44caliber | 24803b2f05f7eaa2d0d13c5655987459ef3ee8169d83be8c78683d70de95ddc0

Analysis

max time kernel
93s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe7fc1c78b51d7a796562e09b0695353.exe
Size

5.1MB
MD5

fe7fc1c78b51d7a796562e09b0695353
SHA1

2df2d7b7edc5db2a94ad4428a7fd354650bfe49d
SHA256

24803b2f05f7eaa2d0d13c5655987459ef3ee8169d83be8c78683d70de95ddc0
SHA512

5d17f20a5a74aab071c5ee0cc98200d46487734dc899d9bae623ae34e5664aa0b315d9178cfee1b8500a3564197bcdd749e428c9832ba2a749e06d1ed2b22607
SSDEEP

98304:n4jbjW+MvAuGdozQQQYeclr+UiO58O72LHozpAsRS1FsQvsw0R:abjhxgHeclA08OAIzpRo1SN

Score

10^/10

44caliber spyware stealer vmprotect

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/892778422043041873/gYqLiMf-cpigl0WIlIn8gWAFktijHzZBx8-bcU6yxyaLimlCeY0552wy36J78fXd1Na8

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fe7fc1c78b51d7a796562e09b0695353.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	fe7fc1c78b51d7a796562e09b0695353.exe

Executes dropped EXE 2 IoCs

Processes:

Insidious.exeNetsh Gang Bat.exe

pid process

1340 Insidious.exe
4428 Netsh Gang Bat.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1340	Insidious.exe
4428	Netsh Gang Bat.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3160-3-0x0000000000400000-0x0000000000C57000-memory.dmp	vmprotect
behavioral2/memory/3160-2-0x0000000000400000-0x0000000000C57000-memory.dmp	vmprotect
behavioral2/memory/3160-24-0x0000000000400000-0x0000000000C57000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 freegeoip.app
14 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

fe7fc1c78b51d7a796562e09b0695353.exe

pid process

3160 fe7fc1c78b51d7a796562e09b0695353.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
13	freegeoip.app
14	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

fe7fc1c78b51d7a796562e09b0695353.exeInsidious.exe

pid	process
3160	fe7fc1c78b51d7a796562e09b0695353.exe
3160	fe7fc1c78b51d7a796562e09b0695353.exe
1340	Insidious.exe
1340	Insidious.exe
1340	Insidious.exe
1340	Insidious.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious.exe

description pid process

Token: SeDebugPrivilege 1340 Insidious.exe

description	pid	process
Token: SeDebugPrivilege	1340	Insidious.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

fe7fc1c78b51d7a796562e09b0695353.exe

description	pid	process	target process
PID 3160 wrote to memory of 1340	3160	fe7fc1c78b51d7a796562e09b0695353.exe	Insidious.exe
PID 3160 wrote to memory of 1340	3160	fe7fc1c78b51d7a796562e09b0695353.exe	Insidious.exe
PID 3160 wrote to memory of 4428	3160	fe7fc1c78b51d7a796562e09b0695353.exe	Netsh Gang Bat.exe
PID 3160 wrote to memory of 4428	3160	fe7fc1c78b51d7a796562e09b0695353.exe	Netsh Gang Bat.exe

C:\Users\Admin\AppData\Local\Temp\fe7fc1c78b51d7a796562e09b0695353.exe
"C:\Users\Admin\AppData\Local\Temp\fe7fc1c78b51d7a796562e09b0695353.exe"
1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe
"C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe"
2⤵
- Executes dropped EXE
PID:4428

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
183KB

MD5
72cfff0a85b017939951cfc84f6353ea

SHA1
29fb5700e1b72ed79e664db156531b2d6249b2d1

SHA256
dd1a8de1e8cd1684229e9920cdc91c7aa90b3328b22067449f021ebc423906e0

SHA512
66422558e7de99a224d6f710cd1eba2333d6fa5060b983d75f1c3d4c9dae88ec9560878d3184d5e46d6778fd97ebab38e4694a869b8a4ce72dac081b483514a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
274KB

MD5
2449b1ed616ff673f7207683e618c36a

SHA1
2324a0a9228eb38895256f6e4b38508e3ad3fbf9

SHA256
a01857befcc1726e1026037eefaede516b0ade74ed196cb87c2bf4ee17096923

SHA512
84789d137c3a1617aa670d72296a5346d9f341d4a9bad20336bce1a36452272a6b5aac0f340bf3e6642329146685ad21de8e12962863bf1d9c698f6c6cbdb886

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
224KB

MD5
de85d9add9558c1f75ff7e4468b5f66a

SHA1
7ed3e9f9ed50a810c0d13dc6cfbc4fe6161415f0

SHA256
2ddabc0dcb45d8886a759a78133a26e4159ee5d574c451088fc58e6bb04a5183

SHA512
a1090e816086a9e6c905b0b2f2cb40e8abf4ed91dea9db88f902918a9f98c92331b6339bb3aea20404ed4839cb0636131c5b3ff168cbb996c3e11a939487f261

Download Submit
C:\Users\Admin\AppData\Local\Temp\Netsh Gang Bat.exe
Filesize
122KB

MD5
22f7d003c8304329e091ec4d12da5936

SHA1
0d96344082ad8a05c4d811522776cfeefe3fa2b0

SHA256
c97ab40a01f9c6fb2a866134f401bb5d86f4a9d97b28bd1d81d95704099f91fd

SHA512
fbb352838a5202b2e9ba1ac951a47f4734609a457a8a8419efea5bd768599be8e54095546b954ba68d7e1b7eebe6b220fc2d50201538bdf123eb21eb152b5782

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
912B

MD5
933f1fb6dffef540dbeb3ff88ef3b8cd

SHA1
6e0383aa893cc60ea61f3f9b163c90867cb94327

SHA256
02d625fc1f36f8037954fb3372f9a6b87ebc96293775030b2aa264325fa294af

SHA512
9c45fe18a5a9c813f0fc8efe616a7a895d8e43d691716f7465783bd51082be199a782ad8cfb435c5e578d9aad559f8a69db82b80986433fd6f9e34f56c0ef9a0

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
80cf6a1efccc4fc08e7b7e04158c2e71

SHA1
0058880021ec67f7c21cc5be6a48abcae19393e8

SHA256
efa505744bd0936a772a953985e9e0c7409f6c7aa1919d6d45cfe6d7f9bf00c8

SHA512
040ee6562141eae0b58460ea057498a4c6bcd1c3672e11fcc764c5b94241ee697cd7f648f46fb28e8ffd5c26794a17de27e87bca81c50d4560c8c07b005000a2

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
b696a420da7ab21c9ad549bb76eb4c85

SHA1
04aa9da0c277e62d26a86dfdbac7450199341ef0

SHA256
8f47e02f533f1c72bda36b58431cde01cf8d7274c820421c07551cc3eb10d4dc

SHA512
46b38f8536c7c708f37e31185b70474caff7165696292b5fe1ca18e4f71bb2af1939896ab0c10b0d552d46f6f7cc2806e3547698c4af4ae837ed4d9376f12a49

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
414B

MD5
20d24bbb6209f77471976d0c3031d82d

SHA1
2ae2758ab8a67bf29f6ee5c1faf270c2da70f16c

SHA256
2f8bc8fcdbcc1db0f2e4e3a82938537c00db545265160871722c2039ee63bb04

SHA512
4e5c9f606965633fb7974f466022b19f37c0e6cfd3c0adee1176fa067579ba04a968c6d89029423c3a297742434869e3f8f71a27cfcfdaa39d1090e4113ecbda

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
897B

MD5
4209b89d12a9ca3a8216a6c14a59e65f

SHA1
2cdd70b18836042a392f393b6ca5e048b6a22308

SHA256
a720e1008bc75e5521a014761c546515656a8293a1d6c104ba18e6eb25299994

SHA512
2bdd4c8f04bfeb5f953428a1d5c0091abaad485ad5fa898719b879196cfa5472284df9d86ce043a4fa48d1e88d9b255dc6c4caf44dab80d8168ff52a13b9df5d

Download Submit
memory/1340-27-0x000000001AD10000-0x000000001AD20000-memory.dmp

Filesize
64KB

Download
memory/1340-23-0x00007FFB47C70000-0x00007FFB48731000-memory.dmp

Filesize
10.8MB

Download
memory/1340-16-0x00000000000B0000-0x00000000000FA000-memory.dmp

Filesize
296KB

Download
memory/1340-149-0x00007FFB47C70000-0x00007FFB48731000-memory.dmp

Filesize
10.8MB

Download
memory/3160-24-0x0000000000400000-0x0000000000C57000-memory.dmp

Filesize
8.3MB

Download
memory/3160-2-0x0000000000400000-0x0000000000C57000-memory.dmp

Filesize
8.3MB

Download
memory/3160-0-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/3160-3-0x0000000000400000-0x0000000000C57000-memory.dmp

Filesize
8.3MB

Download
memory/3160-1-0x00000000013A0000-0x00000000013A1000-memory.dmp

Filesize
4KB

Download