44caliber | 24803b2f05f7eaa2d0d13c5655987459ef3ee8169d83be8c78683d70de95ddc0

General

Target

fe7fc1c78b51d7a796562e09b0695353.exe
Size

5.1MB
MD5

fe7fc1c78b51d7a796562e09b0695353
SHA1

2df2d7b7edc5db2a94ad4428a7fd354650bfe49d
SHA256

24803b2f05f7eaa2d0d13c5655987459ef3ee8169d83be8c78683d70de95ddc0
SHA512

5d17f20a5a74aab071c5ee0cc98200d46487734dc899d9bae623ae34e5664aa0b315d9178cfee1b8500a3564197bcdd749e428c9832ba2a749e06d1ed2b22607
SSDEEP

98304:n4jbjW+MvAuGdozQQQYeclr+UiO58O72LHozpAsRS1FsQvsw0R:abjhxgHeclA08OAIzpRo1SN

Score

10^/10

44caliber spyware stealer vmprotect

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/892778422043041873/gYqLiMf-cpigl0WIlIn8gWAFktijHzZBx8-bcU6yxyaLimlCeY0552wy36J78fXd1Na8

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 2 IoCs

Processes:

Insidious.exeNetsh Gang Bat.exe

pid process

2924 Insidious.exe
2444 Netsh Gang Bat.exe
Loads dropped DLL 3 IoCs

Processes:

fe7fc1c78b51d7a796562e09b0695353.exe

pid process

2496 fe7fc1c78b51d7a796562e09b0695353.exe
2496 fe7fc1c78b51d7a796562e09b0695353.exe
2484
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2924	Insidious.exe
2444	Netsh Gang Bat.exe

pid	process
2496	fe7fc1c78b51d7a796562e09b0695353.exe
2496	fe7fc1c78b51d7a796562e09b0695353.exe
2484

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2496-2-0x0000000000400000-0x0000000000C57000-memory.dmp	vmprotect
behavioral1/memory/2496-12-0x0000000000400000-0x0000000000C57000-memory.dmp	vmprotect
behavioral1/memory/2496-25-0x0000000000400000-0x0000000000C57000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
2 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

fe7fc1c78b51d7a796562e09b0695353.exe

pid process

2496 fe7fc1c78b51d7a796562e09b0695353.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
3	freegeoip.app
2	freegeoip.app

pid	process
2496	fe7fc1c78b51d7a796562e09b0695353.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

fe7fc1c78b51d7a796562e09b0695353.exeInsidious.exe

pid process

2496 fe7fc1c78b51d7a796562e09b0695353.exe
2924 Insidious.exe
2924 Insidious.exe
2924 Insidious.exe
2924 Insidious.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious.exe

description pid process

Token: SeDebugPrivilege 2924 Insidious.exe

pid	process
2496	fe7fc1c78b51d7a796562e09b0695353.exe
2924	Insidious.exe
2924	Insidious.exe
2924	Insidious.exe
2924	Insidious.exe

description	pid	process
Token: SeDebugPrivilege	2924	Insidious.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fe7fc1c78b51d7a796562e09b0695353.exe

description	pid	process	target process
PID 2496 wrote to memory of 2924	2496	fe7fc1c78b51d7a796562e09b0695353.exe	Insidious.exe
PID 2496 wrote to memory of 2924	2496	fe7fc1c78b51d7a796562e09b0695353.exe	Insidious.exe
PID 2496 wrote to memory of 2924	2496	fe7fc1c78b51d7a796562e09b0695353.exe	Insidious.exe
PID 2496 wrote to memory of 2924	2496	fe7fc1c78b51d7a796562e09b0695353.exe	Insidious.exe
PID 2496 wrote to memory of 2444	2496	fe7fc1c78b51d7a796562e09b0695353.exe	Netsh Gang Bat.exe
PID 2496 wrote to memory of 2444	2496	fe7fc1c78b51d7a796562e09b0695353.exe	Netsh Gang Bat.exe
PID 2496 wrote to memory of 2444	2496	fe7fc1c78b51d7a796562e09b0695353.exe	Netsh Gang Bat.exe
PID 2496 wrote to memory of 2444	2496	fe7fc1c78b51d7a796562e09b0695353.exe	Netsh Gang Bat.exe

C:\Users\Admin\AppData\Local\Temp\fe7fc1c78b51d7a796562e09b0695353.exe
"C:\Users\Admin\AppData\Local\Temp\fe7fc1c78b51d7a796562e09b0695353.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe
"C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe"
2⤵
- Executes dropped EXE
PID:2444

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
136KB

MD5
4f1f86508659e90a83626016d5ad6dca

SHA1
3a0e2825263f7467c8769fc95f445be9f9df9dd0

SHA256
4090c811f71b5d3cd36a31138971b974ad4dce8d3ca9bc1be7928f1653333c7a

SHA512
3e81bfd1fbc9685c81e1728822969da7c087757087d2fa335c952a4365add3b5e7856c0c582d0e3c619b067d05bcfa88acca735b6d816d78e8c8fafdbdd01537

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
78KB

MD5
dc602000a4582c9d5fd1455ae8c67885

SHA1
f3510b1ec43b1fbf594d8769fd31b659c3cc5fbb

SHA256
3bc955d726497f396688b72e9efb1af6d14af3a3e06d483f28ca0547a247f37a

SHA512
2dde989b423b587c66ed85bb55f9f12ec91533dd1ede2ddfb287ce096b0bcac1de7f99f4db4df813de437c9fa53c7f3673c51d5bedb61c289271917ce504278d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe

Filesize
122KB

MD5
22f7d003c8304329e091ec4d12da5936

SHA1
0d96344082ad8a05c4d811522776cfeefe3fa2b0

SHA256
c97ab40a01f9c6fb2a866134f401bb5d86f4a9d97b28bd1d81d95704099f91fd

SHA512
fbb352838a5202b2e9ba1ac951a47f4734609a457a8a8419efea5bd768599be8e54095546b954ba68d7e1b7eebe6b220fc2d50201538bdf123eb21eb152b5782

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
133KB

MD5
1e3fcd0fab58510599891c0dbd662e58

SHA1
bcf072bc3a0e613dcf147ef323dee04ffc3f6bd2

SHA256
4cd1f2a5fe09b6b99846b64afee77327c3b415f1e9e44b41aa916b3b8a26c070

SHA512
9957b1cb55ef5d0d397e7ffe61ddc48b32a74d8d00521ee59e2829dedd12e5622ced051cc89c05cdef5793f2b409099c40ac8f2f673baa6ca243035e26c16f6f

Download Submit
\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe

Filesize
57KB

MD5
138493ef4aa7cb8339bd40d3667644db

SHA1
707e44541288cca6136f00c056a4df8c1a526ccd

SHA256
e93bde086a694de4f86f058d771ae69a5f82559517073cac3e5684057592ec62

SHA512
e7c666ba69dbef05fc480e641da5c6b5722d24090992edab28a6cf7e6d03caaafcdcc9b02c4a6fc52ff8c15c5b08f0b7429695208c286d82e418dc3d43a07bbb

Download Submit
\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe

Filesize
65KB

MD5
3cb2092468a3c30a0ee401773f9733a3

SHA1
608c23bd5511b9852eab02ddb5134e8291c66d2a

SHA256
68c13cf3cf4349196566f0c34a28a318c7796125b4c589600ae9bbeea50b3384

SHA512
63932ea227a140640fb22cfe5287dacdad78d3b6f292c78d0d4bf18ca3cb71bb608a0aecba65856bfc8149a05d8dfc233f620f0b89d877454df1db01bc75e695

Download Submit
memory/2496-25-0x0000000000400000-0x0000000000C57000-memory.dmp

Filesize
8.3MB

Download
memory/2496-9-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2496-12-0x0000000000400000-0x0000000000C57000-memory.dmp

Filesize
8.3MB

Download
memory/2496-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2496-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2496-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2496-11-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2496-6-0x0000000077980000-0x0000000077981000-memory.dmp

Filesize
4KB

Download
memory/2496-2-0x0000000000400000-0x0000000000C57000-memory.dmp

Filesize
8.3MB

Download
memory/2496-3-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2924-26-0x00000000010F0000-0x000000000113A000-memory.dmp

Filesize
296KB

Download
memory/2924-27-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download
memory/2924-28-0x0000000000EA0000-0x0000000000F20000-memory.dmp

Filesize
512KB

Download
memory/2924-77-0x000007FEF5B90000-0x000007FEF657C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads