44caliber | 1041b6275ef7bc5b1729fa2b415ccf0e30a83ec298e02a9ec6b85c7fa0ac3418

Analysis

max time kernel
120s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

206db0f20482b4ffcf4bf7a72b743a48.exe
Size

1.5MB
MD5

206db0f20482b4ffcf4bf7a72b743a48
SHA1

5952e991897ad99f773b7bf9d8835f7dbc7f274a
SHA256

1041b6275ef7bc5b1729fa2b415ccf0e30a83ec298e02a9ec6b85c7fa0ac3418
SHA512

25df102ec9bdcf038003ae357bef77f06adc07182ebd72bdea25e2f10da4090c48b7347d1e424d5552ad0ccba3df400a6bf6b58d9b0dbc3acadd96eb966eec69
SSDEEP

24576:ATQuKl+Mw5dImXOEULqpKOKH07zIthhfPuD3J2Od4I0WpWeGdjeIPf6+kItzfdhZ:Yt5WjEULmzc3uD3JTd4k5YjeI364xVhZ

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/878380228894937168/1FKbQhM8XJ4ozljtwifZ-1m-XeYw5uknMJLH4X2t0Qxup8aulmWIgdRLa1z0jAtb9Z9u

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 1 IoCs

Processes:

Insidious (1)_protected.exe

pid process

3048 Insidious (1)_protected.exe

pid	process
3048	Insidious (1)_protected.exe

Loads dropped DLL 4 IoCs

Processes:

206db0f20482b4ffcf4bf7a72b743a48.exe

pid	process
1648	206db0f20482b4ffcf4bf7a72b743a48.exe
1648	206db0f20482b4ffcf4bf7a72b743a48.exe
1648	206db0f20482b4ffcf4bf7a72b743a48.exe
1648	206db0f20482b4ffcf4bf7a72b743a48.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Insidious (1)_protected.exe

pid process

3048 Insidious (1)_protected.exe
3048 Insidious (1)_protected.exe
3048 Insidious (1)_protected.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	freegeoip.app
3	freegeoip.app

pid	process
3048	Insidious (1)_protected.exe
3048	Insidious (1)_protected.exe
3048	Insidious (1)_protected.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious (1)_protected.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious (1)_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious (1)_protected.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Insidious (1)_protected.exe

pid process

3048 Insidious (1)_protected.exe
3048 Insidious (1)_protected.exe
3048 Insidious (1)_protected.exe
3048 Insidious (1)_protected.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious (1)_protected.exe

description pid process

Token: SeDebugPrivilege 3048 Insidious (1)_protected.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Insidious (1)_protected.exe

pid process

3048 Insidious (1)_protected.exe

pid	process
3048	Insidious (1)_protected.exe
3048	Insidious (1)_protected.exe
3048	Insidious (1)_protected.exe
3048	Insidious (1)_protected.exe

description	pid	process
Token: SeDebugPrivilege	3048	Insidious (1)_protected.exe

pid	process
3048	Insidious (1)_protected.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

206db0f20482b4ffcf4bf7a72b743a48.exe

description	pid	process	target process
PID 1648 wrote to memory of 3048	1648	206db0f20482b4ffcf4bf7a72b743a48.exe	Insidious (1)_protected.exe
PID 1648 wrote to memory of 3048	1648	206db0f20482b4ffcf4bf7a72b743a48.exe	Insidious (1)_protected.exe
PID 1648 wrote to memory of 3048	1648	206db0f20482b4ffcf4bf7a72b743a48.exe	Insidious (1)_protected.exe
PID 1648 wrote to memory of 3048	1648	206db0f20482b4ffcf4bf7a72b743a48.exe	Insidious (1)_protected.exe

C:\Users\Admin\AppData\Local\Temp\206db0f20482b4ffcf4bf7a72b743a48.exe
"C:\Users\Admin\AppData\Local\Temp\206db0f20482b4ffcf4bf7a72b743a48.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
419B

MD5
9c9912aeff7a15b4d5feaf1222684be9

SHA1
dade6a7baca15242ccf4824cfdb6b6f7961f3f26

SHA256
2fce42406dc16b32e7cdaa499182ea419b4fcb27a9b15aac303627bafffd0ae7

SHA512
91b0ee9a66eecc67db92b16363ca1f3d749c0684adc20b6ea9ec8871e1078baeeb691da79109a92355cb9e9a07b379acc31193b513f30a94f46e2c1dc7ea7f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
304KB

MD5
7dd3bc789d4c11211304814c19d263d9

SHA1
b69b177a8ddb986f74cc226459eb972b10459909

SHA256
cb233784a01de84b5dba24ab9ac49042fdbe90fc2cec65c13279aa4b2901009c

SHA512
7cafc6530fe791393436604a70c5cc2fda3ee314145344789b52e0c17eb8eac017f372f19eac45d83080a26745acb9bbbc4fec0fa9bea58b4c51e922a41587c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
783KB

MD5
aaac8b9094e988160fd1f38e021a659a

SHA1
e5ff80fb7c0e76640850f490b20f4ae2cb41cce6

SHA256
9690ef73e284ce47c62774a6e09cb571a1789699c5782152f82a67c98119058f

SHA512
57f9784d32b1b508f87b327120776373c3f863fa3dc4047332a104b30864d0d67191ad6275da766ffb9ef2bc35ac200604354017df9d0504692ca4f4d0920d0c

Download Submit
\??\c:\users\admin\appdata\local\temp\insidious (1)_protected.exe

Filesize
445KB

MD5
e9a383d69239d35f23d19f19fb797d1b

SHA1
1578731ec44b03f45883774730c637896203f4d0

SHA256
f5ba013e197a745eb56b04e0607cffe6c1003b49708f5ad1d5f705650d306597

SHA512
62c91f759c6116a3db55c347a3af83356e526e1c9ebfbbd76bd091d8448c24e522772c6c967a799ae3a2d97925968309c343d470b9755eaf65e621ce6e4212bb

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
411KB

MD5
a190507c89e21798e26c1559c7acd93f

SHA1
0403eb2b0bce1c304afc993e78fa1cedf745c515

SHA256
538914ceb34012db5ab9a03e3633d31d12a34d6ee5e0b96e1a9b6c1914ebe0ea

SHA512
374e1c1c41385166764d844c8444fd5ff13d81bb3ae50d8a51e8c67a081a8297d358da6b7c471edcd621d6ea673cbb0de44a32bb769b2ee08eb170ec510ddcfd

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
415KB

MD5
2b4baea2c079892886ed8d9e4ececfbd

SHA1
6e26537338dd066bc1ce721fbf6854cc937b1c9d

SHA256
ede9b2753d5b6f1d0287ce2b2beea27b312ccc6b8ddaf04cde0d0eec5771dbb6

SHA512
688f8c7cffdd6fa18b1a9b5f8cc13fdbb4ac67dbeb104000de06dad094a6669c2894b0a32d317ee2e8d9b62f38b6af0ab1b6ea5b92687bb628fa4224bf0a705f

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
1.2MB

MD5
7786d92296517e19d9ef43301d5e9683

SHA1
846dcd8fca2ee19c26b0b8b79b0f41c8982ce907

SHA256
8f727f5b33bac619cc7bbfe7ff24352319657cc603c687777b845babf018b932

SHA512
03dd20dd3def940ed6813405f986c172470a5c16cfc4163adfccb6ae3368e2ab4d042409d3b8e20abaa371838fae853a3ddf9f4e7b61d7167c06046a7381ce3a

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
547KB

MD5
14782ed87517285c4f64e68ba438c25e

SHA1
97a73404d9b3c9d25c613c834734b620f60b4ac3

SHA256
b7e6bde88283283eac1711beb25f1daedc4037995cfb8548018b69decc51f4eb

SHA512
648293d59b382887849e5101f251a175f735aa8ee70cec8690e29b003c6e8a24de5e18e706206323fedceb4996fe19e1fd6662016296f1229309376ffdde394d

Download Submit
memory/1648-15-0x00000000031C0000-0x000000000356C000-memory.dmp

Filesize
3.7MB

Download
memory/1648-16-0x00000000031C0000-0x000000000356C000-memory.dmp

Filesize
3.7MB

Download
memory/1648-6-0x00000000031B0000-0x000000000355C000-memory.dmp

Filesize
3.7MB

Download
memory/3048-19-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-20-0x00000000008E0000-0x0000000000C8C000-memory.dmp

Filesize
3.7MB

Download
memory/3048-21-0x0000000005950000-0x0000000005990000-memory.dmp

Filesize
256KB

Download
memory/3048-75-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-78-0x00000000008E0000-0x0000000000C8C000-memory.dmp

Filesize
3.7MB

Download
memory/3048-79-0x0000000073DB0000-0x000000007449E000-memory.dmp

Filesize
6.9MB

Download