44caliber | 39ad062f3182bdcd954f2c4fbc82ae8404fe85aa0ec119d2e63ec6f6c1983312

General

Target

5905d3f9053ed0c00b17f370e3939858.exe
Size

2.6MB
MD5

5905d3f9053ed0c00b17f370e3939858
SHA1

cd49b4a65523765a0fda10ec5e3957d2c6dd6752
SHA256

39ad062f3182bdcd954f2c4fbc82ae8404fe85aa0ec119d2e63ec6f6c1983312
SHA512

dc8169df03314b27906bb5f99027858580e4a391f20f7a9391739a92c4fcec672ba97312b795598424b2f972c826a0d0609f22a135cbf33dcf3e692fc541e0c9
SSDEEP

49152:Yt5WvcAwxgqAhSyUo99eBQQPim8Pv+RAG/2Xc7xyW2o7uKV9RZSTcZ:Y/jAhg/p78Pv+HxyW2wucRZSTE

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/878380228894937168/1FKbQhM8XJ4ozljtwifZ-1m-XeYw5uknMJLH4X2t0Qxup8aulmWIgdRLa1z0jAtb9Z9u

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 2 IoCs

Processes:

Insidious.sfx.exeInsidious.exe

pid process

1668 Insidious.sfx.exe
2796 Insidious.exe

pid	process
1668	Insidious.sfx.exe
2796	Insidious.exe

Loads dropped DLL 7 IoCs

Processes:

5905d3f9053ed0c00b17f370e3939858.exeInsidious.sfx.exe

pid	process
2196	5905d3f9053ed0c00b17f370e3939858.exe
2196	5905d3f9053ed0c00b17f370e3939858.exe
2196	5905d3f9053ed0c00b17f370e3939858.exe
1668	Insidious.sfx.exe
1668	Insidious.sfx.exe
1668	Insidious.sfx.exe
1668	Insidious.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Insidious.exe

pid process

2796 Insidious.exe
2796 Insidious.exe
2796 Insidious.exe
2796 Insidious.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious.exe

description pid process

Token: SeDebugPrivilege 2796 Insidious.exe

pid	process
2796	Insidious.exe
2796	Insidious.exe
2796	Insidious.exe
2796	Insidious.exe

description	pid	process
Token: SeDebugPrivilege	2796	Insidious.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

5905d3f9053ed0c00b17f370e3939858.exeInsidious.sfx.exe

description	pid	process	target process
PID 2196 wrote to memory of 1668	2196	5905d3f9053ed0c00b17f370e3939858.exe	Insidious.sfx.exe
PID 2196 wrote to memory of 1668	2196	5905d3f9053ed0c00b17f370e3939858.exe	Insidious.sfx.exe
PID 2196 wrote to memory of 1668	2196	5905d3f9053ed0c00b17f370e3939858.exe	Insidious.sfx.exe
PID 2196 wrote to memory of 1668	2196	5905d3f9053ed0c00b17f370e3939858.exe	Insidious.sfx.exe
PID 1668 wrote to memory of 2796	1668	Insidious.sfx.exe	Insidious.exe
PID 1668 wrote to memory of 2796	1668	Insidious.sfx.exe	Insidious.exe
PID 1668 wrote to memory of 2796	1668	Insidious.sfx.exe	Insidious.exe
PID 1668 wrote to memory of 2796	1668	Insidious.sfx.exe	Insidious.exe

C:\Users\Admin\AppData\Local\Temp\5905d3f9053ed0c00b17f370e3939858.exe
"C:\Users\Admin\AppData\Local\Temp\5905d3f9053ed0c00b17f370e3939858.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196

C:\Users\Admin\AppData\Local\Temp\Insidious.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.sfx.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt
Filesize
374B

MD5
91ea8d226904eaeabaf6b14257c05422

SHA1
f0333bf33d9ee145bec0329a62e8558abc1fe3d2

SHA256
35638485721aafae4162827067952bed3dd019577141fb42e9d855f26619e711

SHA512
fb860e4411fee164075ec2d19939b6f39b39d42bfd53bbfb6f7ab0209067d1a770e8f752d03bb66fb5d94bdc7dd279e7d700ead29c1d9b8b047d6b09d9cdc436

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
273KB

MD5
62dfbbc74614cba9c6aec7747d9dde9c

SHA1
a3e2c444128a771599ab53065f74964875e3de30

SHA256
77179bbcac42cd1be0c59a23327b1f367b37169b7c80fe534e3df30aa431f44d

SHA512
ccfa40603d81721d5a6929690ddb2a49e9ac42ba17b5c4157ae098a9874a0f942fe135dc45ff8a35090d7696b2f6b2968e5686a51617d5a4a5196be34e20607d

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious.sfx.exe
Filesize
64KB

MD5
4e43d5f249eae755d4f4b3fd727964d3

SHA1
534a3a14e796cbf021116bcd69c3ebcf46d22705

SHA256
2b112d49a8a1ffe46587f165360fdc4c02068520c90648be8f4889ad7d6489f1

SHA512
86feb0ca26f360e83e61cfa8510d9efdc0225e33ae442005da969388623e5276f8268bbaec4c9dc90d8d744be4d1411c036b977ce8b3cf0ba704ec864fed50ae

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious.sfx.exe
Filesize
412KB

MD5
169187271a88b6324dd55f9f576c40e6

SHA1
649e4d799c39cbbf2eb8f807264c2ee02ffabd6f

SHA256
992d1df253a75246ba608209e7298f1d0dffd86e82e2b14b39e9ff6fc488947d

SHA512
e613e33a3a4c520834dbe6f25815584e08d305b9143a65d571e96b6e5897a7a577a0b9452fc736ad33d943f91f49fe7e8db866ee05f84d88413cd53a2d45a5cd

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious.sfx.exe
Filesize
384KB

MD5
99dcf63fc316c6ce61f088e13b0458ed

SHA1
e8e7e4c72d52282849f0a736da0bf4585ea3d2f1

SHA256
e7e4e72d7ce92b62871ee6c259174d8d6071f3efadb263fc4a43480a4e0a54ce

SHA512
8a9206787454b29ccdd08cb901bc49f9b91a8afa48d6b29918482cb229179fddbea0c62b23566f1a7a8da58bae92cf8191c6ab45f17e7a166b7385acff4178ae

Download Submit
memory/2796-31-0x0000000000130000-0x000000000017A000-memory.dmp

Filesize
296KB

Download
memory/2796-32-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-33-0x000000001B360000-0x000000001B3E0000-memory.dmp

Filesize
512KB

Download
memory/2796-79-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads