44caliber | 0ea8e2910cb2a2a4b11be49d5e126ee142006b8081835e0a7df915d7888298ba

General

Target

66721cc45af725f154418a09d4a68ec6.exe
Size

747KB
MD5

66721cc45af725f154418a09d4a68ec6
SHA1

632a75f4263174cc19942a144fc7087b00b5486e
SHA256

0ea8e2910cb2a2a4b11be49d5e126ee142006b8081835e0a7df915d7888298ba
SHA512

dfa77713a46330fec13af7a613713920a0d20ba6ab29fff636c0ce0bfdec4d618f078dbd1ec3b84dd68199275d05d26cce9daf2b2fdfad234e842b01e1911cbd
SSDEEP

12288:VhqxSLo5C1Ps4XhWT+trB8lUvGNVB6d/30BPU54PaklHqs:VHLmCiIhjjGvcdclU5kbp

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/882699814805061663/t2OYL-mIrPiqG-u99L6kOBVeFW3ZztNOFcMlV1t3d2KjSF7XPZFr5kxG0S2tgFW28GHF

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

66721cc45af725f154418a09d4a68ec6.exeDesktop.exeInsidious1.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	66721cc45af725f154418a09d4a68ec6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Desktop.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Insidious1.sfx.exe

Executes dropped EXE 3 IoCs

Processes:

Desktop.exeInsidious1.sfx.exeInsidious1.exe

pid process

496 Desktop.exe
4472 Insidious1.sfx.exe
2860 Insidious1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 freegeoip.app
23 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Insidious1.exe

pid process

2860 Insidious1.exe
2860 Insidious1.exe
2860 Insidious1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious1.exe

description pid process

Token: SeDebugPrivilege 2860 Insidious1.exe

pid	process
496	Desktop.exe
4472	Insidious1.sfx.exe
2860	Insidious1.exe

flow	ioc
21	freegeoip.app
23	freegeoip.app

pid	process
2860	Insidious1.exe
2860	Insidious1.exe
2860	Insidious1.exe

description	pid	process
Token: SeDebugPrivilege	2860	Insidious1.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

66721cc45af725f154418a09d4a68ec6.execmd.exeDesktop.execmd.exeInsidious1.sfx.exe

description	pid	process	target process
PID 2728 wrote to memory of 1648	2728	66721cc45af725f154418a09d4a68ec6.exe	cmd.exe
PID 2728 wrote to memory of 1648	2728	66721cc45af725f154418a09d4a68ec6.exe	cmd.exe
PID 2728 wrote to memory of 1648	2728	66721cc45af725f154418a09d4a68ec6.exe	cmd.exe
PID 1648 wrote to memory of 496	1648	cmd.exe	Desktop.exe
PID 1648 wrote to memory of 496	1648	cmd.exe	Desktop.exe
PID 1648 wrote to memory of 496	1648	cmd.exe	Desktop.exe
PID 496 wrote to memory of 4824	496	Desktop.exe	cmd.exe
PID 496 wrote to memory of 4824	496	Desktop.exe	cmd.exe
PID 496 wrote to memory of 4824	496	Desktop.exe	cmd.exe
PID 4824 wrote to memory of 4472	4824	cmd.exe	Insidious1.sfx.exe
PID 4824 wrote to memory of 4472	4824	cmd.exe	Insidious1.sfx.exe
PID 4824 wrote to memory of 4472	4824	cmd.exe	Insidious1.sfx.exe
PID 4472 wrote to memory of 2860	4472	Insidious1.sfx.exe	Insidious1.exe
PID 4472 wrote to memory of 2860	4472	Insidious1.sfx.exe	Insidious1.exe

C:\Users\Admin\AppData\Local\Temp\66721cc45af725f154418a09d4a68ec6.exe
"C:\Users\Admin\AppData\Local\Temp\66721cc45af725f154418a09d4a68ec6.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Start1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:1648

\??\c:\Desktop.exe
Desktop.exe -p111 -dc:\
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Start.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4824

\??\c:\Insidious1.sfx.exe
Insidious1.sfx.exe -p11 -dc:\
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472

C:\Insidious1.exe
"C:\Insidious1.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Desktop.exe

Filesize
581KB

MD5
fd5dad667edc46daef933b35d05f8555

SHA1
fe97457b62dc2b71ee3f442ca806f4e020475821

SHA256
e550ae31e23fc9e4f7b543263a85a075ff727690e17e735afd2b999640612be7

SHA512
d416f7d05ab37b2871c74d7c4d504c14eef08a27835c2250e2e38f1a4eba1e5f326e0b19778bbc4a017dfedd1d1ac9d510e651e7ba21d98e0b5df8784f83dd6d

Download Submit
C:\Insidious1.exe

Filesize
303KB

MD5
db8d2a2fcd06de834a1ccbfe1a5f182a

SHA1
2dce3f7bdce5f787d43c42166ec25fbed59470de

SHA256
68c85fe1a8153965c5dcfe7301a14afe652912f75a85eaa7f907ddbdb047a0b4

SHA512
248284eaec4838bc9e474136953886dc4d90ac62d916724a201b9740908a925ccf365ae8f99969f148e75a55a50de9bb28417bdbae0e5def8ecd78a11874815d

Download Submit
C:\Insidious1.sfx.exe

Filesize
418KB

MD5
97d291eaf4c5046fbd724e87e006ce94

SHA1
269738e66f84b27c3dec9e27070d6c7fccfdfb65

SHA256
94b9e1e21470a25b4dfa17d36e70a54e23e1df185b477bf6bddc6b3c7d1743c2

SHA512
45079a4d4b486b71ad9390dc12c765e3a549d5c6499fc66722bd020ad9731dbdf983c8e0475c7405e00d5f4fb97030404f7584042b9dc66b3bb105270ff90e17

Download Submit
C:\Start.bat

Filesize
29B

MD5
71ee9d9a6379f874b0391a811b120ed6

SHA1
d72daa6e8cc433812422c8b83665956a27529296

SHA256
9acfdb4c69071efb2fabc3ef76bdf7cb57c6eb7c03b7882ec8e4556e55afed26

SHA512
e81e38392d33c749bf06fc52cbd2d238891ae1217465f336fbedaeeb3d402c150c2cd16878ce8a0e4684590d95820d0f889d02f3c79fbb8df3715cc693a3f52f

Download Submit
C:\Start1.bat

Filesize
23B

MD5
77b8ac7a86cb4e34951cfff168040f46

SHA1
4e1eaad838d486f4426a46d16c1f764aab36968f

SHA256
19cba8521d8223059b7571874b2a89f8a6cedce5b30cbfd16235487f7a40a606

SHA512
b142844931ec155bbaf442be6815c48c94dcaf3ce85ee29fbb5e5c3f74ca3943d2c3c0b02e71cca7e069250391bf82a07c31bd53e9f11dc1797c0566530a68d0

Download Submit
\??\c:\Desktop.exe

Filesize
514KB

MD5
1aff91676232aba9213de43b5d3b97d3

SHA1
7a925b90020abd023ec729c3ed67288635b0add8

SHA256
07e1618e2c1abf70081ac15aaf945f31338730bf945ac15be36299d99443f77b

SHA512
17db410d38a3bd2489cfa613904ba9ed48b859e83372c4510bacd09477839538ba3e7e39c860aaca92dd1e3f6e074736aa14d7b531d03fe4c2f5f2e26da83966

Download Submit
memory/2860-32-0x0000000000250000-0x00000000002A2000-memory.dmp

Filesize
328KB

Download
memory/2860-59-0x00007FFBDE840000-0x00007FFBDF301000-memory.dmp

Filesize
10.8MB

Download
memory/2860-64-0x000000001AE70000-0x000000001AE80000-memory.dmp

Filesize
64KB

Download
memory/2860-65-0x00007FFBDE840000-0x00007FFBDF301000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing