44caliber | 39ad062f3182bdcd954f2c4fbc82ae8404fe85aa0ec119d2e63ec6f6c1983312

General

Target

5905d3f9053ed0c00b17f370e3939858.exe
Size

2.6MB
MD5

5905d3f9053ed0c00b17f370e3939858
SHA1

cd49b4a65523765a0fda10ec5e3957d2c6dd6752
SHA256

39ad062f3182bdcd954f2c4fbc82ae8404fe85aa0ec119d2e63ec6f6c1983312
SHA512

dc8169df03314b27906bb5f99027858580e4a391f20f7a9391739a92c4fcec672ba97312b795598424b2f972c826a0d0609f22a135cbf33dcf3e692fc541e0c9
SSDEEP

49152:Yt5WvcAwxgqAhSyUo99eBQQPim8Pv+RAG/2Xc7xyW2o7uKV9RZSTcZ:Y/jAhg/p78Pv+HxyW2wucRZSTE

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/878380228894937168/1FKbQhM8XJ4ozljtwifZ-1m-XeYw5uknMJLH4X2t0Qxup8aulmWIgdRLa1z0jAtb9Z9u

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5905d3f9053ed0c00b17f370e3939858.exeInsidious.sfx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	5905d3f9053ed0c00b17f370e3939858.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	Insidious.sfx.exe

Executes dropped EXE 2 IoCs

Processes:

Insidious.sfx.exeInsidious.exe

pid process

4548 Insidious.sfx.exe
3636 Insidious.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 freegeoip.app
8 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4548	Insidious.sfx.exe
3636	Insidious.exe

flow	ioc
7	freegeoip.app
8	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Insidious.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Insidious.exe

pid process

3636 Insidious.exe
3636 Insidious.exe
3636 Insidious.exe
3636 Insidious.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious.exe

description pid process

Token: SeDebugPrivilege 3636 Insidious.exe

pid	process
3636	Insidious.exe
3636	Insidious.exe
3636	Insidious.exe
3636	Insidious.exe

description	pid	process
Token: SeDebugPrivilege	3636	Insidious.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

5905d3f9053ed0c00b17f370e3939858.exeInsidious.sfx.exe

description	pid	process	target process
PID 2604 wrote to memory of 4548	2604	5905d3f9053ed0c00b17f370e3939858.exe	Insidious.sfx.exe
PID 2604 wrote to memory of 4548	2604	5905d3f9053ed0c00b17f370e3939858.exe	Insidious.sfx.exe
PID 2604 wrote to memory of 4548	2604	5905d3f9053ed0c00b17f370e3939858.exe	Insidious.sfx.exe
PID 4548 wrote to memory of 3636	4548	Insidious.sfx.exe	Insidious.exe
PID 4548 wrote to memory of 3636	4548	Insidious.sfx.exe	Insidious.exe

C:\Users\Admin\AppData\Local\Temp\5905d3f9053ed0c00b17f370e3939858.exe
"C:\Users\Admin\AppData\Local\Temp\5905d3f9053ed0c00b17f370e3939858.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\Insidious.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.sfx.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
115KB

MD5
20fe652aae94c57e86aceacf24a3cc3b

SHA1
327fdff7b1ff1806815af79791ac82f349a51075

SHA256
7cda6481064b78b68409948a1875dbbed0eb4361adb44a840baa3129e762140a

SHA512
417b750f4f08078b1b3cca7e45620d3f38203ded694c6718cea7a66caa2279cb63fc8991bc634525d15cfb8425d7b64488afb340439f04ff795306cdd65d2d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
217KB

MD5
8961963ba943a0d97b97a07f6d561e15

SHA1
57fdf265fd78cee8f658bbe6d88c44edd67800db

SHA256
73ae2108f7a8aebec507eba8ccb775e7ffdd303d440fecd8beb1c68429ddd577

SHA512
a67e373001ed63f0db8aece80a6b30a9f558fe314b326a1ca926f06f45871a7ca31d75e6d83f953bb257209542adb30fb6a0d4fdbe66d9aed33f90b61aaf6e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
Filesize
94KB

MD5
34d819b2341b01d2c0968f066ef70433

SHA1
010c2451898433f8939ff20b96b827bcb5f153c9

SHA256
4feb3401cb5acd8988d3f134cbfa8d550269d4537f0f85a1ed0b00899dc14b78

SHA512
f81fbfad9de24527eb813fee9b5c9d3f247493d15bbeb2a27d34e742fcd310daa3b01142afceb03ebb9eb4cc7c59497d12f437dc21f3626cedd3e53433115767

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.sfx.exe
Filesize
154KB

MD5
7f8599be618e52f6a7d2a0d07eb8e082

SHA1
1945c39231cf1a3d2c15e9146faa65cbda48e96b

SHA256
70942edd0088c01116271fc80d2f4eec1ce0449f76463a112e0a6b245d0d477e

SHA512
a6f40440eee8ac41674b442850db7eec3cf9606b9c290c28b3f058bc3882b8804ef6d7e1cfa07c9e6a71f2e6fda8e19bb79a65e540a5743e09f10378af28dd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.sfx.exe
Filesize
207KB

MD5
f4da156b31e0e96970ba722a3f3109d8

SHA1
59dc017b66b45f937686f5878b7fc7219f0e0612

SHA256
890cd0cd5139612691d592f3c3ac1f4278f5a7153adad994219e749671f3411d

SHA512
a0e6fc6b92512b9c6f425443ec33d2b08ba19f874a6e3d73ada839686f19fb24e834705d2830db14f1f8ec2d54db3b8e4ddeb1c7f7163d0636484e54bed70656

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.sfx.exe
Filesize
135KB

MD5
4d22fa9c5d9e7e6092993a1dc4aa7ae0

SHA1
23cd761ca41119fde4ff72b6acabc9234e328fd5

SHA256
4045958cb35553cec8969d36a7215d17094395fff38ed7695bc3680aa4ec7ba7

SHA512
eaa72017f5caea95aa0049c283626652a362611001dde5766f21c712f750fa812ff4109268cbc009f81094e9ca6cad25a130a4bf5da72b5363823dfaeaf63c7b

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
ac3fd8e736e2099e70515fa2cb010291

SHA1
c1f64136d86cf6d6a073b86901be5865c186fbbd

SHA256
f17eb529ba0ad03bf03f5503a32f7089ba566360f208734fda6788066076e446

SHA512
44bffe3e4c1e39ab2bbee46d54f5be4765fd0c48863198d277fffa09ee969534a4bf32637b14f5d368d1702cfc31836421f3a639e96c3baac0f9a6cef8480b23

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
735B

MD5
f59496ae736c682712d63849ff346cbe

SHA1
60c8bb546da1fc4ab1a5f2cc39a38822d4c3260e

SHA256
5be7082211aa3e1d681457e1a1c475c393c998aafcad745bb930ba122b4fe1a0

SHA512
115c2e0fb3721ef2b318c4c07950a1732c7714f39a163ebb242f129ffda4221e511315743b7a2e3b201da6daa826fc2da607da3f63957a926597790e4d6ac515

Download Submit
memory/3636-23-0x00000000006F0000-0x000000000073A000-memory.dmp

Filesize
296KB

Download
memory/3636-55-0x000000001B3B0000-0x000000001B3C0000-memory.dmp

Filesize
64KB

Download
memory/3636-47-0x00007FFEDB110000-0x00007FFEDBBD1000-memory.dmp

Filesize
10.8MB

Download
memory/3636-150-0x00007FFEDB110000-0x00007FFEDBBD1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads