44caliber | 644de3a5de2ef66cd455ae70e50fe10ee356e2baa8df88fbb97eb56ea1d1a79c

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 16:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99a488d532eca43a10d3738556a18ffd.exe
Size

6.6MB
MD5

99a488d532eca43a10d3738556a18ffd
SHA1

481a20e20aa566703d7c8b64e7864536ae37b0f0
SHA256

644de3a5de2ef66cd455ae70e50fe10ee356e2baa8df88fbb97eb56ea1d1a79c
SHA512

34e84e3e1861a6daf05ff336811848eecf67062ce8a6d397389b836c76b0039c63866d3968d31aa09cc120cc1c00b27b0ca5d5540cf5e690a468239af3efea96
SSDEEP

196608:Afwd5egC59TScKmJCUwYuRyx5ItGTGI8vuVt:zd5edVCeC0uA5IITGQ

Score

10^/10

44caliber pyinstaller spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/879723240703012945/8DnUmlURQNBRTKRaHbyKS0ELGvIIdoIuBbkkbmM0ZcLBAJj3FlxCIcUk1VDLDyRi-RQK

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Executes dropped EXE 3 IoCs

pid	Process
2300	clarity.exe
2736	Insidious.exe
1364	clarity.exe

Loads dropped DLL 4 IoCs

pid	Process
1948	99a488d532eca43a10d3738556a18ffd.exe
2632	Process not Found
2300	clarity.exe
1364	clarity.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
5	freegeoip.app

Detects Pyinstaller 6 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00090000000122c9-8.dat	pyinstaller
behavioral1/files/0x00090000000122c9-6.dat	pyinstaller
behavioral1/files/0x00090000000122c9-18.dat	pyinstaller
behavioral1/files/0x00090000000122c9-20.dat	pyinstaller
behavioral1/files/0x00090000000122c9-61.dat	pyinstaller
behavioral1/files/0x00090000000122c9-62.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2736	Insidious.exe
2736	Insidious.exe
2736	Insidious.exe
2736	Insidious.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	Insidious.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2300	1948	99a488d532eca43a10d3738556a18ffd.exe	28
PID 1948 wrote to memory of 2300	1948	99a488d532eca43a10d3738556a18ffd.exe	28
PID 1948 wrote to memory of 2300	1948	99a488d532eca43a10d3738556a18ffd.exe	28
PID 1948 wrote to memory of 2736	1948	99a488d532eca43a10d3738556a18ffd.exe	30
PID 1948 wrote to memory of 2736	1948	99a488d532eca43a10d3738556a18ffd.exe	30
PID 1948 wrote to memory of 2736	1948	99a488d532eca43a10d3738556a18ffd.exe	30
PID 2300 wrote to memory of 1364	2300	clarity.exe	31
PID 2300 wrote to memory of 1364	2300	clarity.exe	31
PID 2300 wrote to memory of 1364	2300	clarity.exe	31

C:\Users\Admin\AppData\Local\Temp\99a488d532eca43a10d3738556a18ffd.exe
"C:\Users\Admin\AppData\Local\Temp\99a488d532eca43a10d3738556a18ffd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\clarity.exe
  "C:\Users\Admin\AppData\Local\Temp\clarity.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\clarity.exe
    "C:\Users\Admin\AppData\Local\Temp\clarity.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1364
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
274KB

MD5
6e6a2ffab4dcb3d56243bc870c29c7f9

SHA1
01d3f34d0427b427e04cdb42ca77ae1f8d1a0811

SHA256
f98b5fb29c750ec8c5ea26870eb9c8bf009b5da5ea660d264b69fe7d790cd276

SHA512
291ab7b799d4288249cbdc46bb780dd050c4432ce918d1c1ea232bba25b1eb39bb4e169e78adee64d1d6c658a29d08505a2e8b94114f4cb4c6e81bc6dfd272d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23002\python39.dll

Filesize
2.8MB

MD5
ba8f75d3d98af56b094a7030d08ed544

SHA1
8decded798b7d121580ee340176c5b2f16f6873d

SHA256
56a9a737f2d15c9715b6eefd16f160816d4f0c66c9fa143e6ea9cecc1f672937

SHA512
98b7baa5818b640a5176c9922335ccb3dfc43f4c7b0924e6673e5442ded0ecb74926f20ba34e78585f45a785ceed9fbf880da755d79f984ebefe2c24dd26d45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\clarity.exe

Filesize
576KB

MD5
089e47bd3f7f0e4572c5941b0d11a34d

SHA1
28dc2e684de7bb7e9b6b277029d7ab1b198b0aa2

SHA256
5388adf8082407317aeb56c22cc1869aa9d401e964ca7bbcc8c5a92176792134

SHA512
14398d33ffd622cfa854d3682bd504a3adfb28ac89fbf98b7d7ed93eadefe2b66780f9c5e8aef322d13621531c4994480d9c7dbd5397f8a5acac07ce1cb6dec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\clarity.exe

Filesize
2.8MB

MD5
27b22d1ba4938af291007ff0a06a2423

SHA1
6010e7f99e146a5c7ef598c27167760d6e56cf0d

SHA256
0bc0fdbd161a5c401c2853c308382dcdcb8a02ed0716bcc429c63dbf96c058a9

SHA512
2ccbfd5379baf1293f5028798243c721eec7f7ea42842bd8d11268b74e44fe01e31878f534e9e1d51a430aa18227b6c8d6e2f6e2e4ece11c754d2c1c1a30d5eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\clarity.exe

Filesize
2.4MB

MD5
9c1da831cf78504aaf9d808e4ad36c96

SHA1
af79b2f5b4cd28fc7a0b3afbcbc4532f553f949f

SHA256
295c3ffff704f628456c4778cb2aec95bbfb070c9c16c399cf5cc2940cac08ca

SHA512
549264792828eabfb27429862158bf612fbc4a909d1b968a5392a4873a7c6571f2219dddde4c494da74425518710240308cd87c7e535ab7c11603d4376c7f110

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
419B

MD5
23d92bc75288c8dc622245008694fb4e

SHA1
8516de73460342009311a0359252ef98c81b6a9f

SHA256
5dda5be27b2e448a47adce106a73e3c204cc83655c5d3b03e56f8731e7012f86

SHA512
c6a1c8f519dad16e3626fde7498be2a57751b26ad5170be47c3778db67db98afc853b10aedb1a1d146c183508adfcbf6c390599e6638970407238171355126c7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23002\python39.dll

Filesize
1.2MB

MD5
82b0601075163b5760fdc0f97f08b14d

SHA1
3b04e5165a4ec437d6447c6e0f1b84572f92f968

SHA256
a5864abe60bbdaef5b10512dea1009e1b40d8bc0ee98e9ba2c62feef8efc3a21

SHA512
2d5140627c4a1e381f1229243febc870f161a21e647df772e06e53ca76f272e0d6c9286806404e6d30da49f675092d3d0034532931da5941d9317a5504120cc1

Download Submit
\Users\Admin\AppData\Local\Temp\clarity.exe

Filesize
1.9MB

MD5
0d910b1d7219b84a06523c17e8a5642d

SHA1
1412ac75f1ec46328d2af5037504be31fdd4c1c5

SHA256
b8c35f17f7ffed280ebf7dd5279217d14ec13645a2c7cb4f66ad5cd969b22470

SHA512
6b9664879105ce081019aad1a0736cd2f363fb5d36164c0c3de1f6e90212f981ae4fb74da59d629837fe784729305de0aca040e9dd46f53a04652699177ad3e0

Download Submit
\Users\Admin\AppData\Local\Temp\clarity.exe

Filesize
2.7MB

MD5
f793c15d39241d5259d2730c73407abc

SHA1
3415faf48693a2f9af3f8fc0be1bf3d2400f7a7a

SHA256
9f507db8723357708cd36de4eea6d22c59c3a2c6cab22c3a725d436cb895f5cd

SHA512
8a2eff80cec8da9d91445dd43cfea8553ff2e57214168cad4ac7e041f1b4afe58890df4477703cdf79d7c2af7168949483de780b5364aa8ee80e1cbfa900edaf

Download Submit
\Users\Admin\AppData\Local\Temp\clarity.exe

Filesize
64KB

MD5
087cd629351c3f17b579013ffe73bdf2

SHA1
97ba07f543118f36e051cf8d199c4cef6e0b2c8c

SHA256
2cd793b07f2e788e06546a5824b8a192c031e224dcac5e3ed74fdf8f51383201

SHA512
4a76ba3897f4cc8ff28586706816bc95144e99b17e4e5b3e1bc43f3ae3d35612943553901648d2311b7e6813fdcc0a95376308f5efe89a12bc8375d2699ddf9a

Download Submit
memory/1948-0-0x0000000000DA0000-0x000000000143C000-memory.dmp

Filesize
6.6MB

Download
memory/1948-16-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/1948-2-0x0000000000D10000-0x0000000000D90000-memory.dmp

Filesize
512KB

Download
memory/1948-1-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-19-0x0000000001F00000-0x0000000001F80000-memory.dmp

Filesize
512KB

Download
memory/2736-15-0x0000000000380000-0x00000000003CA000-memory.dmp

Filesize
296KB

Download
memory/2736-17-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/2736-118-0x000007FEF5430000-0x000007FEF5E1C000-memory.dmp

Filesize
9.9MB

Download