44caliber | 0ea8e2910cb2a2a4b11be49d5e126ee142006b8081835e0a7df915d7888298ba

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66721cc45af725f154418a09d4a68ec6.exe
Size

747KB
MD5

66721cc45af725f154418a09d4a68ec6
SHA1

632a75f4263174cc19942a144fc7087b00b5486e
SHA256

0ea8e2910cb2a2a4b11be49d5e126ee142006b8081835e0a7df915d7888298ba
SHA512

dfa77713a46330fec13af7a613713920a0d20ba6ab29fff636c0ce0bfdec4d618f078dbd1ec3b84dd68199275d05d26cce9daf2b2fdfad234e842b01e1911cbd
SSDEEP

12288:VhqxSLo5C1Ps4XhWT+trB8lUvGNVB6d/30BPU54PaklHqs:VHLmCiIhjjGvcdclU5kbp

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/882699814805061663/t2OYL-mIrPiqG-u99L6kOBVeFW3ZztNOFcMlV1t3d2KjSF7XPZFr5kxG0S2tgFW28GHF

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 3 IoCs

Processes:

Desktop.exeInsidious1.sfx.exeInsidious1.exe

pid process

2844 Desktop.exe
2732 Insidious1.sfx.exe
2572 Insidious1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Insidious1.exe

pid process

2572 Insidious1.exe
2572 Insidious1.exe
2572 Insidious1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious1.exe

description pid process

Token: SeDebugPrivilege 2572 Insidious1.exe

pid	process
2844	Desktop.exe
2732	Insidious1.sfx.exe
2572	Insidious1.exe

pid	process
2572	Insidious1.exe
2572	Insidious1.exe
2572	Insidious1.exe

description	pid	process
Token: SeDebugPrivilege	2572	Insidious1.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

66721cc45af725f154418a09d4a68ec6.execmd.exeDesktop.execmd.exeInsidious1.sfx.exeInsidious1.exe

description	pid	process	target process
PID 1740 wrote to memory of 2664	1740	66721cc45af725f154418a09d4a68ec6.exe	cmd.exe
PID 1740 wrote to memory of 2664	1740	66721cc45af725f154418a09d4a68ec6.exe	cmd.exe
PID 1740 wrote to memory of 2664	1740	66721cc45af725f154418a09d4a68ec6.exe	cmd.exe
PID 1740 wrote to memory of 2664	1740	66721cc45af725f154418a09d4a68ec6.exe	cmd.exe
PID 2664 wrote to memory of 2844	2664	cmd.exe	Desktop.exe
PID 2664 wrote to memory of 2844	2664	cmd.exe	Desktop.exe
PID 2664 wrote to memory of 2844	2664	cmd.exe	Desktop.exe
PID 2664 wrote to memory of 2844	2664	cmd.exe	Desktop.exe
PID 2844 wrote to memory of 2772	2844	Desktop.exe	cmd.exe
PID 2844 wrote to memory of 2772	2844	Desktop.exe	cmd.exe
PID 2844 wrote to memory of 2772	2844	Desktop.exe	cmd.exe
PID 2844 wrote to memory of 2772	2844	Desktop.exe	cmd.exe
PID 2772 wrote to memory of 2732	2772	cmd.exe	Insidious1.sfx.exe
PID 2772 wrote to memory of 2732	2772	cmd.exe	Insidious1.sfx.exe
PID 2772 wrote to memory of 2732	2772	cmd.exe	Insidious1.sfx.exe
PID 2772 wrote to memory of 2732	2772	cmd.exe	Insidious1.sfx.exe
PID 2732 wrote to memory of 2572	2732	Insidious1.sfx.exe	Insidious1.exe
PID 2732 wrote to memory of 2572	2732	Insidious1.sfx.exe	Insidious1.exe
PID 2732 wrote to memory of 2572	2732	Insidious1.sfx.exe	Insidious1.exe
PID 2732 wrote to memory of 2572	2732	Insidious1.sfx.exe	Insidious1.exe
PID 2572 wrote to memory of 1328	2572	Insidious1.exe	WerFault.exe
PID 2572 wrote to memory of 1328	2572	Insidious1.exe	WerFault.exe
PID 2572 wrote to memory of 1328	2572	Insidious1.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\66721cc45af725f154418a09d4a68ec6.exe
"C:\Users\Admin\AppData\Local\Temp\66721cc45af725f154418a09d4a68ec6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Start1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2664

\??\c:\Desktop.exe
Desktop.exe -p111 -dc:\
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Start.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2772

\??\c:\Insidious1.sfx.exe
Insidious1.sfx.exe -p11 -dc:\
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2732

C:\Insidious1.exe
"C:\Insidious1.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2572 -s 824
3⤵
PID:1328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Desktop.exe

Filesize
249KB

MD5
9f100a143b8b15584bdf871f59a2b6f1

SHA1
31819ab462ee6322d935826165af1c92009e5c31

SHA256
ec2c364972101804de325c3bfdc55cecde6e950c4e485a2da6e92391ef871206

SHA512
b4c93314eefae0ccdf0fdc54e8bbf9a41d410a3e565af2cb6aad0755279e686d47389d6d59e36cc509bcc8d552b2ced77756a14ad9850d190951ab1afa251fcf

Download Submit
C:\Insidious1.exe

Filesize
222KB

MD5
5781d0b5d0f9d730515c1f42d344f7dd

SHA1
2b7145dd942bffeda11cd0bd132adc46df4da2e1

SHA256
b4bb632630732537ebdc16c1d339c43e82dc7a4e624b39c8bd53ce85236bf6c3

SHA512
36398c5ae132312d6eedfac9c6861c85c2652889a560de7aafa8d3006cf7372a2e45c74b611d3e6a78282d4dbec74a1e10a99936ba7c574c9e5bd491f3ef27d8

Download Submit
C:\Insidious1.exe

Filesize
111KB

MD5
94845d83d187751e7f8bcdff465b38ea

SHA1
fdf46a4cfab611b1e77371672fd6c7f6d0614953

SHA256
6a51725aebdac207e67517bbb7768697e6c264b36c8cb998c807adc79c9a242f

SHA512
f126b667a32677cac42751793d941d344e61798fcd36b2a59d476fb5774faf833faf9cb218f7f2a0091618537b7fce6129a4520ba833426108c604c55aeb6b81

Download Submit
C:\Insidious1.exe

Filesize
303KB

MD5
db8d2a2fcd06de834a1ccbfe1a5f182a

SHA1
2dce3f7bdce5f787d43c42166ec25fbed59470de

SHA256
68c85fe1a8153965c5dcfe7301a14afe652912f75a85eaa7f907ddbdb047a0b4

SHA512
248284eaec4838bc9e474136953886dc4d90ac62d916724a201b9740908a925ccf365ae8f99969f148e75a55a50de9bb28417bdbae0e5def8ecd78a11874815d

Download Submit
C:\Insidious1.sfx.exe

Filesize
288KB

MD5
14f905f2135884efec73572a5c532a73

SHA1
34ec7bf5f1177ece38b1af955707ed2593a59756

SHA256
8ecd4dca99b9c427ac83988b3c1219e3452187c486ea60466ea4b2dc9802452b

SHA512
9311fdeae04e03a3cd7695618baacab5116232766c81a9a816971e0022c8c9863f0f46fd7561fb7a52330caf2b5eca5e8540ecfd1e25f5dcea94376288f2e14a

Download Submit
C:\Start.bat

Filesize
29B

MD5
71ee9d9a6379f874b0391a811b120ed6

SHA1
d72daa6e8cc433812422c8b83665956a27529296

SHA256
9acfdb4c69071efb2fabc3ef76bdf7cb57c6eb7c03b7882ec8e4556e55afed26

SHA512
e81e38392d33c749bf06fc52cbd2d238891ae1217465f336fbedaeeb3d402c150c2cd16878ce8a0e4684590d95820d0f889d02f3c79fbb8df3715cc693a3f52f

Download Submit
C:\Start1.bat

Filesize
23B

MD5
77b8ac7a86cb4e34951cfff168040f46

SHA1
4e1eaad838d486f4426a46d16c1f764aab36968f

SHA256
19cba8521d8223059b7571874b2a89f8a6cedce5b30cbfd16235487f7a40a606

SHA512
b142844931ec155bbaf442be6815c48c94dcaf3ce85ee29fbb5e5c3f74ca3943d2c3c0b02e71cca7e069250391bf82a07c31bd53e9f11dc1797c0566530a68d0

Download Submit
\??\c:\Desktop.exe

Filesize
236KB

MD5
e9333e59de3ddb0dcd92a4f057905cf3

SHA1
fc63a9f1a5fad841766fb077c4f355f21c7a4766

SHA256
ddeb36859294f1350c8734251460471302d2f1820b5926416598eb612ae49510

SHA512
bfd25e9f296ae447a2d75c1b2cfd301c302b023976d390ee080d517a06f436ed89ef9f39d9d124e3410402348b29892e7a8fc9fee4ab7909c708d62bd1e004c8

Download Submit
\??\c:\Insidious1.sfx.exe

Filesize
207KB

MD5
abef1b66b50a33b6e4ef8f85de4394fc

SHA1
a66bd3e5346f783afb5e7fb15a6a269c8cc425d3

SHA256
ae485b928422cd1e8ef2111b10d5eed7c612df45b22bea7cb2948668bd7c0eea

SHA512
c4ee8561d57e5161549beb421c5b9833c7b74da94a802c5f9d50d66a89dc5b8234ea7e8c0c51f71fe1e65bf6359c5c3eac8a947799181e871e3395050e4da8d4

Download Submit
memory/2572-51-0x0000000001360000-0x00000000013B2000-memory.dmp

Filesize
328KB

Download
memory/2572-52-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-53-0x000000001B7E0000-0x000000001B860000-memory.dmp

Filesize
512KB

Download
memory/2572-72-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download