44caliber | e1eb28085c40bd7903e9e785c83d7d60e46b01660bb1308d7f631e2297f97257

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/02/2024, 07:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a5b87e5ac2f80812cf19209d42f4efd3.exe
Size

544KB
MD5

a5b87e5ac2f80812cf19209d42f4efd3
SHA1

fa4d5b4a38f469d29d5f193d56a7df0875af2fee
SHA256

e1eb28085c40bd7903e9e785c83d7d60e46b01660bb1308d7f631e2297f97257
SHA512

aa892db6ea15b8fd73306d78f0bcb3a38da617d04be8019eebb6411b9f9983005b02e0bff8df39b483bf175de3d2fe9442b487987c925ef6e0a57eac235c80f2
SSDEEP

12288:dekYQcPFsvcnRjUTZPDnhJ+boEH8TL09MHaWNRKsO:o2vaeZPLxEH86MHaWR

Score

10^/10

44caliber spyware stealer vmprotect

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1640-0-0x0000000000BC0000-0x0000000000CBA000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	a5b87e5ac2f80812cf19209d42f4efd3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a5b87e5ac2f80812cf19209d42f4efd3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1640	a5b87e5ac2f80812cf19209d42f4efd3.exe
1640	a5b87e5ac2f80812cf19209d42f4efd3.exe
1640	a5b87e5ac2f80812cf19209d42f4efd3.exe
1640	a5b87e5ac2f80812cf19209d42f4efd3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	a5b87e5ac2f80812cf19209d42f4efd3.exe

C:\Users\Admin\AppData\Local\Temp\a5b87e5ac2f80812cf19209d42f4efd3.exe
"C:\Users\Admin\AppData\Local\Temp\a5b87e5ac2f80812cf19209d42f4efd3.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
412B

MD5
b3faeb0cd293351b38efc17576215da1

SHA1
a9fc3a1453253acde7eb348cfcdf62340f2620b8

SHA256
5d86094116aed129023d0f2b8786dc2ea9055df698464ad9c705b94e47b66d3d

SHA512
7685315aa0a0301727119f718d38920125f4d20da9841f56a11b465ea5f0fc5e9c92a6cd3fdd9c130cbe511d37b566922f3868d810d990a32614c45c2e25178a

Download Submit
memory/1640-0-0x0000000000BC0000-0x0000000000CBA000-memory.dmp

Filesize
1000KB

Download
memory/1640-1-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download
memory/1640-2-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1640-3-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1640-4-0x000000001B080000-0x000000001B100000-memory.dmp

Filesize
512KB

Download
memory/1640-53-0x000007FEF5A10000-0x000007FEF63FC000-memory.dmp

Filesize
9.9MB

Download