44caliber | 8ff779c61ce341d779d71c4d907627b0a0fd33474ac6f5647fcb4484940a810b

Analysis

max time kernel
457s
max time network
1178s
platform
windows11-21h2_x64
resource
win11-20231222-en
resource tags

arch:x64arch:x86image:win11-20231222-enlocale:en-usos:windows11-21h2-x64system
submitted
12-02-2024 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoteBook Vitax.exe
Size

303KB
MD5

13de7fe5ae3ca94916e9a2388331ec5b
SHA1

e5650b323a754a49a4c44d966513263224af48ce
SHA256

8ff779c61ce341d779d71c4d907627b0a0fd33474ac6f5647fcb4484940a810b
SHA512

1f7b8946c4d9aed25730dd9952cecb85ea960ca76e39b04d3589f01f44fa522b59af6a26d96821c481b2ce4d96c1f3753835ffdf1a94ec3406444c2331a96563
SSDEEP

6144:kr+UT6MDdbICydeBwtgGJSTZsgPvur8mI1D0k2w:krNsgGJSdsrq1Duw

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1192867889502490784/d5b-GoiYJ0-udNuzCNlHbe17U050Uovs3ONP72ifR0EsXXp5DkvWjQWgRI59ylud8K6j

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 freegeoip.app
2 freegeoip.app
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

NoteBook Vitax.exe

pid process

3956 NoteBook Vitax.exe
3956 NoteBook Vitax.exe
3956 NoteBook Vitax.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NoteBook Vitax.exe

description pid process

Token: SeDebugPrivilege 3956 NoteBook Vitax.exe

flow	ioc
1	freegeoip.app
2	freegeoip.app

pid	process
3956	NoteBook Vitax.exe
3956	NoteBook Vitax.exe
3956	NoteBook Vitax.exe

description	pid	process
Token: SeDebugPrivilege	3956	NoteBook Vitax.exe

C:\Users\Admin\AppData\Local\Temp\NoteBook Vitax.exe
"C:\Users\Admin\AppData\Local\Temp\NoteBook Vitax.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3956

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3956-0-0x0000016F590B0000-0x0000016F59102000-memory.dmp

Filesize
328KB

Download
memory/3956-18-0x00007FFFC22F0000-0x00007FFFC2DB2000-memory.dmp

Filesize
10.8MB

Download
memory/3956-31-0x0000016F73720000-0x0000016F73730000-memory.dmp

Filesize
64KB

Download
memory/3956-32-0x00007FFFC22F0000-0x00007FFFC2DB2000-memory.dmp

Filesize
10.8MB

Download