp

Filesize
8.4MB

Download
memory/2120-4-0x0000000075E10000-0x0000000075F00000-memory.dmp

Filesize
960KB

Download
memory/2120-1-0x0000000075E10000-0x0000000075F00000-memory.dmp

Filesize
960KB

Download
memory/2120-2-0x0000000075E10000-0x0000000075F00000-memory.dmp

Filesize
960KB

Download
memory/2120-30-0x0000000000CC0000-0x000000000151A000-memory.dmp

Filesize
8.4MB

Download
memory/2120-3-0x0000000075E10000-0x0000000075F00000-memory.dmp

Filesize
960KB

Download
memory/2120-6-0x0000000075E10000-0x0000000075F00000-memory.dmp

Filesize
960KB

Download
memory/3192-58-0x000000001AB00000-0x000000001AB10000-memory.dmp

Filesize
64KB

Download
memory/3192-41-0x00007FFEA5F30000-0x00007FFEA69F1000-memory.dmp

Filesize
10.8MB

Download
memory/3192-29-0x0000000000040000-0x000000000008A000-memory.dmp

Filesize
296KB

Download
memory/3192-155-0x00007FFEA5F30000-0x00007FFEA69F1000-memory.dmp

Filesize
10.8MB

Download