44caliber | 9fa20d35011ed9990b8df980830bb843d262a305dac9e22c75780e8f76f58efe

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed29dcde8768f1e4c759486140c338cd.exe
Size

3.9MB
MD5

ed29dcde8768f1e4c759486140c338cd
SHA1

d721f6ca0615b83fb541fc7600c026ad0a8c1e1d
SHA256

9fa20d35011ed9990b8df980830bb843d262a305dac9e22c75780e8f76f58efe
SHA512

953675610a166f8dbb6423194aa205d75c43ae4ba312540d8ea25b9f48644f35026f62ed61b2660f9597e8f4bf8f2f0447b08b8686d2e52a1edc0326dfdd0bc1
SSDEEP

98304:JngRc3P5083Yf+hW1jfN2C0GnijlUME/w00xpw7V:met3+l9N2GQqME4jEV

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/854662966200762408/UEPTBr2Rw2bbBl8kdAtd687oxi7BxJ7RDU99BRreTgVoN7lgDrh84_ew6GVD5oxR2dPt

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cheat Fortnite.sfx.exeed29dcde8768f1e4c759486140c338cd.exesddssd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	Cheat Fortnite.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	ed29dcde8768f1e4c759486140c338cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	sddssd.exe

Executes dropped EXE 3 IoCs

Processes:

sddssd.exeCheat Fortnite.sfx.exeCheat Fortnite.exe

pid process

4876 sddssd.exe
4416 Cheat Fortnite.sfx.exe
3192 Cheat Fortnite.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 freegeoip.app
8 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Cheat Fortnite.exe

pid process

3192 Cheat Fortnite.exe
3192 Cheat Fortnite.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4876	sddssd.exe
4416	Cheat Fortnite.sfx.exe
3192	Cheat Fortnite.exe

flow	ioc
6	freegeoip.app
8	freegeoip.app

pid	process
3192	Cheat Fortnite.exe
3192	Cheat Fortnite.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cheat Fortnite.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Cheat Fortnite.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Cheat Fortnite.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Cheat Fortnite.exe

pid process

3192 Cheat Fortnite.exe
3192 Cheat Fortnite.exe
3192 Cheat Fortnite.exe
3192 Cheat Fortnite.exe
3192 Cheat Fortnite.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Cheat Fortnite.exe

description pid process

Token: SeDebugPrivilege 3192 Cheat Fortnite.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Cheat Fortnite.exe

pid process

3192 Cheat Fortnite.exe

pid	process
3192	Cheat Fortnite.exe
3192	Cheat Fortnite.exe
3192	Cheat Fortnite.exe
3192	Cheat Fortnite.exe
3192	Cheat Fortnite.exe

description	pid	process
Token: SeDebugPrivilege	3192	Cheat Fortnite.exe

pid	process
3192	Cheat Fortnite.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ed29dcde8768f1e4c759486140c338cd.exesddssd.exeCheat Fortnite.sfx.exe

description	pid	process	target process
PID 4456 wrote to memory of 4876	4456	ed29dcde8768f1e4c759486140c338cd.exe	sddssd.exe
PID 4456 wrote to memory of 4876	4456	ed29dcde8768f1e4c759486140c338cd.exe	sddssd.exe
PID 4456 wrote to memory of 4876	4456	ed29dcde8768f1e4c759486140c338cd.exe	sddssd.exe
PID 4876 wrote to memory of 4416	4876	sddssd.exe	Cheat Fortnite.sfx.exe
PID 4876 wrote to memory of 4416	4876	sddssd.exe	Cheat Fortnite.sfx.exe
PID 4876 wrote to memory of 4416	4876	sddssd.exe	Cheat Fortnite.sfx.exe
PID 4416 wrote to memory of 3192	4416	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe
PID 4416 wrote to memory of 3192	4416	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe
PID 4416 wrote to memory of 3192	4416	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe

C:\Users\Admin\AppData\Local\Temp\ed29dcde8768f1e4c759486140c338cd.exe
"C:\Users\Admin\AppData\Local\Temp\ed29dcde8768f1e4c759486140c338cd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\Temp\sddssd.exe
"C:\Users\Admin\AppData\Local\Temp\sddssd.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876

C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4416

C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
560B

MD5
5d13ef08c68a355dd1a8e488586c6ae7

SHA1
249a04187b12177c36ce244c56164f1c97635674

SHA256
7c774bcd832437921d2b924f7a6cecfd81c2e8b3b41bb420ecca02663498f60e

SHA512
be7654ff16fc10c6899603964b024f134e1bb3cabbfd056ebb629195be4dd6c9605fecf3920cfbc0315ece1d1ffe4543322a9b6778abfb229463a7c352f583fc

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
738B

MD5
9c86b8bc8bfc8a310a5bb2df81ba6ff3

SHA1
18f440ee828588724e6d56d5925ddf466a73ccad

SHA256
a0a4754b920dce857b26541ea4d582a10abc1b09dde4ca09270af85b5d289e53

SHA512
8f2c2c69f8759723eb03fe65ca4d4989d95057242be126abd5876d9c81039f83c30f24cd94395a426c1aa7feecca4036637afcaeacbad9674f95399580de9045

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
6f069b5013da80144d95e643d11333ad

SHA1
d173e39c380485e65c44f78c9df0887eeecf9288

SHA256
343570f6f2ecf9cc0a07fbdc6e0ab96ea37020853acaf18ec344daa432fc2a92

SHA512
fb4abcfa19be3ba7d4a5b97ebd7db1a2f0383402e2706f47e263a8ee895a30614df53c3af9b71a6deaa688469a06946deab2d504212008dc5115216c62c450c7

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
1KB

MD5
3fc3f9fb1975d57e0b4e3c7ffee28a39

SHA1
896271233dabccbce7be0454fa133d9dfde0bebc

SHA256
9390efd3d4ad8e4cd557771a4b8bc39552c1d71be49d66106680f8b1782e7d31

SHA512
e95e246b7e23e762413967d23f4e6596dfced7aebbd02a2d78f62e5d5a52a0c364c04489c7a1c46fe4fbe3cc4eaa0742be0edcf1665eca87880e186d667ab4f7

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt
Filesize
271B

MD5
27ac6ae9da4e54014d57eab75b5c1a23

SHA1
a7058ebec5a838da259166912db30f273ec7feca

SHA256
12574e63a2ca291a3061c5f09861d75f46cf90f81ce9e6620d32aa2873abbe3c

SHA512
3c6ddf846135220f8a96f3f59cebfd7def191bf738cf2588c765b5795c84410ce674caef19ad5fd1183a06267f64f40644a2821d0f5c01284239b9e27cb6ac56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
Filesize
628KB

MD5
1a10d8478aea4c19ac3c848726f62850

SHA1
2f1d7ef61e974975802f23a3c288a113a5e47503

SHA256
cd91e873848ba7900f2f4680ec3b60113fdeb221ae43ab4288053350bd2ab417

SHA512
9721791074dc897ddd3e377e4795f2b92f80a804eb7c549b219201992227567ef7f13afde8a955bf10d7b626ab64715113ca5af12af581fab6bb68d09d9f360a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
Filesize
1.0MB

MD5
35662b0134d9653b354e3c0679de4305

SHA1
a04ee007cd2330faf859342065ccc009ceeb6a80

SHA256
d5676b380382fbe67f6762f3bc26e73070bbeb3989798a7fe6e3da5af03add4e

SHA512
cab70ef0d6df069699551bfdb1422549ebe752c4883faaac12b6d1f17fc373b8761e00735b2678689441d9d197a40a84a503c9bed0a2c6b154d5737c070ee811

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
Filesize
825KB

MD5
6df9a226938c8d6929680b1c994c5abf

SHA1
0336f76d4a58e9c7612d659f4d78c30026434b9b

SHA256
9f5426dc8250047176243fa20476aa74b0de96176ce5a83c71c5ed9374a2c690

SHA512
7fed04b9e91fb2d6de89a08f90ec4c8de9e0e5d4af2e33f4cf7c5dcc4f5746e57cc191ad6580c3cc56969cd3f24d5f65b2bb54b5496cfae1b0f3a6af30e10556

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
Filesize
1.5MB

MD5
afc74fa97393a7032b18952296c72274

SHA1
a57ff2ff6b5859f9ae7ee3d8c3714f46e83e7314

SHA256
2f366b4d028cff3bd66b129429fdf983bd61a0ef09d8f671d53eee1496bea457

SHA512
f985e16ae44af9cbcda23c9d59bba9808cccb86f68fcaca84443fdd357b2f012165f8373e340c494096ba42e082ab8cd9ff3ba4150ee7f51191ced0b9da86155

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
Filesize
1.3MB

MD5
c6e5aa89e30fb9dbc4b09568a701f53d

SHA1
a178c7c4950be84a3cca4233c72f08c50a6323ee

SHA256
9bce26c2a59ed750062066a9f7e239db7a3a06ea4c23bae2cef29a444aca18ed

SHA512
c775889ffd054a21ab68658880f41b97b08f0d6e9b002cfdd1c6c99fac2f4e27ddbf3dbe2a3ef725a3be9fd7ff15a018e46edda364e3dbd70a413f01252c146a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe
Filesize
2.6MB

MD5
4e73d12877305efad0f278894bbf0dc7

SHA1
cf9936b92321e971f57c4cb91824bfb825bc733b

SHA256
971bab6e60995f287c6533dd6fc56d22564a11294f7e1e819b30e08677c5ed0b

SHA512
9158a729f97f8c8a0619600c4868c1df4b78950bea1a44beec49706c812eb6259346ac6b76b416d0fe600aa4b5f6bdeaacbb04c7bac749282bfed374e9ff60ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe
Filesize
2.8MB

MD5
a0f1f254e4ca22a476f7bc46def40445

SHA1
ee591660a951fcbb7d0273ad79fb47275e5895b0

SHA256
9616fd26ab0a3c6d6a18731b3a830692ea19939c01a767eb205ddc693c9b2088

SHA512
5833fbadfc82f4bec0d3b0c0d1ca3ceed9a0162819bdc7dc75baab83906d959b4afceab60f61df820d1e0537fe87e7a59cf44185287823cea052f4935415016f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe
Filesize
2.8MB

MD5
c8f3833c525e44162c3c5055d3656f03

SHA1
977b3e5db3d0d1662312042d2964e01af6a2a0f4

SHA256
25fed3210e70afdc629383e132f1114c305667009c13c41735d7477deb0bd1cc

SHA512
f481eaf6074aa782954f9ab73a9a8bcae9cbcbe134dc65c212edf81021d7d74acce5364ae6b6ecad8b2a1c251d4059c023038e62db5d1f934b920390f01cf3df

Download Submit
memory/3192-34-0x0000000000490000-0x000000000083C000-memory.dmp

Filesize
3.7MB

Download
memory/3192-72-0x0000000006F30000-0x00000000074D4000-memory.dmp

Filesize
5.6MB

Download
memory/3192-39-0x0000000006520000-0x00000000065B2000-memory.dmp

Filesize
584KB

Download
memory/3192-169-0x0000000006DD0000-0x0000000006E36000-memory.dmp

Filesize
408KB

Download
memory/3192-38-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/3192-36-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/3192-37-0x0000000000490000-0x000000000083C000-memory.dmp

Filesize
3.7MB

Download
memory/3192-35-0x0000000000490000-0x000000000083C000-memory.dmp

Filesize
3.7MB

Download
memory/3192-173-0x0000000000490000-0x000000000083C000-memory.dmp

Filesize
3.7MB

Download
memory/3192-174-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download