44caliber | 1041b6275ef7bc5b1729fa2b415ccf0e30a83ec298e02a9ec6b85c7fa0ac3418

General

Target

206db0f20482b4ffcf4bf7a72b743a48.exe
Size

1.5MB
MD5

206db0f20482b4ffcf4bf7a72b743a48
SHA1

5952e991897ad99f773b7bf9d8835f7dbc7f274a
SHA256

1041b6275ef7bc5b1729fa2b415ccf0e30a83ec298e02a9ec6b85c7fa0ac3418
SHA512

25df102ec9bdcf038003ae357bef77f06adc07182ebd72bdea25e2f10da4090c48b7347d1e424d5552ad0ccba3df400a6bf6b58d9b0dbc3acadd96eb966eec69
SSDEEP

24576:ATQuKl+Mw5dImXOEULqpKOKH07zIthhfPuD3J2Od4I0WpWeGdjeIPf6+kItzfdhZ:Yt5WjEULmzc3uD3JTd4k5YjeI364xVhZ

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/878380228894937168/1FKbQhM8XJ4ozljtwifZ-1m-XeYw5uknMJLH4X2t0Qxup8aulmWIgdRLa1z0jAtb9Z9u

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	206db0f20482b4ffcf4bf7a72b743a48.exe

Executes dropped EXE 1 IoCs

pid	Process
2828	Insidious (1)_protected.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	freegeoip.app
29	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
2828	Insidious (1)_protected.exe
2828	Insidious (1)_protected.exe
2828	Insidious (1)_protected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious (1)_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious (1)_protected.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2828	Insidious (1)_protected.exe
2828	Insidious (1)_protected.exe
2828	Insidious (1)_protected.exe
2828	Insidious (1)_protected.exe
2828	Insidious (1)_protected.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	Insidious (1)_protected.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2828	Insidious (1)_protected.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 2828	3172	206db0f20482b4ffcf4bf7a72b743a48.exe	61
PID 3172 wrote to memory of 2828	3172	206db0f20482b4ffcf4bf7a72b743a48.exe	61
PID 3172 wrote to memory of 2828	3172	206db0f20482b4ffcf4bf7a72b743a48.exe	61

C:\Users\Admin\AppData\Local\Temp\206db0f20482b4ffcf4bf7a72b743a48.exe
"C:\Users\Admin\AppData\Local\Temp\206db0f20482b4ffcf4bf7a72b743a48.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
1cfbaa3455fa8d81f0ae2910b1953547

SHA1
3502df3199fe7d2f73fa157f3e572af7d5c96b8a

SHA256
9bc56c711093d7cc3809bfafb930f776a25773d40a9f20ebe7a824e029fc2eeb

SHA512
9c144a1463ffeedd826c6a90eda1716425b59fa69591b42f4e8d1c841365109d785a178ab9a6b69a03f29a892dde74c651b5862985bfdb8a177aa825ff3eda5e

Download Submit
C:\ProgramData\44\Process.txt

Filesize
741B

MD5
25b439bce4c8d6076c60ca7d7019a964

SHA1
3c25cb90ad45ebb602af651d2678aa036de699c7

SHA256
5a70e4556761f4a9783c3cbb731bc09ab2a8a67452daacf862823762b958de8f

SHA512
3df0fff0c3078164b993aa467233b8739270e3c5261afbdf7a3abaa78875e3e7c4bb08f910b04c9ba2cda5cbcbbcde28f107416d16c41f98354c9a5a50bbc53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
34KB

MD5
b60c19976c48945718d64b635d2f56c6

SHA1
85d78cc06dab35658d2c39e9486ef16a696e2625

SHA256
569c5702995baece34ab6c28ef4e95974c883422e3bcae35accbe708ecb7600a

SHA512
85261d69a61efc89114a618562e0b3468815b0b8734ac8cf0c8d9f49334c7eff25e0bc6015a93fd249a8e1f7d8751c25b5300ac6b744d39f22c476b4a7ef48b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
57KB

MD5
3ae27ed4ce9d7b26869233290aedcd4a

SHA1
a1d3bcd1eea79b768a198c33113c6662dbc6d0a6

SHA256
22d7f7cca963db7b119e81248b7de4599a605d664491d5fbd13891a2e31ac075

SHA512
2c3b3ced3e8020a0a43393a4fe31be5127528f8f8154acd14c17add11abb869da66c6736a06002914a1ae1e2897f2375956e27ba3d1dafe3ea7e81d2bad87e76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious (1)_protected.exe

Filesize
56KB

MD5
eddeb7f84cf053dd400bba0dd871b99c

SHA1
db7e25d6f1128376754147a0654bd0f279d63f97

SHA256
b25cf4200bb6fc276b8b9be5967eabdfe181fff3a57cb1f380ac2d7e9fbd4e0a

SHA512
3133c81d16a42d98ad6bc54d790153847a4521d999abd3c408933219c50edb868d3a4a08587078a7fda9448e0013a52f6076379d21c6ff62d6aa430e47f73a76

Download Submit
memory/2828-15-0x0000000005AD0000-0x0000000005AE0000-memory.dmp

Filesize
64KB

Download
memory/2828-18-0x00000000064E0000-0x0000000006572000-memory.dmp

Filesize
584KB

Download
memory/2828-14-0x0000000074350000-0x0000000074B00000-memory.dmp

Filesize
7.7MB

Download
memory/2828-52-0x0000000006EF0000-0x0000000007494000-memory.dmp

Filesize
5.6MB

Download
memory/2828-13-0x00000000000E0000-0x000000000048C000-memory.dmp

Filesize
3.7MB

Download
memory/2828-12-0x00000000000E0000-0x000000000048C000-memory.dmp

Filesize
3.7MB

Download
memory/2828-149-0x0000000006DC0000-0x0000000006E26000-memory.dmp

Filesize
408KB

Download
memory/2828-153-0x00000000000E0000-0x000000000048C000-memory.dmp

Filesize
3.7MB

Download
memory/2828-154-0x0000000074350000-0x0000000074B00000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads