44caliber | a2119eeffe066d388268d02e56303423b8ec267efae306609c1b316dc0c04cab

Analysis

max time kernel
93s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e3b448a401c6b9662d1e3d0d5cb2143.exe
Size

2.7MB
MD5

5e3b448a401c6b9662d1e3d0d5cb2143
SHA1

f290401040a78886975024e54b9e53d20169563d
SHA256

a2119eeffe066d388268d02e56303423b8ec267efae306609c1b316dc0c04cab
SHA512

677aba5e6ec76d3e21242638b0f31eb5ff4351c7fa14676d0ed87ac8c999552ef02de7423e5acd8bbdc9d43fcd45ff1330151d29f685ef0319e038d63dbd4cba
SSDEEP

49152:Izosmx2LWrn4StMIlux28xPmXtNMGi72arIPR5pl20hukH5jE9PlU/goROD+e8WD:zZnr4yRl6xPmXtNML7zA12OFHMNU/bRW

Score

10^/10

44caliber echelon collection discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/877099784312328213/gbN3AhFr-HwOYeSmi-AjLnTIHhnG8GV5LfjEhIncHO-_rtFM2jafytOi5GkZCyhMgXTd

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe	family_echelon
behavioral2/memory/2292-27-0x00000194BCA20000-0x00000194BCAB8000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

5e3b448a401c6b9662d1e3d0d5cb2143.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 5e3b448a401c6b9662d1e3d0d5cb2143.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5e3b448a401c6b9662d1e3d0d5cb2143.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5e3b448a401c6b9662d1e3d0d5cb2143.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5e3b448a401c6b9662d1e3d0d5cb2143.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5e3b448a401c6b9662d1e3d0d5cb2143.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5e3b448a401c6b9662d1e3d0d5cb2143.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	5e3b448a401c6b9662d1e3d0d5cb2143.exe

Executes dropped EXE 2 IoCs

Processes:

ProtonHack.exeProtonHackers.exe

pid process

3472 ProtonHack.exe
2292 ProtonHackers.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3472	ProtonHack.exe
2292	ProtonHackers.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4172-0-0x0000000000400000-0x0000000000A84000-memory.dmp	themida
behavioral2/memory/4172-31-0x0000000000400000-0x0000000000A84000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ProtonHackers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ProtonHackers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ProtonHackers.exe
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ProtonHackers.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

5e3b448a401c6b9662d1e3d0d5cb2143.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5e3b448a401c6b9662d1e3d0d5cb2143.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 freegeoip.app
8 freegeoip.app
10 api.ipify.org
11 api.ipify.org
38 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

5e3b448a401c6b9662d1e3d0d5cb2143.exe

pid process

4172 5e3b448a401c6b9662d1e3d0d5cb2143.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
7	freegeoip.app
8	freegeoip.app
10	api.ipify.org
11	api.ipify.org
38	ip-api.com

pid	process
4172	5e3b448a401c6b9662d1e3d0d5cb2143.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ProtonHack.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ProtonHack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProtonHack.exe

NTFS ADS 2 IoCs

Processes:

5e3b448a401c6b9662d1e3d0d5cb2143.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\40==K5 >B 0::0.txt	5e3b448a401c6b9662d1e3d0d5cb2143.exe
File created	C:\Users\Admin\AppData\Local\Temp\40==K5 >B 0::0.txt	5e3b448a401c6b9662d1e3d0d5cb2143.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

ProtonHack.exeProtonHackers.exe

pid process

3472 ProtonHack.exe
3472 ProtonHack.exe
3472 ProtonHack.exe
3472 ProtonHack.exe
2292 ProtonHackers.exe
2292 ProtonHackers.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ProtonHack.exeProtonHackers.exe

description pid process

Token: SeDebugPrivilege 3472 ProtonHack.exe
Token: SeDebugPrivilege 2292 ProtonHackers.exe

pid	process
3472	ProtonHack.exe
3472	ProtonHack.exe
3472	ProtonHack.exe
3472	ProtonHack.exe
2292	ProtonHackers.exe
2292	ProtonHackers.exe

description	pid	process
Token: SeDebugPrivilege	3472	ProtonHack.exe
Token: SeDebugPrivilege	2292	ProtonHackers.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5e3b448a401c6b9662d1e3d0d5cb2143.exe

description	pid	process	target process
PID 4172 wrote to memory of 3472	4172	5e3b448a401c6b9662d1e3d0d5cb2143.exe	ProtonHack.exe
PID 4172 wrote to memory of 3472	4172	5e3b448a401c6b9662d1e3d0d5cb2143.exe	ProtonHack.exe
PID 4172 wrote to memory of 2292	4172	5e3b448a401c6b9662d1e3d0d5cb2143.exe	ProtonHackers.exe
PID 4172 wrote to memory of 2292	4172	5e3b448a401c6b9662d1e3d0d5cb2143.exe	ProtonHackers.exe

outlook_office_path 1 IoCs

Processes:

ProtonHackers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ProtonHackers.exe

outlook_win_path 1 IoCs

Processes:

ProtonHackers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ProtonHackers.exe

C:\Users\Admin\AppData\Local\Temp\5e3b448a401c6b9662d1e3d0d5cb2143.exe
"C:\Users\Admin\AppData\Local\Temp\5e3b448a401c6b9662d1e3d0d5cb2143.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:4172

C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe
"C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472

C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe
"C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe"
2⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe
Filesize
274KB

MD5
9df1e86f0c44b525df31975949fe225a

SHA1
a1869bd91c12f6e96339d112d2acb0f018c31f6e

SHA256
13685d73ac437d3d5f976b9f600b183a489aa8871596ee9bec5d27ceb53c0b13

SHA512
7dfe7348e4934aa5d5b21af64ed0d90397fb430ea8dd6f5b104b69edc80e51766c6150f8db37749912dc47f604fa18dff4e9cfbf7a850248d16cf8acdd2d5bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe
Filesize
581KB

MD5
ae9fc2812c2a6d55c9f66b626963639f

SHA1
22b0e3477e075bb7fbe70121f51567d50c6d5d39

SHA256
c46ae05c8aecb322d21d504e5dc4665304c12f4a23da2222f58bc940ee53345c

SHA512
37ef5617f2fda51865f850a9d089e9e56de29508a1b153ada6fd8e32375fdd0f8750b9c5946508a5b0a7a06d61f271fc3d4ffca66d2a8ae72adfed11fc226e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D22ED8715E.tmp
Filesize
92KB

MD5
ec564f686dd52169ab5b8535e03bb579

SHA1
08563d6c547475d11edae5fd437f76007889275a

SHA256
43c07a345be732ff337e3826d82f5e220b9474b00242e335c0abb9e3fcc03433

SHA512
aa9e3cb1ae365fd5a20439bca6f7c79331a08d2f7660a36c5b8b4f57a0e51c2392b8e00f3d58af479134531dc0e6b4294210b3633f64723abd7f4bc4db013df9

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
7b3ea807c0ea9fc4647a73f5c08c7f8f

SHA1
c5748c5ab5b05a05a7ca0db82521fc7bcc3f2109

SHA256
33926d45c688179f283327b335b99c974c935b58265dfcd139fdd8bd7a782292

SHA512
b9985aca26de73190ddaa93c17aeff94294303d302c31e5cac625c31c7062af311395bbaef9ce411e63a426553aed62eba56ac7adfdadc44f2e4681c756481c0

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
45281db3021cc392385e03b0b2e89b23

SHA1
f3f4b7c00e44c10f17b45764249733080626384b

SHA256
572ebd9c1cf15afbfb602445fc150fd48d02fe8078a7abc5a13eafd30f0cf303

SHA512
2ca210b211131021997d0fd2a9463f930d4c93f8016cfe57157c03c1d3569c76ff10b896401e409afba1ebd2e1e67f0127b2288e0d5f8bb5b838aa95e439717b

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
376B

MD5
6fa5ccf33b67952483ff75552bf5dc01

SHA1
c3d70ad87bac2c98fe867c8ea32f18037491c318

SHA256
a5a36020c80202c8a13685ea321d97b1308cbef7fa36f4c4381cffe633c44d21

SHA512
05f3f5274647364545e956494cd76b30ce7d43d6f3299b445226f63f34cbdfc00b61e1470d3876ea910f9b6f025e48d2f1f78ba87d2475f97e5a5e5b7871491b

Download Submit
memory/2292-62-0x00000194BCF00000-0x00000194BCF10000-memory.dmp

Filesize
64KB

Download
memory/2292-174-0x00007FFC8CB20000-0x00007FFC8D5E1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-176-0x00007FFC8CB20000-0x00007FFC8D5E1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-51-0x00007FFC8CB20000-0x00007FFC8D5E1000-memory.dmp

Filesize
10.8MB

Download
memory/2292-63-0x00000194D71A0000-0x00000194D7216000-memory.dmp

Filesize
472KB

Download
memory/2292-27-0x00000194BCA20000-0x00000194BCAB8000-memory.dmp

Filesize
608KB

Download
memory/2292-175-0x00000194BCF00000-0x00000194BCF10000-memory.dmp

Filesize
64KB

Download
memory/3472-29-0x000000001B190000-0x000000001B1A0000-memory.dmp

Filesize
64KB

Download
memory/3472-28-0x00007FFC8CB20000-0x00007FFC8D5E1000-memory.dmp

Filesize
10.8MB

Download
memory/3472-26-0x00000000004C0000-0x000000000050A000-memory.dmp

Filesize
296KB

Download
memory/3472-157-0x00007FFC8CB20000-0x00007FFC8D5E1000-memory.dmp

Filesize
10.8MB

Download
memory/4172-0-0x0000000000400000-0x0000000000A84000-memory.dmp

Filesize
6.5MB

Download
memory/4172-1-0x0000000077654000-0x0000000077656000-memory.dmp

Filesize
8KB

Download
memory/4172-31-0x0000000000400000-0x0000000000A84000-memory.dmp

Filesize
6.5MB

Download