44caliber | 1041b6275ef7bc5b1729fa2b415ccf0e30a83ec298e02a9ec6b85c7fa0ac3418

General

Target

206db0f20482b4ffcf4bf7a72b743a48.exe
Size

1.5MB
MD5

206db0f20482b4ffcf4bf7a72b743a48
SHA1

5952e991897ad99f773b7bf9d8835f7dbc7f274a
SHA256

1041b6275ef7bc5b1729fa2b415ccf0e30a83ec298e02a9ec6b85c7fa0ac3418
SHA512

25df102ec9bdcf038003ae357bef77f06adc07182ebd72bdea25e2f10da4090c48b7347d1e424d5552ad0ccba3df400a6bf6b58d9b0dbc3acadd96eb966eec69
SSDEEP

24576:ATQuKl+Mw5dImXOEULqpKOKH07zIthhfPuD3J2Od4I0WpWeGdjeIPf6+kItzfdhZ:Yt5WjEULmzc3uD3JTd4k5YjeI364xVhZ

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/878380228894937168/1FKbQhM8XJ4ozljtwifZ-1m-XeYw5uknMJLH4X2t0Qxup8aulmWIgdRLa1z0jAtb9Z9u

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

206db0f20482b4ffcf4bf7a72b743a48.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	206db0f20482b4ffcf4bf7a72b743a48.exe

Executes dropped EXE 1 IoCs

Processes:

Insidious (1)_protected.exe

pid process

2828 Insidious (1)_protected.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 freegeoip.app
29 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Insidious (1)_protected.exe

pid process

2828 Insidious (1)_protected.exe
2828 Insidious (1)_protected.exe
2828 Insidious (1)_protected.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
12	freegeoip.app
29	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious (1)_protected.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious (1)_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious (1)_protected.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Insidious (1)_protected.exe

pid	process
2828	Insidious (1)_protected.exe
2828	Insidious (1)_protected.exe
2828	Insidious (1)_protected.exe
2828	Insidious (1)_protected.exe
2828	Insidious (1)_protected.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious (1)_protected.exe

description pid process

Token: SeDebugPrivilege 2828 Insidious (1)_protected.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Insidious (1)_protected.exe

pid process

2828 Insidious (1)_protected.exe

description	pid	process
Token: SeDebugPrivilege	2828	Insidious (1)_protected.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

206db0f20482b4ffcf4bf7a72b743a48.exe

description	pid	process	target process
PID 3172 wrote to memory of 2828	3172	206db0f20482b4ffcf4bf7a72b743a48.exe	Insidious (1)_protected.exe
PID 3172 wrote to memory of 2828	3172	206db0f20482b4ffcf4bf7a72b743a48.exe	Insidious (1)_protected.exe
PID 3172 wrote to memory of 2828	3172	206db0f20482b4ffcf4bf7a72b743a48.exe	Insidious (1)_protected.exe

C:\Users\Admin\AppData\Local\Temp\206db0f20482b4ffcf4bf7a72b743a48.exe
"C:\Users\Admin\AppData\Local\Temp\206db0f20482b4ffcf4bf7a72b743a48.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3172

C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
1cfbaa3455fa8d81f0ae2910b1953547

SHA1
3502df3199fe7d2f73fa157f3e572af7d5c96b8a

SHA256
9bc56c711093d7cc3809bfafb930f776a25773d40a9f20ebe7a824e029fc2eeb

SHA512
9c144a1463ffeedd826c6a90eda1716425b59fa69591b42f4e8d1c841365109d785a178ab9a6b69a03f29a892dde74c651b5862985bfdb8a177aa825ff3eda5e

Download Submit
C:\ProgramData\44\Process.txt

Filesize
741B

MD5
25b439bce4c8d6076c60ca7d7019a964

SHA1
3c25cb90ad45ebb602af651d2678aa036de699c7

SHA256
5a70e4556761f4a9783c3cbb731bc09ab2a8a67452daacf862823762b958de8f

SHA512
3df0fff0c3078164b993aa467233b8739270e3c5261afbdf7a3abaa78875e3e7c4bb08f910b04c9ba2cda5cbcbbcde28f107416d16c41f98354c9a5a50bbc53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
34KB

MD5
b60c19976c48945718d64b635d2f56c6

SHA1
85d78cc06dab35658d2c39e9486ef16a696e2625

SHA256
569c5702995baece34ab6c28ef4e95974c883422e3bcae35accbe708ecb7600a

SHA512
85261d69a61efc89114a618562e0b3468815b0b8734ac8cf0c8d9f49334c7eff25e0bc6015a93fd249a8e1f7d8751c25b5300ac6b744d39f22c476b4a7ef48b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
57KB

MD5
3ae27ed4ce9d7b26869233290aedcd4a

SHA1
a1d3bcd1eea79b768a198c33113c6662dbc6d0a6

SHA256
22d7f7cca963db7b119e81248b7de4599a605d664491d5fbd13891a2e31ac075

SHA512
2c3b3ced3e8020a0a43393a4fe31be5127528f8f8154acd14c17add11abb869da66c6736a06002914a1ae1e2897f2375956e27ba3d1dafe3ea7e81d2bad87e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
56KB

MD5
eddeb7f84cf053dd400bba0dd871b99c

SHA1
db7e25d6f1128376754147a0654bd0f279d63f97

SHA256
b25cf4200bb6fc276b8b9be5967eabdfe181fff3a57cb1f380ac2d7e9fbd4e0a

SHA512
3133c81d16a42d98ad6bc54d790153847a4521d999abd3c408933219c50edb868d3a4a08587078a7fda9448e0013a52f6076379d21c6ff62d6aa430e47f73a76

Download Submit
memory/2828-15-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/2828-18-0x00000000064E0000-0x0000000006572000-memory.dmp

Filesize
584KB

Download
memory/2828-14-0x0000000074350000-0x0000000074B00000-memory.dmp

Filesize
7.7MB

Download
memory/2828-52-0x0000000006EF0000-0x0000000007494000-memory.dmp

Filesize
5.6MB

Download
memory/2828-13-0x00000000000E0000-0x000000000048C000-memory.dmp

Filesize
3.7MB

Download
memory/2828-12-0x00000000000E0000-0x000000000048C000-memory.dmp

Filesize
3.7MB

Download
memory/2828-149-0x0000000006DC0000-0x0000000006E26000-memory.dmp

Filesize
408KB

Download
memory/2828-153-0x00000000000E0000-0x000000000048C000-memory.dmp

Filesize
3.7MB

Download
memory/2828-154-0x0000000074350000-0x0000000074B00000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads