44caliber | 927bd6cdc3db441da001022f2e9a4091027f857ca6b7787a2acf87766cc8d9a3

Analysis

max time kernel
155s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

548a6a63ed47c3ffec35a49139a71537.exe
Size

13.1MB
MD5

548a6a63ed47c3ffec35a49139a71537
SHA1

efd633af58692e7189a6c3c63317c310884841c9
SHA256

927bd6cdc3db441da001022f2e9a4091027f857ca6b7787a2acf87766cc8d9a3
SHA512

a6097350d0f3df88c553e0a8b498162515754ab29e92cb3ca2b2299f62b2c5dde6c5310d7d3aef1225376fc08db8bfb6fc24600bffb39859fc872d8df25c8965
SSDEEP

393216:pcChW/Sh1Y8pgQBL1jpQIcaMzWz8yNb3:aV/Sh18adMzWIyh3

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/873463242905755648/toN0X9zZYgcbFlkZ7jCqLk4I_sGhgsbHl5HJ9jgcfMn_Sw0HRHJneP9bBZz01msNSKLJ

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

548a6a63ed47c3ffec35a49139a71537.exeMultiHack.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	548a6a63ed47c3ffec35a49139a71537.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	MultiHack.exe

Executes dropped EXE 3 IoCs

Processes:

autoit.exeMultiHack.exeMultiHack v2.exe

pid process

4036 autoit.exe
1160 MultiHack.exe
3044 MultiHack v2.exe
Loads dropped DLL 5 IoCs

Processes:

autoit.exe

pid process

4036 autoit.exe
4036 autoit.exe
4036 autoit.exe
4036 autoit.exe
4036 autoit.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

56 freegeoip.app
57 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

MultiHack v2.exe

pid process

3044 MultiHack v2.exe
3044 MultiHack v2.exe
3044 MultiHack v2.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4036	autoit.exe
1160	MultiHack.exe
3044	MultiHack v2.exe

pid	process
4036	autoit.exe
4036	autoit.exe
4036	autoit.exe
4036	autoit.exe
4036	autoit.exe

flow	ioc
56	freegeoip.app
57	freegeoip.app

pid	process
3044	MultiHack v2.exe
3044	MultiHack v2.exe
3044	MultiHack v2.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\autoit.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\autoit.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MultiHack v2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	MultiHack v2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	MultiHack v2.exe

Modifies registry class 1 IoCs

Processes:

548a6a63ed47c3ffec35a49139a71537.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	548a6a63ed47c3ffec35a49139a71537.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

548a6a63ed47c3ffec35a49139a71537.exeMultiHack v2.exe

pid	process
1680	548a6a63ed47c3ffec35a49139a71537.exe
1680	548a6a63ed47c3ffec35a49139a71537.exe
1680	548a6a63ed47c3ffec35a49139a71537.exe
3044	MultiHack v2.exe
3044	MultiHack v2.exe
3044	MultiHack v2.exe
3044	MultiHack v2.exe
3044	MultiHack v2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

548a6a63ed47c3ffec35a49139a71537.exeMultiHack v2.exe

description pid process

Token: SeDebugPrivilege 1680 548a6a63ed47c3ffec35a49139a71537.exe
Token: SeDebugPrivilege 3044 MultiHack v2.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MultiHack v2.exe

pid process

3044 MultiHack v2.exe

description	pid	process
Token: SeDebugPrivilege	1680	548a6a63ed47c3ffec35a49139a71537.exe
Token: SeDebugPrivilege	3044	MultiHack v2.exe

pid	process
3044	MultiHack v2.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

548a6a63ed47c3ffec35a49139a71537.exeMultiHack.exe

description	pid	process	target process
PID 1680 wrote to memory of 4036	1680	548a6a63ed47c3ffec35a49139a71537.exe	autoit.exe
PID 1680 wrote to memory of 4036	1680	548a6a63ed47c3ffec35a49139a71537.exe	autoit.exe
PID 1680 wrote to memory of 4036	1680	548a6a63ed47c3ffec35a49139a71537.exe	autoit.exe
PID 1680 wrote to memory of 1160	1680	548a6a63ed47c3ffec35a49139a71537.exe	MultiHack.exe
PID 1680 wrote to memory of 1160	1680	548a6a63ed47c3ffec35a49139a71537.exe	MultiHack.exe
PID 1680 wrote to memory of 1160	1680	548a6a63ed47c3ffec35a49139a71537.exe	MultiHack.exe
PID 1160 wrote to memory of 3044	1160	MultiHack.exe	MultiHack v2.exe
PID 1160 wrote to memory of 3044	1160	MultiHack.exe	MultiHack v2.exe
PID 1160 wrote to memory of 3044	1160	MultiHack.exe	MultiHack v2.exe

C:\Users\Admin\AppData\Local\Temp\548a6a63ed47c3ffec35a49139a71537.exe
"C:\Users\Admin\AppData\Local\Temp\548a6a63ed47c3ffec35a49139a71537.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Users\Admin\AppData\Local\Temp\autoit.exe
"C:\Users\Admin\AppData\Local\Temp\autoit.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4036

C:\Users\Admin\AppData\Local\Temp\MultiHack.exe
"C:\Users\Admin\AppData\Local\Temp\MultiHack.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1160

C:\Users\Admin\AppData\Local\Temp\MultiHack v2.exe
"C:\Users\Admin\AppData\Local\Temp\MultiHack v2.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
1f6906436536060571ddfea6cb0b5e18

SHA1
5e8862545eaeadf03b76efbddb5b870b84b700a4

SHA256
cd1fd4a7637111dcc582ebe6e9d7cd8d705f8c922cff71e36fe0bf8888117c9a

SHA512
e91444d9a4a3cb793458cdc877509ce32467d85f6be97204e6012257d4f90ec6f6bb0545c8ea57447325269f3f74362bdefa67b6328bd7afffc0aad2eeb5b6e4

Download Submit
C:\ProgramData\44\Process.txt
Filesize
1KB

MD5
bc0b5c20126d5849e0f1ad27c5965b33

SHA1
36c3992d1624509271cf13eed91b99c37bfcf28e

SHA256
a1676c0795f7888f9e4c8a203a788fd35779b2c49c99c817790b087c28b2dc24

SHA512
32a1883d6e4c4fc5712713e6ce5ac51cbcab444a252ae37696d3ec6a3c73ffb13065c46e8d7cf362029f47901b9560456197056191551ab497e5ca2433ca93c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MultiHack v2.exe
Filesize
1.2MB

MD5
f915e72fe9d0d9f8f28158077b825b38

SHA1
b5db3ae9c671b2593d7288acf54189fd33f0da94

SHA256
097bb99cfcbbf739f5c361673fb5efb6e5b0ea81e4efbffcd3824b5b94c38bc7

SHA512
28f16a55a471563139b9d24460f1d938968938796b5efdf79c6def2a411109bfbbaef83c00881674824f9baef114ba045c25af69a65bb9173b2be25550ae0dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MultiHack.exe
Filesize
1.5MB

MD5
e00bd983fd36b8f59e79ecc773adb273

SHA1
838b71043e090a5aa7ccfa1ce4c0d5f202cf337c

SHA256
2bbd6d7fe32ce72337be76abd548def8c28fa67a72d0d7d0c1a71272a97f1e80

SHA512
0a0e984f2ebd3effbc1f13b40b446e838d007d5edbf921888658588c61a2d3dd69531d4186cc258536f4080935730b2a6256e5d8db07644ef66c21647fb42a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\autoit.exe
Filesize
11.7MB

MD5
d50d5712566f1df16b5aea21b9e0ee24

SHA1
f442aa68ec8d838625f382bcf273f5d0f66427ea

SHA256
e102238100a8b97d22559065e3b19379757aeda932c36916d2c84a4178921854

SHA512
f9b8d6762a8b00392519b949083d5f0a3670ed24583ed4aaa7570cbc24914e0c19933486004d8949fbee930b8f0e66b50a05e3c478c193ba269677dcd619d7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslFADD.tmp\InstallOptions.dll
Filesize
14KB

MD5
d753362649aecd60ff434adf171a4e7f

SHA1
3b752ad064e06e21822c8958ae22e9a6bb8cf3d0

SHA256
8f24c6cf0b06d18f3c07e7bfca4e92afce71834663746cfaa9ddf52a25d5c586

SHA512
41bf41add275867553fa3bd8835cd7e2a2a362a2d5670ccbfad23700448bad9fe0f577fb6ee9d4eb81dfc10d463b325b8a873fe5912eb580936d4ad96587aa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslFADD.tmp\System.dll
Filesize
10KB

MD5
56a321bd011112ec5d8a32b2f6fd3231

SHA1
df20e3a35a1636de64df5290ae5e4e7572447f78

SHA256
bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1

SHA512
5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslFADD.tmp\UserInfo.dll
Filesize
4KB

MD5
e840e7f30c85e22b09a41098ff3f3343

SHA1
ad1eb7b2ba66ae87641947025736c67efbc4b9d8

SHA256
6707e9e88dec460c2cf421bd2bc6a314f15717527cb60dcad2fbb7352ae711a3

SHA512
ea1362c9e7ac9666d6cbfc02939a6e9c411f6aef113dc8ec898c383fc4ecf9d957c6ad8f75c33847d5da0b4427c861f0ccaf240cb1def189313de2948881dc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslFADD.tmp\ioSpecial.ini
Filesize
700B

MD5
d839997f9e018d6335982fe68fc76e1c

SHA1
dc68e0f2887a094ad555db9b7a76456e3afcd6ed

SHA256
11e2438f0ab95635adc3d823a5ab9625ca338577cfcfe370ddaf6b4fb9c21b65

SHA512
e30e10c81d5ea63a3030019d451f2139f90519c8adcc5222b797f316b88964d1213040e758390b36b9335261931ffb514acf91249e7fc7d2a475e026895fd7ce

Download Submit
memory/1680-2-0x00000000039A0000-0x00000000039B0000-memory.dmp

Filesize
64KB

Download
memory/1680-4-0x00000000039A0000-0x00000000039B0000-memory.dmp

Filesize
64KB

Download
memory/1680-0-0x0000000000BD0000-0x00000000018EC000-memory.dmp

Filesize
13.1MB

Download
memory/1680-3-0x00000000039A0000-0x00000000039B0000-memory.dmp

Filesize
64KB

Download
memory/1680-97-0x00007FFCD1EA0000-0x00007FFCD2961000-memory.dmp

Filesize
10.8MB

Download
memory/1680-1-0x00007FFCD1EA0000-0x00007FFCD2961000-memory.dmp

Filesize
10.8MB

Download
memory/3044-212-0x0000000000DF0000-0x000000000119C000-memory.dmp

Filesize
3.7MB

Download
memory/3044-215-0x0000000003FB0000-0x0000000003FC0000-memory.dmp

Filesize
64KB

Download
memory/3044-217-0x0000000006CF0000-0x0000000006D82000-memory.dmp

Filesize
584KB

Download
memory/3044-250-0x0000000007600000-0x0000000007BA4000-memory.dmp

Filesize
5.6MB

Download
memory/3044-214-0x0000000000DF0000-0x000000000119C000-memory.dmp

Filesize
3.7MB

Download
memory/3044-213-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download
memory/3044-348-0x0000000008660000-0x00000000086C6000-memory.dmp

Filesize
408KB

Download
memory/3044-350-0x0000000000DF0000-0x000000000119C000-memory.dmp

Filesize
3.7MB

Download
memory/3044-354-0x0000000000DF0000-0x000000000119C000-memory.dmp

Filesize
3.7MB

Download
memory/3044-355-0x00000000734E0000-0x0000000073C90000-memory.dmp

Filesize
7.7MB

Download