44caliber | 9fa20d35011ed9990b8df980830bb843d262a305dac9e22c75780e8f76f58efe

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed29dcde8768f1e4c759486140c338cd.exe
Size

3.9MB
MD5

ed29dcde8768f1e4c759486140c338cd
SHA1

d721f6ca0615b83fb541fc7600c026ad0a8c1e1d
SHA256

9fa20d35011ed9990b8df980830bb843d262a305dac9e22c75780e8f76f58efe
SHA512

953675610a166f8dbb6423194aa205d75c43ae4ba312540d8ea25b9f48644f35026f62ed61b2660f9597e8f4bf8f2f0447b08b8686d2e52a1edc0326dfdd0bc1
SSDEEP

98304:JngRc3P5083Yf+hW1jfN2C0GnijlUME/w00xpw7V:met3+l9N2GQqME4jEV

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/854662966200762408/UEPTBr2Rw2bbBl8kdAtd687oxi7BxJ7RDU99BRreTgVoN7lgDrh84_ew6GVD5oxR2dPt

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Executes dropped EXE 3 IoCs

pid	Process
1504	sddssd.exe
2700	Cheat Fortnite.sfx.exe
2868	Cheat Fortnite.exe

Loads dropped DLL 10 IoCs

pid	Process
2236	ed29dcde8768f1e4c759486140c338cd.exe
2236	ed29dcde8768f1e4c759486140c338cd.exe
2236	ed29dcde8768f1e4c759486140c338cd.exe
1504	sddssd.exe
1504	sddssd.exe
1504	sddssd.exe
2700	Cheat Fortnite.sfx.exe
2700	Cheat Fortnite.sfx.exe
2700	Cheat Fortnite.sfx.exe
2700	Cheat Fortnite.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
3	freegeoip.app
4	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
2868	Cheat Fortnite.exe
2868	Cheat Fortnite.exe
2868	Cheat Fortnite.exe
2868	Cheat Fortnite.exe
2868	Cheat Fortnite.exe
2868	Cheat Fortnite.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Cheat Fortnite.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Cheat Fortnite.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2868	Cheat Fortnite.exe
2868	Cheat Fortnite.exe
2868	Cheat Fortnite.exe
2868	Cheat Fortnite.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	Cheat Fortnite.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2868	Cheat Fortnite.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1504	2236	ed29dcde8768f1e4c759486140c338cd.exe	28
PID 2236 wrote to memory of 1504	2236	ed29dcde8768f1e4c759486140c338cd.exe	28
PID 2236 wrote to memory of 1504	2236	ed29dcde8768f1e4c759486140c338cd.exe	28
PID 2236 wrote to memory of 1504	2236	ed29dcde8768f1e4c759486140c338cd.exe	28
PID 1504 wrote to memory of 2700	1504	sddssd.exe	29
PID 1504 wrote to memory of 2700	1504	sddssd.exe	29
PID 1504 wrote to memory of 2700	1504	sddssd.exe	29
PID 1504 wrote to memory of 2700	1504	sddssd.exe	29
PID 2700 wrote to memory of 2868	2700	Cheat Fortnite.sfx.exe	30
PID 2700 wrote to memory of 2868	2700	Cheat Fortnite.sfx.exe	30
PID 2700 wrote to memory of 2868	2700	Cheat Fortnite.sfx.exe	30
PID 2700 wrote to memory of 2868	2700	Cheat Fortnite.sfx.exe	30

C:\Users\Admin\AppData\Local\Temp\ed29dcde8768f1e4c759486140c338cd.exe
"C:\Users\Admin\AppData\Local\Temp\ed29dcde8768f1e4c759486140c338cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\sddssd.exe
  "C:\Users\Admin\AppData\Local\Temp\sddssd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
      "C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
410B

MD5
f42ddf2942fe43599fac75718c19927d

SHA1
fe9e603d07a8b06822c7164355153a18c60613a4

SHA256
cf6065a5a88818dcc3a3390407a24576ec9da1d2532c4cc38c1d4d5823727911

SHA512
d4ca5590b96b963e2519f5e69c3a30f08bc52a6cc01136fb143d4e320effdff27e2625c22d07e8fd4f2a348aa01f7ee07c7cb2530cfc768e44ca4023ec6137a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe

Filesize
123KB

MD5
4a832b23bf01cc39db544ede084203ce

SHA1
0756058a7d6655569decc0ad016733cc3cb73fa0

SHA256
60a70d0d5afc7b542f284003a579f3b3a9356b1d1a72e6db59748e835708579f

SHA512
694a549aaa6e1f8096c88a4277b118742af86d3f6f74d4146439705bbe824c9a69b0406f720e02f96d82ab759ed68b53657f8a5658bdb30bccdb95d9885f6b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe

Filesize
163KB

MD5
37757018a3c8c996a95647bd787e08a7

SHA1
576e8d5d6c1d568748cb7c1a78b45c7eea01eaba

SHA256
1a04b9c960c743dbea5b08c8dc2fb9b544f13a8bec2de5d429c672352549c6ed

SHA512
158940e0e22ec154729fc9779039b2bc7a54871d6c13e4f9a6a885d2fb5a893231fbf7582486d065b211359e9ee4f0c8c3fdbd4f3f2df9e5a1cce8625f5f11cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe

Filesize
131KB

MD5
f4f16edd4f652be56c821f45273c4353

SHA1
ecc0c48d11a67f7372bacfdb1438a681cb0c5e9a

SHA256
a79f47f3dbe5f1dab0506f762e3c65413682589d2f25a9314cb20310eea43cdb

SHA512
cedc3c463f0ad28437a16aaa3e56251e6675535612773c87c6601e40ce4fd467b43a9bc9e44923b461ce79ac0e6caf84c1e91403444977cc56106d2a87b6a262

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe

Filesize
77KB

MD5
a23f3cc74a2fafc2d14b64ccf0b44b77

SHA1
4293d4b42a994066c08ca7cf0ea7f29da39aeb5c

SHA256
62575c343a5f9b8a275268d2b985cf78e8830991d1d21241f34ac935586b8a36

SHA512
9aa6ad44d259cbf17c64772b759bdbe3124aaa5f8dcfde82bca0a7f7aa66553989408cbace0e37def38eb0075721883d0a825b0bea93138ddb7973649e6df5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe

Filesize
247KB

MD5
9023f1f589c61d029355e1bd8fa0e716

SHA1
e8dd822202151268f5010eec7271e6e49152ad1b

SHA256
20dfc7d48065ac0a6ea683cb3328e3784f91d776bd689a40c4cc4fad544fdfe4

SHA512
873296898e9c38a01fca9fc4c161726384a54189ea3f24d802b51cada54b44e5c55b817ef24ccd3ca0987c959f299ada59e90f5b3a2d956501020966ff293c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe

Filesize
206KB

MD5
a5f4a69d3439e191d39eb39b83ae24b0

SHA1
67db9940eaf382877b2841bffeddea1e82043ffd

SHA256
ca0b9cabaeebbe7aa242fc65527a733b2208d2b8f2759185467671b94fd5ccaf

SHA512
8d5bbb0ca6d98e5ee598f4ebcb42d1f20f1655ad3093e8ae0de3b3c8b84554556d985995a17fe494658a9795b54b0da4629dff02979e7e6e04016e97d593fcce

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe

Filesize
1.1MB

MD5
1e63d6004a3c60bd08c141adedfb37fb

SHA1
f6692c5cd679f4760331de2f42f41e94e7394a5c

SHA256
4053823970ab0b3c200a5a3828b016719cf9d6d6213b430d00fd047387388cac

SHA512
ff6eefcd95934a526cf678f8439704a928fb7cbe66812656a0e90d8d732ef7b19a8e447c3c8d3fcb9d403105f77a1bbdda893a6ec4687d4693894d8120a66a0c

Download Submit
\??\c:\users\admin\appdata\local\temp\cheat fortnite.exe

Filesize
99KB

MD5
a9fdcd3ea6aff182a1908a99b48cdf59

SHA1
a2a9cb2ee5599be92853d41a47a9e224d721b8f3

SHA256
c2807542bccb050ccc59dcdb7acafd4f97e95705e15c76e0dc0b952032d9d6a0

SHA512
f8eedbb7007241e7af58e4232b1daeefb6c9ce31f4a9049b2505fe216d4e533c35f2eacb08ba87bd5668b161a68cbfb5b87b536d30147ab2586f047f1118e0d2

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe

Filesize
174KB

MD5
f2276f4bba4d1ca96bb11b03175ddb2d

SHA1
4474621ec68800694e678fc0119c1e93ab8e1ae8

SHA256
f58f44057899cf91cf95e22618f188769bc1a9e4cb3f3262d42ac4f66305d2a4

SHA512
431bdbd102728d7a3b3e0532713a416ceb90f70313829d20501866af06b8fd7d104c142fa4de75d64a247c4fc85a48e3c05c661d7942f143d5860caa86739390

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe

Filesize
169KB

MD5
b2d62ee9af9831e32e02825a7c988f50

SHA1
e0e200ebf32fda4035d5a53e97a79593861d22c0

SHA256
462f5284981c85f79bfd9b7e30da09edb2eec100436a3f7adccba8f55df7ee52

SHA512
59d668bacf0b485d343364ffbf86bc52f886ab79dbef668357b0dd039dd99fc19f9327e4133bf7d9a21a5ea2457894d1f282f34208d154cf86ce60d8d9456442

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe

Filesize
215KB

MD5
f5215da0118fc2fcf1a46debf093b759

SHA1
830482be1f1304cb8be469a72fceb1c9526c89ed

SHA256
9878ff789b7b6d6cdfdf36138d39f9d224a7198e6e7b33c19d9dcfaf46a38f34

SHA512
21e327846ae626b0fbdfd73302b6e42bf36b549ccc697ffcfb2932c97da449107048946a96811d6b19b3c5ca13af5f32e71f0d0a44576f1955b6f4c05366d4a6

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe

Filesize
4KB

MD5
22477ecde51f10357823ffbf50eeb998

SHA1
60277272be6291b81b1c993788434ec478afdf12

SHA256
04531f936781fcf7350df984326045d52fca606b96afbb8c81f3ae5ea1d468b9

SHA512
be5ad32d66ac2cc12add929c46be936562e15348c7d6587f68ee1f81759f7a3a32dd4ddbd079f9fa2b3c2b33d6f3e09628c6f78fa6163faa17c7fdc133942603

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe

Filesize
68KB

MD5
af680657d349e4e37f24d6db76e892bc

SHA1
e6bddcb7c0a1c6b5f1d52853945c0101849a8dde

SHA256
20d887762650266a7f9b9efcb56bf5efd5e625a63a9ad7035aacd14022b975ae

SHA512
8b9aeb984dc93d3e93fb92ce35a0afc06528968471f7c06d5135c9b6cdd036d6af0d778664c839e1d3fdeb2627e22a8c49130095e5c38e1a38cf9efd818c1e85

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe

Filesize
119KB

MD5
4c3efdf7d4ba8adb96cfe8993f1d988b

SHA1
7ca63b8f011b6f70fc21d3718fa4a93dc9e66c2c

SHA256
8dad59e68a2bca2291834ee8a6f198d6996f696d05b8c207ade06d66d4e7871f

SHA512
d489929421fbdd603032e0fd7db0db63ddb0c1e5a377ec9c7ae9ae471528dc419dd46a38b40823085591cfcf347754c4ae440afad54b9f9c244f5d0b16130f33

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe

Filesize
105KB

MD5
49f7073934559fbe9602c6d5308c09c3

SHA1
915f82432c895bd64a52b6e3ca64c6f896e30a36

SHA256
84cd8cbece6e1841cabf0e91ec299f03f34a1746f387af203cc9c4ec60f3a228

SHA512
9586f0c7dd51de0b83fb3d73640eccfa83f8386530499912b95142423acbf08a1794b4ed9779ffee69ecc663c7043b1d4c71a546ef008bb029a3cf3d54bd5067

Download Submit
\Users\Admin\AppData\Local\Temp\sddssd.exe

Filesize
150KB

MD5
2f92c02e11365fe4d1099ea1b6e922ad

SHA1
8c2819e282f0787e07a288a729d0529bd52c90ae

SHA256
14e27651ced3b0beda45d05b474999404c7f6832bbb4dd58157e9e8430819455

SHA512
a35a734ffc63e71bc73aad83f076368f2a6a1a9f8050f772175dab9d5f70a32d468aa1f2274ccd8b6426eab0c4b0656f3b38844646082031fd9169c61ff1dfba

Download Submit
\Users\Admin\AppData\Local\Temp\sddssd.exe

Filesize
890KB

MD5
bcd5602d4e8dccb701245cb39ece7bfe

SHA1
eebf945451ccc87e82f8906d9aea4c64ff16c3ce

SHA256
eadfbb29a0fac73391d8981ad3ad6022671564533ca8eab9a13c9292b827fb8c

SHA512
34232ded3dccc46d62aa81bf0f5c9375106db0b54d9ee9582b290c47a59cdd0a3702a8c02b4dbb14359dfe5e0f661701cfd6cffde64e8930cfd8818f05d7ec29

Download Submit
\Users\Admin\AppData\Local\Temp\sddssd.exe

Filesize
196KB

MD5
60dbe9e1feb69b8a2d4695a64e58c0fd

SHA1
242a4eb44e8e8fe3fba338c1e0d38f882d1e9585

SHA256
69d9a237a9fa31d855136bdb0ff3e449cc85c1e79c762cab09568bc1d740db9b

SHA512
ed57fb5c99e665a02aa9eaeafa7ff27b29ca8492f0ef2decb9d60e87f7316304e3f7493b86ed8e23789fd758bef788104174e48caae3c2e02bf3fda9780b61c1

Download Submit
memory/2868-49-0x0000000001080000-0x000000000142C000-memory.dmp

Filesize
3.7MB

Download
memory/2868-51-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/2868-50-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-75-0x0000000001080000-0x000000000142C000-memory.dmp

Filesize
3.7MB

Download
memory/2868-76-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-77-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/2868-47-0x0000000001080000-0x000000000142C000-memory.dmp

Filesize
3.7MB

Download
memory/2868-111-0x0000000001080000-0x000000000142C000-memory.dmp

Filesize
3.7MB

Download
memory/2868-112-0x0000000074380000-0x0000000074A6E000-memory.dmp

Filesize
6.9MB

Download