44caliber | 81e5007b1563752afaded075c7d864a85da680f1a07f4f38cdb0326a31658401

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-03-2024 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d008b5ac1b929144d485b6042baebe2b.exe
Size

14.7MB
MD5

d008b5ac1b929144d485b6042baebe2b
SHA1

d3f1da5864d24d0f1c86e24ab56322df55206100
SHA256

81e5007b1563752afaded075c7d864a85da680f1a07f4f38cdb0326a31658401
SHA512

6e1c2d1edd951856b4fedd2b8e2226124e80c4fee101597ec82f71197e24c1cef86034add6336d0f3d3a0cd95edeb4409a33e832a8dec3f29e790678328b5146
SSDEEP

393216:Xa664wtF3JuBnaO6Fje2fXVI/Hy3AYtDDD:v6j3U541e8VqS3AKDD

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/869968115126128690/9HuocC8P0OFpxwEHR7UGW0ZtseqV8b95oQ9ExN0rHkwTjipAQLrkOqPzDiDXxXky3kUL

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 3 IoCs

Processes:

Custom voopoo.exevoopoo.exevoopoo.tmp

pid process

2784 Custom voopoo.exe
636 voopoo.exe
2836 voopoo.tmp

pid	process
2784	Custom voopoo.exe
636	voopoo.exe
2836	voopoo.tmp

Loads dropped DLL 9 IoCs

Processes:

d008b5ac1b929144d485b6042baebe2b.exevoopoo.exe

pid	process
1692	d008b5ac1b929144d485b6042baebe2b.exe
1692	d008b5ac1b929144d485b6042baebe2b.exe
1692	d008b5ac1b929144d485b6042baebe2b.exe
1692	d008b5ac1b929144d485b6042baebe2b.exe
1692	d008b5ac1b929144d485b6042baebe2b.exe
1692	d008b5ac1b929144d485b6042baebe2b.exe
1692	d008b5ac1b929144d485b6042baebe2b.exe
1692	d008b5ac1b929144d485b6042baebe2b.exe
636	voopoo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Custom voopoo.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Custom voopoo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Custom voopoo.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Custom voopoo.exe

pid process

2784 Custom voopoo.exe
2784 Custom voopoo.exe
2784 Custom voopoo.exe
2784 Custom voopoo.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

voopoo.tmp

pid process

2836 voopoo.tmp
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Custom voopoo.exe

description pid process

Token: SeDebugPrivilege 2784 Custom voopoo.exe

pid	process
2784	Custom voopoo.exe
2784	Custom voopoo.exe
2784	Custom voopoo.exe
2784	Custom voopoo.exe

pid	process
2836	voopoo.tmp

description	pid	process
Token: SeDebugPrivilege	2784	Custom voopoo.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d008b5ac1b929144d485b6042baebe2b.exevoopoo.exe

description	pid	process	target process
PID 1692 wrote to memory of 2784	1692	d008b5ac1b929144d485b6042baebe2b.exe	Custom voopoo.exe
PID 1692 wrote to memory of 2784	1692	d008b5ac1b929144d485b6042baebe2b.exe	Custom voopoo.exe
PID 1692 wrote to memory of 2784	1692	d008b5ac1b929144d485b6042baebe2b.exe	Custom voopoo.exe
PID 1692 wrote to memory of 2784	1692	d008b5ac1b929144d485b6042baebe2b.exe	Custom voopoo.exe
PID 1692 wrote to memory of 636	1692	d008b5ac1b929144d485b6042baebe2b.exe	voopoo.exe
PID 1692 wrote to memory of 636	1692	d008b5ac1b929144d485b6042baebe2b.exe	voopoo.exe
PID 1692 wrote to memory of 636	1692	d008b5ac1b929144d485b6042baebe2b.exe	voopoo.exe
PID 1692 wrote to memory of 636	1692	d008b5ac1b929144d485b6042baebe2b.exe	voopoo.exe
PID 1692 wrote to memory of 636	1692	d008b5ac1b929144d485b6042baebe2b.exe	voopoo.exe
PID 1692 wrote to memory of 636	1692	d008b5ac1b929144d485b6042baebe2b.exe	voopoo.exe
PID 1692 wrote to memory of 636	1692	d008b5ac1b929144d485b6042baebe2b.exe	voopoo.exe
PID 636 wrote to memory of 2836	636	voopoo.exe	voopoo.tmp
PID 636 wrote to memory of 2836	636	voopoo.exe	voopoo.tmp
PID 636 wrote to memory of 2836	636	voopoo.exe	voopoo.tmp
PID 636 wrote to memory of 2836	636	voopoo.exe	voopoo.tmp
PID 636 wrote to memory of 2836	636	voopoo.exe	voopoo.tmp
PID 636 wrote to memory of 2836	636	voopoo.exe	voopoo.tmp
PID 636 wrote to memory of 2836	636	voopoo.exe	voopoo.tmp

C:\Users\Admin\AppData\Local\Temp\d008b5ac1b929144d485b6042baebe2b.exe
"C:\Users\Admin\AppData\Local\Temp\d008b5ac1b929144d485b6042baebe2b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Custom voopoo.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Custom voopoo.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Users\Admin\AppData\Local\Temp\is-QKEA3.tmp\voopoo.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QKEA3.tmp\voopoo.tmp" /SL5="$301E4,14825652,721408,C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
433B

MD5
a0bd008f1784270ab5d5819224c20278

SHA1
2d48ab14d3b48b094e3f9d784a3009f5d1d7756a

SHA256
03b38d0fc40588e23800082f878f9333bffd955ebc49c23fcc01f1fcd45823e9

SHA512
9bc71a5da16f4c77a05d857e24fc9f7aebfb3323c5f8328d1893988b02861d46b0446f748d4b6df3a79ee789e94519b3ec145214657728a21fbfbfd21d102a0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe

Filesize
1.6MB

MD5
9ebe99ba9998161386623f2ce52c0e32

SHA1
28111b5b1b87df3cde2f0a1ae773807e80602ffb

SHA256
12faf5b43777b6b4df8c553cb8f54c8aeb1e30d9d7bfa25925b27303d8bf3ef6

SHA512
4f15a660ab05a88cffbcd7ffc08a2d3ae82b8af562f6c37388e72e4284d40cc1191608522ce5c9cb60194355a1266a8fc4ebafb1662f2dc9e52ae0c2a08dd781

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe

Filesize
1.4MB

MD5
faeb4d5e1539290dfb273470039c9091

SHA1
5db21e5127da16ae709f4179cb89c014e9f096a7

SHA256
d51c1c53d4f5b11f3d647bb1a4392364be90a1aa88be9fb198b0a583fdcabb9e

SHA512
676947e2abb1d4b31929609c00ae47f60d31e3eae66c102060e5e1119f2ad40346214b21fe372331c8b9c4fbd76a18780d018d684fd0b24a21e58a7106651975

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe

Filesize
1.4MB

MD5
301ed5b076aa54c8366a91c285870ae7

SHA1
4530fbfc7c0acbbba1005b75beadd6c9bd08bff6

SHA256
2564a9ba3cd28b1628a2915b81c25335d5122a495e8995b9292b2be87e8023a4

SHA512
8a7ce8229c1cfb06b9bf87ac7741891c76152b63cdfa1ed0dd1c60bf8cd3e3b28b32ebbab546e8988af7d938f00c88945bc3b28b9b4becce8e7f965508ea647f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QKEA3.tmp\voopoo.tmp

Filesize
770KB

MD5
6152a4ec960a9f763358626e1633abd7

SHA1
b5dd3c5569ab0af0ea22243e1eb56fdd0181946d

SHA256
28d6ef22fa184e64be2dfc1e6c08d56f8e51df305c4d8b30a5884f11d1ede0f2

SHA512
13fd36b9a6895c291175e54acf7626ecd0b2bfb1a05c152482ea4781eaa93a71d9dd34a2a9bdb9a9537abbac5ebd3d6e58fef67eb7444289440cfd8e43dd733f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Custom voopoo.exe

Filesize
275KB

MD5
ebc6d55a45996861c5a84937d2a990da

SHA1
db9e42e191c95168d03274cc4d0ab18e35d3f314

SHA256
42f1065841dc77643d3a3c33fb40de4c2931e3a4d15d9802fff0a194c821ea2b

SHA512
927560123afb2d46c4a57065402182bf5522bc3be9d4d9593ec79d72eb4fdd12edc85dbe77d24e2801550bf1c09ac950521b52a62c384de2aad2304edf8db477

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe

Filesize
2.0MB

MD5
16640f3e9b39a261e4abf6b1d970e345

SHA1
8b90fd9ee19dd0e7e0c04bdd53baa8126239c4ed

SHA256
16a46e5a280c9e00b5f4c605a8184b383547e17fdf1c794cfd98a8ecc2f76c2d

SHA512
1d72f082b5efc0793c099f55c3c81d4f50bdde219b9a437b87b74bf30d7a10db72784911ce43d555598d3bd4bbbdd38f11a9555df741193a25b60ea5407d5775

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe

Filesize
1.7MB

MD5
eabe288149f1763932421a9c2fb7214f

SHA1
cda4e5dc84651c29638c9c651455c8f24e5feb95

SHA256
4052da2cd5039e4d217170c81247f7f47d947e52851fd014212204bd72d77cb0

SHA512
36b4035daef46858c47b9af14e4805e2663af728da3af8c98d51439c9c5dbb0fe52596d3665138d746a49605d196731d312ae77e3af9e58755c7a9901e0d74a2

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe

Filesize
1.8MB

MD5
271dd4f733349d8c418d1bcea989f892

SHA1
5be9d04af9d9a7d04ecd26ee4bc3f72a79b78628

SHA256
270299c9c9a95e15d011a6168d7a6bcf126f9eb0e9338376b010e0a32a2c685b

SHA512
2f52504497688ecc0dedc02d8c9ca939bedc88783d9e38bdd7a8a5f60095b62ecc34fa24622adf1244b88cc65516405b74e0b4f74323c7084812a9bf8fdeca25

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\voopoo.exe

Filesize
1.7MB

MD5
9af74d3edeebaff03af954416fc8ad61

SHA1
ad7494cd6c80faeab3d3fb0c95f6e555f14bc897

SHA256
c5d38b7603fd8dd0c473a75d60032642ff8b7da9e9c378b3853b8da43069475f

SHA512
82f26b631f830649f70e0f9af2c8ce9258bed1af0998957613da7128868a7fc2fd9e586bbdc1734a382f8f6c71ba3167f686530b61934ea8eeb67666ac3d765a

Download Submit
\Users\Admin\AppData\Local\Temp\is-QKEA3.tmp\voopoo.tmp

Filesize
1.0MB

MD5
0c1d90e7ca1620ccfaec73e042d75045

SHA1
35ce11a5f5d26ff8796701387d3121cda0f5c9b8

SHA256
a8868f711bc6bc4b1f6c7596c1527330f1fd9406ba45a62d4651aa30132959ff

SHA512
b450264eef1ce7b211fdbaa299ef702101768552c4da07b6381b1e977ac48624ff010aee640e6e52738e4f8ac2ef8bdd38aafa8c0b171f768de8afea26e851d0

Download Submit
memory/636-83-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/636-93-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2784-18-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/2784-17-0x0000000000E20000-0x0000000000E6C000-memory.dmp

Filesize
304KB

Download
memory/2784-69-0x000007FEF5740000-0x000007FEF612C000-memory.dmp

Filesize
9.9MB

Download
memory/2784-19-0x0000000000D90000-0x0000000000E10000-memory.dmp

Filesize
512KB

Download
memory/2836-91-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2836-94-0x0000000000400000-0x0000000000679000-memory.dmp

Filesize
2.5MB

Download
memory/2836-97-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download