44caliber | e1eb28085c40bd7903e9e785c83d7d60e46b01660bb1308d7f631e2297f97257

Analysis

max time kernel
92s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2024, 07:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a5b87e5ac2f80812cf19209d42f4efd3.exe
Size

544KB
MD5

a5b87e5ac2f80812cf19209d42f4efd3
SHA1

fa4d5b4a38f469d29d5f193d56a7df0875af2fee
SHA256

e1eb28085c40bd7903e9e785c83d7d60e46b01660bb1308d7f631e2297f97257
SHA512

aa892db6ea15b8fd73306d78f0bcb3a38da617d04be8019eebb6411b9f9983005b02e0bff8df39b483bf175de3d2fe9442b487987c925ef6e0a57eac235c80f2
SSDEEP

12288:dekYQcPFsvcnRjUTZPDnhJ+boEH8TL09MHaWNRKsO:o2vaeZPLxEH86MHaWR

Score

10^/10

44caliber spyware stealer vmprotect

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/memory/4832-0-0x0000000000750000-0x000000000084A000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
6	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	a5b87e5ac2f80812cf19209d42f4efd3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	a5b87e5ac2f80812cf19209d42f4efd3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4832	a5b87e5ac2f80812cf19209d42f4efd3.exe
4832	a5b87e5ac2f80812cf19209d42f4efd3.exe
4832	a5b87e5ac2f80812cf19209d42f4efd3.exe
4832	a5b87e5ac2f80812cf19209d42f4efd3.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4832	a5b87e5ac2f80812cf19209d42f4efd3.exe

C:\Users\Admin\AppData\Local\Temp\a5b87e5ac2f80812cf19209d42f4efd3.exe
"C:\Users\Admin\AppData\Local\Temp\a5b87e5ac2f80812cf19209d42f4efd3.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
741B

MD5
d5448af1a90d4f3787677088ae270062

SHA1
cc1db5eb8174cab6de3e309c057a20247d87fbda

SHA256
2be01006ca5e018d5208ea0d3d1822568d5000c6d1376b390628cd07cdecf85e

SHA512
d6d0e0c96432538f09493a144bef0a1ccc77571e84004c34609bf0ed4299427249bf9b4ed0a2ea7fa8a949a0444b64c54fb7dfed32d0bb5544f40402b1de75a8

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt

Filesize
1KB

MD5
caa66fc9ba9263e9cefcead2ded96bcf

SHA1
2be35eab7228e296fa8d7bb35eac5ae6c8062c1b

SHA256
def2d2573d5e58eba6c24739aca34d80452485d2f0e1a1e1a951d14d2a8a640f

SHA512
453403616755071a70ad5f7c5535bfb806e3a05ee58177b8af37273059cd2a72db638d44f20040b3b1e261ce9db2433ff02eae35e63a2c53f5ef5d334bf4d91a

Download Submit
memory/4832-0-0x0000000000750000-0x000000000084A000-memory.dmp

Filesize
1000KB

Download
memory/4832-1-0x00007FFD7EB40000-0x00007FFD7F601000-memory.dmp

Filesize
10.8MB

Download
memory/4832-2-0x0000000002990000-0x00000000029A0000-memory.dmp

Filesize
64KB

Download
memory/4832-3-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4832-4-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/4832-124-0x000000001D450000-0x000000001D5F9000-memory.dmp

Filesize
1.7MB

Download
memory/4832-125-0x00007FFD7EB40000-0x00007FFD7F601000-memory.dmp

Filesize
10.8MB

Download