44caliber | 9fa20d35011ed9990b8df980830bb843d262a305dac9e22c75780e8f76f58efe

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed29dcde8768f1e4c759486140c338cd.exe
Size

3.9MB
MD5

ed29dcde8768f1e4c759486140c338cd
SHA1

d721f6ca0615b83fb541fc7600c026ad0a8c1e1d
SHA256

9fa20d35011ed9990b8df980830bb843d262a305dac9e22c75780e8f76f58efe
SHA512

953675610a166f8dbb6423194aa205d75c43ae4ba312540d8ea25b9f48644f35026f62ed61b2660f9597e8f4bf8f2f0447b08b8686d2e52a1edc0326dfdd0bc1
SSDEEP

98304:JngRc3P5083Yf+hW1jfN2C0GnijlUME/w00xpw7V:met3+l9N2GQqME4jEV

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/854662966200762408/UEPTBr2Rw2bbBl8kdAtd687oxi7BxJ7RDU99BRreTgVoN7lgDrh84_ew6GVD5oxR2dPt

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 3 IoCs

Processes:

sddssd.exeCheat Fortnite.sfx.exeCheat Fortnite.exe

pid process

1668 sddssd.exe
2820 Cheat Fortnite.sfx.exe
1744 Cheat Fortnite.exe

pid	process
1668	sddssd.exe
2820	Cheat Fortnite.sfx.exe
1744	Cheat Fortnite.exe

Loads dropped DLL 10 IoCs

Processes:

ed29dcde8768f1e4c759486140c338cd.exesddssd.exeCheat Fortnite.sfx.exe

pid	process
1632	ed29dcde8768f1e4c759486140c338cd.exe
1632	ed29dcde8768f1e4c759486140c338cd.exe
1632	ed29dcde8768f1e4c759486140c338cd.exe
1668	sddssd.exe
1668	sddssd.exe
1668	sddssd.exe
2820	Cheat Fortnite.sfx.exe
2820	Cheat Fortnite.sfx.exe
2820	Cheat Fortnite.sfx.exe
2820	Cheat Fortnite.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

Cheat Fortnite.exe

pid process

1744 Cheat Fortnite.exe
1744 Cheat Fortnite.exe
1744 Cheat Fortnite.exe
1744 Cheat Fortnite.exe
1744 Cheat Fortnite.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	freegeoip.app
3	freegeoip.app

pid	process
1744	Cheat Fortnite.exe
1744	Cheat Fortnite.exe
1744	Cheat Fortnite.exe
1744	Cheat Fortnite.exe
1744	Cheat Fortnite.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cheat Fortnite.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Cheat Fortnite.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Cheat Fortnite.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Cheat Fortnite.exe

pid process

1744 Cheat Fortnite.exe
1744 Cheat Fortnite.exe
1744 Cheat Fortnite.exe
1744 Cheat Fortnite.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Cheat Fortnite.exe

description pid process

Token: SeDebugPrivilege 1744 Cheat Fortnite.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Cheat Fortnite.exe

pid process

1744 Cheat Fortnite.exe

pid	process
1744	Cheat Fortnite.exe
1744	Cheat Fortnite.exe
1744	Cheat Fortnite.exe
1744	Cheat Fortnite.exe

description	pid	process
Token: SeDebugPrivilege	1744	Cheat Fortnite.exe

pid	process
1744	Cheat Fortnite.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ed29dcde8768f1e4c759486140c338cd.exesddssd.exeCheat Fortnite.sfx.exe

description	pid	process	target process
PID 1632 wrote to memory of 1668	1632	ed29dcde8768f1e4c759486140c338cd.exe	sddssd.exe
PID 1632 wrote to memory of 1668	1632	ed29dcde8768f1e4c759486140c338cd.exe	sddssd.exe
PID 1632 wrote to memory of 1668	1632	ed29dcde8768f1e4c759486140c338cd.exe	sddssd.exe
PID 1632 wrote to memory of 1668	1632	ed29dcde8768f1e4c759486140c338cd.exe	sddssd.exe
PID 1668 wrote to memory of 2820	1668	sddssd.exe	Cheat Fortnite.sfx.exe
PID 1668 wrote to memory of 2820	1668	sddssd.exe	Cheat Fortnite.sfx.exe
PID 1668 wrote to memory of 2820	1668	sddssd.exe	Cheat Fortnite.sfx.exe
PID 1668 wrote to memory of 2820	1668	sddssd.exe	Cheat Fortnite.sfx.exe
PID 2820 wrote to memory of 1744	2820	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe
PID 2820 wrote to memory of 1744	2820	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe
PID 2820 wrote to memory of 1744	2820	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe
PID 2820 wrote to memory of 1744	2820	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe

C:\Users\Admin\AppData\Local\Temp\ed29dcde8768f1e4c759486140c338cd.exe
"C:\Users\Admin\AppData\Local\Temp\ed29dcde8768f1e4c759486140c338cd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\sddssd.exe
"C:\Users\Admin\AppData\Local\Temp\sddssd.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820

C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1744

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
Filesize
379KB

MD5
a8ec4d007b4311d93d39aee8fae207be

SHA1
85cedcab20ef5e3fbad0d63ac4bc140b983fb59f

SHA256
c7a25d99f03e95e7c98f916cbcb599b6062269089d62af0b6af59da69ce14f39

SHA512
370f2792fda124f08b3c61781496a4280dc96d6a33e7213ce436ffa00a8b9f519ad8b75dcc4807062f7cfa26ff1734a0bb6235619eb3bde084e92a95605d48fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
Filesize
218KB

MD5
7694cd824742ecd33f0fc955f69e7f1b

SHA1
37cb7f4f742b71bf25a908ed5664de10989c96b0

SHA256
cf2f96a83df14102f663d88fb08e1f1c4376578be2653dc8d962f3043906abd3

SHA512
138ee9d779c0c7aa6bcf9900d75eebe1aacec355f7d3ec0d5f2141aa840cd515c3df5224a8330299dc06b28450c9ceeee20eda88be50e6283d19698440b605e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
Filesize
20KB

MD5
b3fed9413c44d4c35d4953cc88b102f5

SHA1
58e320567eeee036ac59b67f2ea946c2eda2dbd7

SHA256
f8378298afb31eec6bd8fbe6a4c236fa5ae5f7755530108b7338bd12cbeecf32

SHA512
65d3792d59c7b926a4f6998731bd75b88aee631c0635fb573c12fd4c466ec840c3469c19267fd54fda799676eb162f3414030dcbdb8ef8d8bd19605d71544aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
Filesize
267KB

MD5
4c677801b48ecd80eeca601569a82c1b

SHA1
d74e09106e2433aad1e78621b800a56f6ca77f5f

SHA256
423486f3f9a8dfd71e21342afce748ddf93cca700b87591dd85872a9b66f86b1

SHA512
24390ec9ad4c45605b760bf1c79d26930099510853744a725a372a75b5606af15c33649ce1b7889de5e519e1d4c7b5aa21735089c40ec792396a6f8f134fb1c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe
Filesize
102KB

MD5
23d122ce93bd77c91f4078a7e42fbe7a

SHA1
d9a41556b3d49e150871ac9a03b80af870687311

SHA256
7b1450522f2fe3add8ec0df4572e2af6e6833e11884fc8a6d753c4d09bdf94a2

SHA512
a927936223a495dc71cee1d1aff94af1aec46c444d2f0ba51de964db4f707b8b5c4603cdf1f10b059d61d26f54145b327837485165eb4248adcb291d2d808d96

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe
Filesize
109KB

MD5
ffd58cd34e8984b781a9131cb01742d6

SHA1
0e0419d57485b580bf4352467e965dd5a35aa665

SHA256
8737f93a8308a863c612a7570de22fff9033046bbb6e61227c10ee4bed4d85f5

SHA512
edf4037d5c946d4637a1ebc53dd06c582a95e6fdb8875c728c9401b5054e59fe9dd251142b1880ef836ac4a7e863a6c3877ae53c9b926ffdd8dd850533d8813b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe
Filesize
120KB

MD5
46c7997aa1db3615b8a0158951f3a6a7

SHA1
31724e4bb86a3744b2bf353c8b8451bbc0745bda

SHA256
2a8bbd883b78b0286c6368a2d5608d92ba12f60791242382749619cab56428a8

SHA512
ddd64e92572302695bb51665a623a360a77d66eb91be82a563157d524cc23a112e0b9581378fb409a61cd55783ca15d609bee2d598770d6171ccd7df77c6c08a

Download Submit
\??\c:\users\admin\appdata\local\temp\cheat fortnite.exe
Filesize
243KB

MD5
4186fcebd3d85192d797e4cd8bdb4553

SHA1
04faf3e49cbb105bec1e1b5e4f4068a8aebde003

SHA256
4580c5e305bb3767a4ca179954dc795e5603d5f006f21d31223399dabfb116a7

SHA512
f6751f78d82fc87ed2c15c9b3ea2ac07ff351ff501a7cf75f89fdbfc7dfb5668447c564908af8e403212945e720c9157606cab8d3fe36c378960fd83ed1e9770

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
Filesize
318KB

MD5
3c95e0fa93de89bf79bb7efea5f89835

SHA1
b7aed50441bd76dafed178d2448b8f0829602dd9

SHA256
7e260f615414f00d125f8c688c54afc17d0d7ab50fb64233d0524d4806527c5a

SHA512
3c953a34974bb1893907355305a6f11b2006f7b6680aa8d3ab80ad6ae94be7cdddd468a4951aec95d96a701815d2a61b86113b3378bcb209cac387059791d887

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
Filesize
402KB

MD5
662a3b9f31b33d10fa42829d487163f6

SHA1
66c3fc2a9717afebb591e011c0048a347c667ded

SHA256
bdb383c120393e65c90f74c4bc51a1d67c31b9f9851d550ef0123870c98f8bb3

SHA512
902763466a62171d717907c580cb33265d6bc92526f269e322a0f99312cd6f6b9eb31a5f518c1287bfe7b7617ccd28ecd7b84cf87a6a3843ee8e70dbdfaf71b7

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
Filesize
371KB

MD5
1d8a603f5c6ea4f09307ef6f7733e11b

SHA1
b611c79b10fc4a6cc6b2897d863eb3e68a107e6a

SHA256
b4a0e49d8fca12850f5069ccfdb52eda26134761272886a32d6f21494fd33d08

SHA512
4e02b1434fabe8b1c4cd582029e9a16af4d2f5bca84c8b2f5f4f3a27b71236e0ee741c76684747e94390e816443ef18326afe628fd24980dc57d0e2076da741d

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
Filesize
307KB

MD5
17f1be089ed4252e0beac456ba499735

SHA1
03d314a25c6f93b2b5545c842ad5603e25588178

SHA256
9580a1035cf0a9a5417006a26cd36a2e2bf58ec83f6c083aa93c566e47d86042

SHA512
407f6013f6cc1efc13bb9eecbc7918e381ea7d5d9f3670c3be8ec5acc795aa6f9849c927c4a7d6a082df20c86893afce42914324994674e7aaee5e75eb9df686

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
Filesize
365KB

MD5
c06dadf0867abfb58a1b853040292d4b

SHA1
15deb471e85e2a244b4707985d31fc6128dc90df

SHA256
3d98bead43b3e83e5ca5332a4df62940ba1f8933e58d28ace04b187afafe4a41

SHA512
755f3f31f0292b8d5b4cbaefaf71355b24e76c74faa445073400ae82bca001ab52ecc3ed3fbd0625879d2ce7f9f457c2ba77417a00e415327ca62d8df581d3a7

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
Filesize
39KB

MD5
bf5ac6ea18ed9337d78ef94ba6180e9d

SHA1
48b7004a0cb9cd6ae198f6bb3338686c53931986

SHA256
828a67a250d466089b3823696c7a7fbb08585eda05dd093c28d148d621723335

SHA512
95bfd1a05fc576fd6d64116380565bc86d957c203935f8148d3b155f7fd2151b30615d58254678e47b0dac16f01235624da6282a879d48dd423f98a34ee014bf

Download Submit
\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
Filesize
416KB

MD5
f10e6cd6928332aa87ec9d2a1c5fab88

SHA1
2a668481612ee6b62a68703e9124aeb06f400b22

SHA256
27edc06fa08f968aa1cb478535ec485b1f701a2d6be178df1aae1ad477aef352

SHA512
3e1dbd3c95fe6a57b3c48418cbe969b08e0aa3ec85103c07b087953fc13d9d5bd23da2a7d12c29083a7c2e11db8d07916e5d54bb58775d7798a9fe0a50ba4294

Download Submit
\Users\Admin\AppData\Local\Temp\sddssd.exe
Filesize
119KB

MD5
867bb47166ed9d7524feca124474d897

SHA1
de7a729158df4ed14bc05bf4b0b0d974a3f2d35e

SHA256
4bdbde79a37ebcfb1acebff23a51521bf42234e5e7ebb74298d51922a3699d24

SHA512
28d3dcc2de77ceb9278e9e2320ab293670dc7a703c398186317e39bde3a41a9075407f1362ed5f6e6490adc0900b500fce7ea29c92a17ccb93dad5db9f4cd080

Download Submit
\Users\Admin\AppData\Local\Temp\sddssd.exe
Filesize
143KB

MD5
fb2e0558ee628a8e272c4f6d70ca2328

SHA1
d67eef4dbe68ef71859bc351b8353ab36f2e42fb

SHA256
4f83a61fa90a36e76d789753217b9b35eb1a292ee61c668b7ae497a4658735a1

SHA512
20fc1b0fe2e91512ebce03ad296f7359d96b62af144d85178bd9f7c969d1f52411b5b3982710766f5302a6de9669f660b37c4b9c89170cb4a7a6974f0597e9dc

Download Submit
\Users\Admin\AppData\Local\Temp\sddssd.exe
Filesize
216KB

MD5
6d3460a33bead42443238f22e2436132

SHA1
37e6e4f55fd12f7ca19166c7441af231d52bdfa9

SHA256
37f974ca60dd382cf8609ca84d4fb56f13a2349f78a4bc726f35e008da6a0f26

SHA512
f6355f43ea993958907dd2ae04a10cabc7d04f2daeb8d3e5fcff8879d1605059427f4adcafeb8b61d0851e708e33b9d4e7cac55de327da1003c4c4d190599439

Download Submit
memory/1744-67-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-51-0x0000000000060000-0x000000000040C000-memory.dmp

Filesize
3.7MB

Download
memory/1744-50-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-52-0x0000000005650000-0x0000000005690000-memory.dmp

Filesize
256KB

Download
memory/1744-68-0x0000000005650000-0x0000000005690000-memory.dmp

Filesize
256KB

Download
memory/1744-109-0x0000000000060000-0x000000000040C000-memory.dmp

Filesize
3.7MB

Download
memory/1744-110-0x0000000074990000-0x000000007507E000-memory.dmp

Filesize
6.9MB

Download
memory/2820-48-0x0000000003940000-0x0000000003CEC000-memory.dmp

Filesize
3.7MB

Download
memory/2820-46-0x0000000003940000-0x0000000003CEC000-memory.dmp

Filesize
3.7MB

Download