44caliber | b94fcf4ac17020c3f379131719c6cfa33b8da8f930a455b952ad4ad44f888eb0

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2024 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a673359f805a9349b7dbaa686cbc6e4.exe
Size

5.7MB
MD5

5a673359f805a9349b7dbaa686cbc6e4
SHA1

2f31abdd1773521363234eb4d73970dbae46bb75
SHA256

b94fcf4ac17020c3f379131719c6cfa33b8da8f930a455b952ad4ad44f888eb0
SHA512

8aa30743bf3601d8395e07ae900f24f2fc7f016556693f0e71f2238165c29e1a296f8b44893f640d7a5d64b74740e76852e65ee844632167b8b4a4d2b7fd4b39
SSDEEP

98304:GswjbjOhJVHrhIW5xvgEEWhl3UE9h4NWvrrhm8AtrljsPojNwn/5xIp:JdtvEykE9hqWXXUMiOn/2

Score

10^/10

44caliber stormkitty spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/867877948820029491/gtNPChnQebtHAxgaee1xYkhdf00jW3BJbkQZcVt_UHg2vTCcm1V7aZkXRIEEl3lxpWMG

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023209-14.dat	family_stormkitty
behavioral2/memory/2004-15-0x0000000000AD0000-0x0000000000AF4000-memory.dmp	family_stormkitty
behavioral2/files/0x0007000000023209-13.dat	family_stormkitty

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	5a673359f805a9349b7dbaa686cbc6e4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	RCC.exe

Executes dropped EXE 3 IoCs

pid	Process
2004	build.exe
4744	RCC.exe
2828	GameWerCheatRust.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	freegeoip.app

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2828	GameWerCheatRust.exe
2828	GameWerCheatRust.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
936	2828	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2828	GameWerCheatRust.exe
2828	GameWerCheatRust.exe
2828	GameWerCheatRust.exe
2828	GameWerCheatRust.exe
2828	GameWerCheatRust.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2828	GameWerCheatRust.exe
Token: SeDebugPrivilege	2004	build.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2828	GameWerCheatRust.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 2004	3772	5a673359f805a9349b7dbaa686cbc6e4.exe	22
PID 3772 wrote to memory of 2004	3772	5a673359f805a9349b7dbaa686cbc6e4.exe	22
PID 3772 wrote to memory of 4744	3772	5a673359f805a9349b7dbaa686cbc6e4.exe	23
PID 3772 wrote to memory of 4744	3772	5a673359f805a9349b7dbaa686cbc6e4.exe	23
PID 4744 wrote to memory of 2828	4744	RCC.exe	27
PID 4744 wrote to memory of 2828	4744	RCC.exe	27
PID 4744 wrote to memory of 2828	4744	RCC.exe	27

C:\Users\Admin\AppData\Local\Temp\5a673359f805a9349b7dbaa686cbc6e4.exe
"C:\Users\Admin\AppData\Local\Temp\5a673359f805a9349b7dbaa686cbc6e4.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Users\Admin\AppData\Local\Temp\RCC.exe
  "C:\Users\Admin\AppData\Local\Temp\RCC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe
    "C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 1308
      4⤵
      Program crash
      PID:936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2828 -ip 2828
1⤵
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe

Filesize
61KB

MD5
7bc5af5797568e6bc2fc3b3785bda3ea

SHA1
990b9a2e1c7cd724bb843e57a891eb3429acde13

SHA256
abc658df9d5215e767fbf5e9878b86158a36c645a94620f63321fecbf7a2f66b

SHA512
859cfecfa488c6da89be8be91a9fe5a153d04ae2a5015e8c8f69fc0059a3396d46e69a1c0302af9f1e636653ad316fea8ce06025d72c2c37f24f4dc039688b1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe

Filesize
60KB

MD5
6ade5a64d9c08f84a1eb7a5a7348602a

SHA1
799269b11a957ba45194d1abac3d5f82528e0600

SHA256
47fee2caeabf30d8548e0639ef277ed33c636af15bb4e6ee4c156c6f33d7e598

SHA512
954733d0525862670661b838af508d96905e98757d78c05255fa3a587b631f4546c07e4320d608a1606991568cb52688443fdb4b7cfecd8234c500ace4d94601

Download Submit
C:\Users\Admin\AppData\Local\Temp\GameWerCheatRust.exe

Filesize
67KB

MD5
8b20c9181bc6679302a908ebdc653f3d

SHA1
0218a8177e323702094b14779d1be6b54b1c4ac3

SHA256
31050a74fb35620716d5ba010ca675c9f45498a87adef33de018aa4f6d44a99f

SHA512
499ec102baf11ae509d9b5801381e77195fc4172e9988194cc68f7f03a14085d96d4f94510a0d197f93cd8736c96bb67c732e45b15c99f097b459627e045a3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCC.exe

Filesize
97KB

MD5
0cd341c9812dca07bf277b3458407ed3

SHA1
6176af606de572d9809f5b5844070b352e7141c0

SHA256
449bfa74d6b0b15eee4a8ce8aebd80795d7970bfc24644587ae4845eac2329eb

SHA512
1313a0d98f50b7f02f87b33511afa38a82946cd87d02f63b013f5c2ed02ec8ca2b1de0745b2d02beece1413e27ac3e138214ab151d57e8a20f9d9404ad7ea9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCC.exe

Filesize
113KB

MD5
ca7f218b4965b3288c5be80f70300312

SHA1
28a9e3dd4f5405de3447761e76a62e788121c6b2

SHA256
9324bfa847491966708432a317787d24c9882b9ae7b00dd11a5c59fe41027ef4

SHA512
ab080ef26dfcbe7a8d8edabbfbddb4d3a2337dc0f4a856f17b60ea74300d25622241b8028f13c8cd8c8b997bec62b8ca66a2f64a85b6a07cccc81863dabd8782

Download Submit
C:\Users\Admin\AppData\Local\Temp\RCC.exe

Filesize
105KB

MD5
d61b152f9a9cff66eeeb9314f6ae3d5b

SHA1
f5934c9680f222c3a90c74f07ea2816b2ed8d6a9

SHA256
d5f3181237fad62b354af93eb03c594e5f54f538dc58b08f8bae97b176b02ca5

SHA512
050c5cc8ac6935248eea6f6ed8057d9cb1b8382bd9f106fbb5e066ad8332fde1d9b71d81fd1d8d692cfa7affeb54979c2a0123ec30e00d28f87976ae473486a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
120KB

MD5
16fe7e3582098aaef78c616f1e85dab5

SHA1
3446d42b2cf4fb14e278b2e5f829c3350d5b1f23

SHA256
07cf4c35d8ce3c40a8ea1ee7ae199b676e77cd89d1c6dc8400094fc9ac2aae8e

SHA512
562d462823d0576c743775af481e804f81bb0ff8a5734ba642d2b01df7226e9d0ff95d6d3959b0f8875d2453efc3efe79572a15fca3f8d135ee8932d49c8c902

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
103KB

MD5
57f28ebed189d9179b7eab2e26363e2a

SHA1
71be508ce100783f1388c21b28ba8e3bf10e7ae9

SHA256
e2f78e0673fb98e4aa29f889fed794ca8f24ea1a24f2ea62c9e5aed05f80e35e

SHA512
03d2e4ad538821404a34187bc7cab0866471b9918c64638b53f77ac685ff51eeee1ba9f5badba7cfd0e61c8f6186d8eae8546afa9feb16fb2a625ef6ea02554a

Download Submit
memory/2004-91-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/2004-67-0x0000000002D10000-0x0000000002D20000-memory.dmp

Filesize
64KB

Download
memory/2004-90-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/2004-15-0x0000000000AD0000-0x0000000000AF4000-memory.dmp

Filesize
144KB

Download
memory/2004-16-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/2828-89-0x0000000074030000-0x00000000747E0000-memory.dmp

Filesize
7.7MB

Download
memory/2828-88-0x00000000008E0000-0x0000000000C98000-memory.dmp

Filesize
3.7MB

Download
memory/2828-47-0x00000000008E0000-0x0000000000C98000-memory.dmp

Filesize
3.7MB

Download
memory/2828-51-0x00000000008E0000-0x0000000000C98000-memory.dmp

Filesize
3.7MB

Download
memory/2828-50-0x00000000008E0000-0x0000000000C98000-memory.dmp

Filesize
3.7MB

Download
memory/2828-49-0x0000000074030000-0x00000000747E0000-memory.dmp

Filesize
7.7MB

Download
memory/2828-52-0x0000000006060000-0x0000000006070000-memory.dmp

Filesize
64KB

Download
memory/3772-1-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/3772-0-0x0000000000750000-0x0000000000D14000-memory.dmp

Filesize
5.8MB

Download
memory/3772-31-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/3772-4-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

Filesize
64KB

Download
memory/4744-32-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/4744-48-0x00007FFA8B6B0000-0x00007FFA8C171000-memory.dmp

Filesize
10.8MB

Download
memory/4744-30-0x00000000009D0000-0x0000000000F82000-memory.dmp

Filesize
5.7MB

Download
memory/4744-33-0x000000001BC90000-0x000000001BCA0000-memory.dmp

Filesize
64KB

Download