44caliber | b94fcf4ac17020c3f379131719c6cfa33b8da8f930a455b952ad4ad44f888eb0

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14-01-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a673359f805a9349b7dbaa686cbc6e4.exe
Size

5.7MB
MD5

5a673359f805a9349b7dbaa686cbc6e4
SHA1

2f31abdd1773521363234eb4d73970dbae46bb75
SHA256

b94fcf4ac17020c3f379131719c6cfa33b8da8f930a455b952ad4ad44f888eb0
SHA512

8aa30743bf3601d8395e07ae900f24f2fc7f016556693f0e71f2238165c29e1a296f8b44893f640d7a5d64b74740e76852e65ee844632167b8b4a4d2b7fd4b39
SSDEEP

98304:GswjbjOhJVHrhIW5xvgEEWhl3UE9h4NWvrrhm8AtrljsPojNwn/5xIp:JdtvEykE9hqWXXUMiOn/2

Score

10^/10

44caliber stormkitty spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/867877948820029491/gtNPChnQebtHAxgaee1xYkhdf00jW3BJbkQZcVt_UHg2vTCcm1V7aZkXRIEEl3lxpWMG

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\build.exe	family_stormkitty
C:\Users\Admin\AppData\Local\Temp\build.exe	family_stormkitty
behavioral1/memory/2144-9-0x0000000001070000-0x0000000001094000-memory.dmp	family_stormkitty

Executes dropped EXE 3 IoCs

Processes:

build.exeRCC.exeGameWerCheatRust.exe

pid process

2144 build.exe
2752 RCC.exe
2924 GameWerCheatRust.exe
Loads dropped DLL 5 IoCs

Processes:

WerFault.exe

pid process

2608 WerFault.exe
2608 WerFault.exe
2608 WerFault.exe
2608 WerFault.exe
2608 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

GameWerCheatRust.exe

pid process

2924 GameWerCheatRust.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

2608 2924 WerFault.exe

pid	process
2144	build.exe
2752	RCC.exe
2924	GameWerCheatRust.exe

pid	process
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe
2608	WerFault.exe

pid	process
2924	GameWerCheatRust.exe

pid	pid_target	process
2608	2924	WerFault.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	build.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

GameWerCheatRust.exe

pid process

2924 GameWerCheatRust.exe
2924 GameWerCheatRust.exe
2924 GameWerCheatRust.exe
2924 GameWerCheatRust.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

GameWerCheatRust.exebuild.exe

description pid process

Token: SeDebugPrivilege 2924 GameWerCheatRust.exe
Token: SeDebugPrivilege 2144 build.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

GameWerCheatRust.exe

pid process

2924 GameWerCheatRust.exe

pid	process
2924	GameWerCheatRust.exe
2924	GameWerCheatRust.exe
2924	GameWerCheatRust.exe
2924	GameWerCheatRust.exe

description	pid	process
Token: SeDebugPrivilege	2924	GameWerCheatRust.exe
Token: SeDebugPrivilege	2144	build.exe

pid	process
2924	GameWerCheatRust.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

5a673359f805a9349b7dbaa686cbc6e4.exeRCC.exeGameWerCheatRust.exe

description	pid	process	target process
PID 1564 wrote to memory of 2144	1564	5a673359f805a9349b7dbaa686cbc6e4.exe	build.exe
PID 1564 wrote to memory of 2144	1564	5a673359f805a9349b7dbaa686cbc6e4.exe	build.exe
PID 1564 wrote to memory of 2144	1564	5a673359f805a9349b7dbaa686cbc6e4.exe	build.exe
PID 1564 wrote to memory of 2752	1564	5a673359f805a9349b7dbaa686cbc6e4.exe	RCC.exe
PID 1564 wrote to memory of 2752	1564	5a673359f805a9349b7dbaa686cbc6e4.exe	RCC.exe
PID 1564 wrote to memory of 2752	1564	5a673359f805a9349b7dbaa686cbc6e4.exe	RCC.exe
PID 2752 wrote to memory of 2924	2752	RCC.exe	GameWerCheatRust.exe
PID 2752 wrote to memory of 2924	2752	RCC.exe	GameWerCheatRust.exe
PID 2752 wrote to memory of 2924	2752	RCC.exe	GameWerCheatRust.exe
PID 2752 wrote to memory of 2924	2752	RCC.exe	GameWerCheatRust.exe
PID 2924 wrote to memory of 2608	2924	GameWerCheatRust.exe	WerFault.exe
PID 2924 wrote to memory of 2608	2924	GameWerCheatRust.exe	WerFault.exe
PID 2924 wrote to memory of 2608	2924	GameWerCheatRust.exe	WerFault.exe
PID 2924 wrote to memory of 2608	2924	GameWerCheatRust.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5a673359f805a9349b7dbaa686cbc6e4.exe
"C:\Users\Admin\AppData\Local\Temp\5a673359f805a9349b7dbaa686cbc6e4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Users\Admin\AppData\Local\Temp\RCC.exe
"C:\Users\Admin\AppData\Local\Temp\RCC.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
"C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 860
1⤵
- Loads dropped DLL
- Program crash
PID:2608

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt
Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
Filesize
176KB

MD5
3f5b4bea8e541a538b424c24edc7008c

SHA1
f7906ba7a2da3db7a7514df177535c9a91f1ae60

SHA256
77915f0f550a056db656d7bf8e1063a484f1babfdbf9ec916f9bbb41280edc29

SHA512
df8116e5fb16e45e4322549a5af682b6bafb96ce09fb998ce0c2aaf717645ca7ea4ebfaaaeca1435c4b03175a16dc520fb543235bd7debc6f669b0941d5e8e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
Filesize
85KB

MD5
1994d2134cc123cfd8ff40ae2719f96b

SHA1
559aa12359fe38e6c4d78d53cd90c7159eeccca3

SHA256
3e75a8ab911d8f2b6cc9e47df4a92de3e7d6713fa70b47ad94025cf654ba9fde

SHA512
38d306882ceaa9d6716c9b10132a6c4f7401653b44096fdd178aac608dc73ead4ee48b052e740726bff6c442c0703325c56841aceca21bfa029aa3ed0f9cd4af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCC.exe
Filesize
93KB

MD5
9a9b7a6931890cd30f1d09768117fd40

SHA1
fea1e663416a3024608c559030369c392629c8cc

SHA256
aa0efa5d7aeddfe913a64582d9206020689c067d5deb7465b073c589395106f0

SHA512
e762294bbd9cfbfb2db77d46d3978c4273296ba31498cf8e61d17c46da2747d9d8d9fd971059b966c3c19484cfab4996b6a4351f6c351e2928c7925c219eeb1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCC.exe
Filesize
179KB

MD5
581cb214ba0dfd7b4884be39342ace15

SHA1
cc27991b1b475f3dac4b1bf12ddaab8e8aa7b38a

SHA256
1c5b13026b90cd0424cfb64dc4651968ba51187e5dbe6ab85be3d2fb9ff5555b

SHA512
e44d22fba5fed263f125fe1420ff4674fa69fc01d37a1e77e8a1c28d49ce17f7ec15de63996ff5f691b95a31f1cd045f4eed8750b133e8b6c0641981eccb5b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
2KB

MD5
30fe5e155607f6ed0f5dcbb54a7361db

SHA1
164c2927b6d9a7821de0ea5f0a2ec1a966285b25

SHA256
de11f83bda511f2285daeb35f695b0812690720f9d6f8dd1b1fcfc25a46d6c4f

SHA512
05161c120f7930bb6bb033db046b464a341c90312b922eb1b2907a637f0af5c159549a42baa54c3a81430a13ba80ab5ef90f1d58aa3e94771538344b3d104fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe
Filesize
13KB

MD5
df9825b9f7e1d9985fe822ac872da2ae

SHA1
eb34eb518d0e94b17bfb9c569c71ec398d693a76

SHA256
9374d6ac6cdb29a050afce1ac45ff7e96ad5d6fffe7cda0fdba5063f8402f04b

SHA512
af2b9cc70f6b47772932e8b3f12c8a98230e1f2ce292b5f8382c9c424c150039b75e8e158931964dfacd7c6cf6b40315b7661d3c20c7f8ab1cb4c426fe62d56a

Download Submit
\??\c:\users\admin\appdata\local\temp\gamewercheatrust.exe
Filesize
43KB

MD5
e86c2edc47f2c3c67917ac13ef8ce2e3

SHA1
aa368d99b4e66ee3f9d14ab9bd6c3d1f0752f50b

SHA256
6870dfdc675b096ca039d56d3b4d905b831eb2067f4ef1bdb9793b929e8212ea

SHA512
99f1ff18508abe5dbb75ed3e77e375f10e08fc1d8b2a855cdc25fdff9f34fc427ef938d8c6b725f6e694afb35d87d1db6f7cb19883d012a124b1d14d3d4d027d

Download Submit
\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
Filesize
72KB

MD5
a683f420dabfe4165d57920e4fbf18d9

SHA1
ca755a9bd00a084e09cee9f7f4abc8d2d1acdbfc

SHA256
2647e34eb734d16aaeb55ba2f23ecbd5ed655bbba22b888affa0ed69a36aa208

SHA512
d8a2674b3f19e134e8ec6857fd9b3fa10fa2f7d20c4915d74f156622f20f7448c911dfd79369a96f25694f5e5f4608ddac463560d8ab5b5d8eabadb774d27049

Download Submit
\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
Filesize
45KB

MD5
ad98a1a48457958668fe5ab81a3ad051

SHA1
b82a375578d12ae81a97488e9012539de3980637

SHA256
248fa7ed2c6e812599d8886a4b57ff07b2822ca4d043da085bed59a8f63d7fec

SHA512
12b7d8e56ad8adc53d6d4727d000d7c4db34eda63c04b604bd3c8326044577867ec812c12978bde36aa575b71e655ce1b744ada764bb7edeed8236abc1a8dd64

Download Submit
\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
Filesize
63KB

MD5
05eb98fffdd71dc642553ee60ff4a4b2

SHA1
69a95de33cd09e06d6e37c4a5225f161985aa0fc

SHA256
7e5a03ddbbae71957304d9c12bd1844b4fda31ded1f2431958cd9c65a75eea0f

SHA512
600956ef33ad166000fd44c0d21cf134575a7e92ac2e3ac66796820123162f39419b27767d0c6c4cfe5d1c99d8c12fdd2ef6b206ad382edb0ae2e57baa93996d

Download Submit
\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
Filesize
85KB

MD5
4e68bf35e59f83298daeab46b9fdecaf

SHA1
772127c2ed03bb131ee5d335a25df697371b869c

SHA256
45e37aa8c7d9f127a5cef7c630098040e8fcf6b93c46a26574dd2e7d109ebe79

SHA512
56ab43fdb898eac5e064ef5f8607f149443a2df2d24d34cba58c1a1c69320eb4f41cf4b23a6d8d8fe319c6c65664a6c148004729d2681267823cfe18740a8a1f

Download Submit
\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
Filesize
73KB

MD5
58b5143a4c0fa7b02a91d48209c703d3

SHA1
5b064de43a6626fed09922ac4cc4b61d0aaa52e4

SHA256
6cd1672dff978a114c34ca5ae10d82538f8611256f883b1a519e818e984c5cf6

SHA512
08d0ff19968b1deea49f6bae62ff102d449cef73bdcc8f5d2ea1bdb34ef2a596fa6aefc68e43b01589e8ce1c3b60d35aaf12e60b07f275eb7486787378a18444

Download Submit
memory/1564-19-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1564-0-0x0000000000C20000-0x00000000011E4000-memory.dmp

Filesize
5.8MB

Download
memory/1564-1-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/1564-2-0x000000001B560000-0x000000001B5E0000-memory.dmp

Filesize
512KB

Download
memory/2144-10-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2144-58-0x000000001B360000-0x000000001B3E0000-memory.dmp

Filesize
512KB

Download
memory/2144-65-0x000000001B360000-0x000000001B3E0000-memory.dmp

Filesize
512KB

Download
memory/2144-9-0x0000000001070000-0x0000000001094000-memory.dmp

Filesize
144KB

Download
memory/2144-60-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-18-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-20-0x000000001B800000-0x000000001B880000-memory.dmp

Filesize
512KB

Download
memory/2752-28-0x000007FEF5300000-0x000007FEF5CEC000-memory.dmp

Filesize
9.9MB

Download
memory/2752-17-0x0000000000C30000-0x00000000011E2000-memory.dmp

Filesize
5.7MB

Download
memory/2924-32-0x0000000005A30000-0x0000000005A70000-memory.dmp

Filesize
256KB

Download
memory/2924-31-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-30-0x00000000001E0000-0x0000000000598000-memory.dmp

Filesize
3.7MB

Download
memory/2924-61-0x00000000001E0000-0x0000000000598000-memory.dmp

Filesize
3.7MB

Download
memory/2924-62-0x0000000073D40000-0x000000007442E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-64-0x0000000005A30000-0x0000000005A70000-memory.dmp

Filesize
256KB

Download
memory/2924-27-0x00000000001E0000-0x0000000000598000-memory.dmp

Filesize
3.7MB

Download