44caliber | 9fa20d35011ed9990b8df980830bb843d262a305dac9e22c75780e8f76f58efe

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2024 18:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed29dcde8768f1e4c759486140c338cd.exe
Size

3.9MB
MD5

ed29dcde8768f1e4c759486140c338cd
SHA1

d721f6ca0615b83fb541fc7600c026ad0a8c1e1d
SHA256

9fa20d35011ed9990b8df980830bb843d262a305dac9e22c75780e8f76f58efe
SHA512

953675610a166f8dbb6423194aa205d75c43ae4ba312540d8ea25b9f48644f35026f62ed61b2660f9597e8f4bf8f2f0447b08b8686d2e52a1edc0326dfdd0bc1
SSDEEP

98304:JngRc3P5083Yf+hW1jfN2C0GnijlUME/w00xpw7V:met3+l9N2GQqME4jEV

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/854662966200762408/UEPTBr2Rw2bbBl8kdAtd687oxi7BxJ7RDU99BRreTgVoN7lgDrh84_ew6GVD5oxR2dPt

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ed29dcde8768f1e4c759486140c338cd.exesddssd.exeCheat Fortnite.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	ed29dcde8768f1e4c759486140c338cd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	sddssd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	Cheat Fortnite.sfx.exe

Executes dropped EXE 3 IoCs

Processes:

sddssd.exeCheat Fortnite.sfx.exeCheat Fortnite.exe

pid process

4724 sddssd.exe
2728 Cheat Fortnite.sfx.exe
1556 Cheat Fortnite.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 freegeoip.app
13 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

Cheat Fortnite.exe

pid process

1556 Cheat Fortnite.exe
1556 Cheat Fortnite.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4724	sddssd.exe
2728	Cheat Fortnite.sfx.exe
1556	Cheat Fortnite.exe

flow	ioc
8	freegeoip.app
13	freegeoip.app

pid	process
1556	Cheat Fortnite.exe
1556	Cheat Fortnite.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cheat Fortnite.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Cheat Fortnite.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Cheat Fortnite.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Cheat Fortnite.exe

pid process

1556 Cheat Fortnite.exe
1556 Cheat Fortnite.exe
1556 Cheat Fortnite.exe
1556 Cheat Fortnite.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Cheat Fortnite.exe

description pid process

Token: SeDebugPrivilege 1556 Cheat Fortnite.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Cheat Fortnite.exe

pid process

1556 Cheat Fortnite.exe

pid	process
1556	Cheat Fortnite.exe
1556	Cheat Fortnite.exe
1556	Cheat Fortnite.exe
1556	Cheat Fortnite.exe

description	pid	process
Token: SeDebugPrivilege	1556	Cheat Fortnite.exe

pid	process
1556	Cheat Fortnite.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ed29dcde8768f1e4c759486140c338cd.exesddssd.exeCheat Fortnite.sfx.exe

description	pid	process	target process
PID 4068 wrote to memory of 4724	4068	ed29dcde8768f1e4c759486140c338cd.exe	sddssd.exe
PID 4068 wrote to memory of 4724	4068	ed29dcde8768f1e4c759486140c338cd.exe	sddssd.exe
PID 4068 wrote to memory of 4724	4068	ed29dcde8768f1e4c759486140c338cd.exe	sddssd.exe
PID 4724 wrote to memory of 2728	4724	sddssd.exe	Cheat Fortnite.sfx.exe
PID 4724 wrote to memory of 2728	4724	sddssd.exe	Cheat Fortnite.sfx.exe
PID 4724 wrote to memory of 2728	4724	sddssd.exe	Cheat Fortnite.sfx.exe
PID 2728 wrote to memory of 1556	2728	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe
PID 2728 wrote to memory of 1556	2728	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe
PID 2728 wrote to memory of 1556	2728	Cheat Fortnite.sfx.exe	Cheat Fortnite.exe

C:\Users\Admin\AppData\Local\Temp\ed29dcde8768f1e4c759486140c338cd.exe
"C:\Users\Admin\AppData\Local\Temp\ed29dcde8768f1e4c759486140c338cd.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Local\Temp\sddssd.exe
"C:\Users\Admin\AppData\Local\Temp\sddssd.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
696B

MD5
8121e1363413e3e7aab8a9032b03c44b

SHA1
1358bd59aba4a370dfbeff9e122c7882756df7f7

SHA256
cb546c4f951a525a8021ff1feca46be2dcfebc1f70d30198eb9129a0dd464fd3

SHA512
4d607b2470cde5ba9681bfa092190a20cbcc27a11966f5851e72bd5de03a33e6b53ab7ba116637e3e8f19505b7c2f3a591c4b56fca2c03c163de382be1f8ffc7

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
a89ffea52da1e5934293a90060180926

SHA1
7483d28e0c1cb58166d1daf8b8f4c54bea5df181

SHA256
ef555ff834d320cec42b56bfd79fe458b36d07ee539c1577f174045c733f0c5f

SHA512
525076382e98591bfeaf902f9fe7dc00c78334d39f8437ae44b33e57e718f8c7b8276367c3e78f616188a2f7becdf5d26d75221e79e841b62b37578901d1ead5

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
fb5ccb7dbac616dd416acd15ecf0656c

SHA1
3d2128f0a6ee160e422a090319847e8e247df3cb

SHA256
d816d684ddf6323702bbb9a9453631fde6e54b86582dc7b4b421dd81383d0fdc

SHA512
c67481b6f5550d217c02ffae36908d4c0e3a9a5522b5102d83763608d5d3c75be05c323244b912e276f3f8b4e3257b0734e0ff5a0c4b4ed79c7c2e1e4ae3d516

Download Submit
C:\ProgramData\44\Process.txt

Filesize
284B

MD5
fdc863905344de1bec1367661e7d3dbd

SHA1
5020293af86b98913e0dd8b21699e90927a3e4ee

SHA256
249266505392d2ac7b96f71f24441fc313110768e39ed05e4fc15f352300b6eb

SHA512
d34c27dc2877a1db553646a2daae5d82c0b3d26b7121e6a49e58e3d542a5aa563ea958f8daa713b94aaa3370df146a941ecc22b3270d92f1b7493e78a35c8af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe

Filesize
44KB

MD5
86db348ab75f6aaa4ac8af40452c9d7a

SHA1
977244bb54ae140d58b3be4dc1d7eb365efcf934

SHA256
f0bf9e42c820c9c78c1a65417da6aede6c14b9367d84c111df24cd7f9452b0eb

SHA512
aab842c986db786e2df96be46ea44ceff49f69cc501ba38df052d95f28eba11e77a113276670bf1de61560d8b6b1b9bee9a105a2394e1ee6d0f2c52254ad7ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe

Filesize
4KB

MD5
09e959cba8344a8d14f7fa1dc22bb25c

SHA1
fb1e9707147b36549d1d41cc62cf29ae95c16b26

SHA256
af3e381378ee3363ecdb2aac3c3c9831ad87305a8de09b21508cc4bef6f42567

SHA512
cd409877c5e82b206d77147863cee06149df8e5decff4a3434f8c8585ffe3c80943820cb243a7c3c369caf5be3ae74be218f8eba44f250d98e78ae32583c5335

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.exe

Filesize
85KB

MD5
358296ed813aa26c0e04d8d006d3a87c

SHA1
7071e04116ae17b9bcf8dd96455dc90e5cc39b94

SHA256
5d8638350e49626d0fde28f43fa88391ee598cea18efb088ec1a8fc126c1e316

SHA512
c5e2800876f530f2128be950ac6d3c287346837e4b6c4e994535d0724fd9dfc6820a14fe367208e0b43487f5efe1f5b0ff5380a49b39250bf4e3e4b8c3fde203

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe

Filesize
49KB

MD5
4c4a4bbef6276251e625398393c2b546

SHA1
6ed87c566ef97efc96e91cbdc5b964deca103033

SHA256
2234954f217132d20ef90e6a86ff3e0bda27c7226e0c599d667d2be89526863f

SHA512
b5b8a04b1fa3a2e3a39774113c2d0d13b4b3948a221c9576d840b50821314630a2219def6eb4f91e32a1349ab67fe34af2d1b6d740c66db908b9411803b4e089

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat Fortnite.sfx.exe

Filesize
5KB

MD5
9f82bd07d0d2291ca5e6a216d80071af

SHA1
d0b103e3caa610d6ed4de79299ea4a7af4163172

SHA256
9a7c940ed689a515d19e6ee1af9bd5c733c799d1feafbea7581d25c06ef22ede

SHA512
d2da6aa64a2a7c1c8d02e7cbe1528397a6d8887c3ee0d22084c2bca7555912a87be562022db10f6bebcd8638904a1077518d18ba9e9c5deba0179b58fa3a6ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe

Filesize
1.2MB

MD5
5ab7b929f1ca94a68c099368b9ad8280

SHA1
9e79042b652ae58465c151255cacc10b7e2aa3b4

SHA256
64b0cbd5e0eaaa53cb81aa0b1667643107b666080b3d49e36c9794d3d206d1fd

SHA512
8a0997227c12bf20e9ae86d4c27a95d69a24afa04ec9ed2b006ec41084e2d98638387f53fa4ec4cb4ec96e09a0b017bc82e2094834f4568a465085c84f3dc11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe

Filesize
1.4MB

MD5
0512f31f574beee5d7332eaa30f21186

SHA1
0b6672db1a40e4c0446e2d9d905fd5adc251101e

SHA256
5eda0e4513a0f33883389ce2265d2704a9b758b1ba6fb5f003241eb77429aed0

SHA512
ef3e9b5cfc38b1b7f7d1db0267de5401fd1d31062f189dc876bc8f1aa72abac08db6712b79146ee33b8f8713e8e6f99b0a8becc534a199b86f8f80a1f45a0c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sddssd.exe

Filesize
1.4MB

MD5
921575c538996322898870ef862ea5ca

SHA1
c4e632c8c400ba8682785342ad3756014cd32e8d

SHA256
bb15bc27f74157f61d3748aa014acd3c8544e77d112629817807cd258092a874

SHA512
cb339c118674d06040d9424623b9e7351f97028cde1df838bc2e4de84553c7dca69d03722ccc3243744387e34a2ecfce46797d98d06e54ca2d59f4f3b334b5ff

Download Submit
memory/1556-36-0x00000000008D0000-0x0000000000C7C000-memory.dmp

Filesize
3.7MB

Download
memory/1556-42-0x0000000006950000-0x00000000069E2000-memory.dmp

Filesize
584KB

Download
memory/1556-73-0x00000000073A0000-0x0000000007944000-memory.dmp

Filesize
5.6MB

Download
memory/1556-167-0x0000000007250000-0x00000000072B6000-memory.dmp

Filesize
408KB

Download
memory/1556-35-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/1556-38-0x00000000032F0000-0x0000000003300000-memory.dmp

Filesize
64KB

Download
memory/1556-37-0x00000000008D0000-0x0000000000C7C000-memory.dmp

Filesize
3.7MB

Download
memory/1556-34-0x00000000008D0000-0x0000000000C7C000-memory.dmp

Filesize
3.7MB

Download
memory/1556-171-0x00000000008D0000-0x0000000000C7C000-memory.dmp

Filesize
3.7MB

Download
memory/1556-172-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download