44caliber | ccc65cc16770cf1f444219f00680f9fe6234d543107e98413bb06c68aea92e86

Analysis

max time kernel
63s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2024 08:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Korepi/Korepi.exe
Size

274KB
MD5

6c10aa7f40c68f01050d041ab9c16417
SHA1

8b447164852a63f79e276396649f98dfb955e053
SHA256

db5cda1822fc9fa50bc6719d835d61692d936b674da3d840ba61ad1b11c616eb
SHA512

9636f49c03203faf53e48945efb3e182ddbcbd143822f7c706d11164d2a1a7e86caa72d3eabf307616011b79fb00b35a894dc6055a2d1cfa9966183e96a12a31
SSDEEP

6144:Bf+BLtABPDMZZzIlzcwKUfmBnxafTy8lI1D0zOy:uZOnKUfmBXx1DNy

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1205378577210548224/LNcoZrLKPyHLEN4pcKhtXlPWyk5g8jRNtbvhK_L1UGxjObYKgJwFG53LqgVJZWP5xjst

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	freegeoip.app
23	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Korepi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Korepi.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2356	Korepi.exe
2356	Korepi.exe
2356	Korepi.exe
2356	Korepi.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	Korepi.exe

C:\Users\Admin\AppData\Local\Temp\Korepi\Korepi.exe
"C:\Users\Admin\AppData\Local\Temp\Korepi\Korepi.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
119B

MD5
cc188307ea92cce91b6046d2e1fee688

SHA1
ef10d4e451d0a8d8f2fbc81ed44140607906e330

SHA256
352687eb2a745c7807fb24ef681b42e310032cadffa0ee6ef4ced70cac62470d

SHA512
cbafc2b7d25e82fbd85f3f66c65ba5e24a69f9b94ba7d66f57139208c49f419cd723ba568f62a290dd3cd980dc13083ff33e2804dfda2947f8723c088ab511a2

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
393B

MD5
563f0f99035b0443b3d0dd612a19ff15

SHA1
5156a081279ca141e2c7fee89ff188de69fbef69

SHA256
17b7269db5549c858139acbf00aca6ea4484b2e6a6e6221b9600ea2fe191deea

SHA512
6010965e365e76554bf3304fa039ec3385a7ef48d545576cb46d57a04d5a4c490b7fd8a71ea1a1455b7cdc4fa3975bbc47722b5284bffa316d43015dcb52dc6d

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
756B

MD5
044cd270d06124c04bc6966d5c72f3b6

SHA1
cf2e95efb2adbd5a78e1af7b95aae14b98a81d5d

SHA256
3cbdeaef8bbee3b5f3424965db76ff03fe98c231e99826445ad08184d06d0a89

SHA512
e16952b7770a0e5e3af3e62ce5b17bd2ba67ed2ce7785869dca7bd039ec44a5e6052e9325e6e82ec51b0409987559da1c02677a8c4d77e3ea3b1f3c2a6cfe9c1

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
72525073d33c542b96c6682ff5170c85

SHA1
9b80249c7c432358b51256dcc9c9edd4c8dc2eff

SHA256
0adfd9c94905ef0c975208d35cbb094821887e306a365e98d589d3ce590a344e

SHA512
2146b90d8e3adae437a6d7144e0f236ae17c486ac75a76be98a14dfbdb132dc29df05109a7b8cc9ecd8d3a53a493a6328338d55d40142dd39c66130e1145fdf3

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
ccf0551c5718ef456cd67254e10f5c7a

SHA1
ca843d0919566a478dfe4154d48bfdb6aa45634b

SHA256
5698491d20ced731d0ee2ffc9632a2f720e0aa6574ede2c96c035e3d6063c41f

SHA512
7d6b201aab6c5bd9c31c4484da8cd171954bdd456ad807ac2593aa1c44e24c6ea475f70c5d40ff2150f4e599fb9cf8c7fbc83de3eb0199a5caabf80626c42215

Download Submit
memory/2356-0-0x000001CDF0B90000-0x000001CDF0BDA000-memory.dmp

Filesize
296KB

Download
memory/2356-16-0x00007FFA73180000-0x00007FFA73C41000-memory.dmp

Filesize
10.8MB

Download
memory/2356-30-0x000001CDF3040000-0x000001CDF3050000-memory.dmp

Filesize
64KB

Download
memory/2356-120-0x00007FFA73180000-0x00007FFA73C41000-memory.dmp

Filesize
10.8MB

Download