44caliber | 9785139b6e8bc5f53da68bed1b78f0567aa00d0de965f8e802e038a1243853e6

Analysis

max time kernel
120s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de3258d448ac5d543c996a6b4c0fd6b8.exe
Size

3.3MB
MD5

de3258d448ac5d543c996a6b4c0fd6b8
SHA1

44b4fe0e0d731011467f2f0c831f83801c0d068c
SHA256

9785139b6e8bc5f53da68bed1b78f0567aa00d0de965f8e802e038a1243853e6
SHA512

71edbb9e13fcdb5f3a86d79446dc4a87c50438b64e7b3cb108fe543be5954e06d3f6f4e9d34135f6baeb8bc19eafa32263e673fae2fdaed547354571b1cffdc7
SSDEEP

98304:1/xTTgkJENlhU7ZLsyEQrbRt64dtARJACo9x4RqsSTyIv:rTTguENAlLtPrb7Ri/ACo9mR+ys

Score

10^/10

44caliber echelon collection discovery evasion spyware stealer themida trojan

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/877099784312328213/gbN3AhFr-HwOYeSmi-AjLnTIHhnG8GV5LfjEhIncHO-_rtFM2jafytOi5GkZCyhMgXTd

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detects Echelon Stealer payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe	family_echelon
behavioral2/memory/2140-39-0x000001802BE30000-0x000001802BEC8000-memory.dmp	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

de3258d448ac5d543c996a6b4c0fd6b8.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ de3258d448ac5d543c996a6b4c0fd6b8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	de3258d448ac5d543c996a6b4c0fd6b8.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

de3258d448ac5d543c996a6b4c0fd6b8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	de3258d448ac5d543c996a6b4c0fd6b8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	de3258d448ac5d543c996a6b4c0fd6b8.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

de3258d448ac5d543c996a6b4c0fd6b8.exeRACKED.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	de3258d448ac5d543c996a6b4c0fd6b8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	RACKED.exe

Executes dropped EXE 3 IoCs

Processes:

RACKED.exeProtonHack.exeProtonHackers.exe

pid process

332 RACKED.exe
3008 ProtonHack.exe
2140 ProtonHackers.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
332	RACKED.exe
3008	ProtonHack.exe
2140	ProtonHackers.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/4344-0-0x0000000000400000-0x0000000000C12000-memory.dmp	themida
behavioral2/memory/4344-13-0x0000000000400000-0x0000000000C12000-memory.dmp	themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ProtonHackers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ProtonHackers.exe
Key opened	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ProtonHackers.exe
Key opened	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ProtonHackers.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

de3258d448ac5d543c996a6b4c0fd6b8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	de3258d448ac5d543c996a6b4c0fd6b8.exe

Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

32 freegeoip.app
40 api.ipify.org
41 api.ipify.org
50 ip-api.com
31 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

de3258d448ac5d543c996a6b4c0fd6b8.exe

pid process

4344 de3258d448ac5d543c996a6b4c0fd6b8.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
32	freegeoip.app
40	api.ipify.org
41	api.ipify.org
50	ip-api.com
31	freegeoip.app

pid	process
4344	de3258d448ac5d543c996a6b4c0fd6b8.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ProtonHack.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	ProtonHack.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	ProtonHack.exe

NTFS ADS 2 IoCs

Processes:

RACKED.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\40==K5 >B 0::0.txt	RACKED.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\40==K5 >B 0::0.txt	RACKED.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

ProtonHack.exeProtonHackers.exe

pid	process
3008	ProtonHack.exe
3008	ProtonHack.exe
3008	ProtonHack.exe
3008	ProtonHack.exe
3008	ProtonHack.exe
2140	ProtonHackers.exe
2140	ProtonHackers.exe
2140	ProtonHackers.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ProtonHack.exeProtonHackers.exe

description pid process

Token: SeDebugPrivilege 3008 ProtonHack.exe
Token: SeDebugPrivilege 2140 ProtonHackers.exe

description	pid	process
Token: SeDebugPrivilege	3008	ProtonHack.exe
Token: SeDebugPrivilege	2140	ProtonHackers.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

de3258d448ac5d543c996a6b4c0fd6b8.exeRACKED.exe

description	pid	process	target process
PID 4344 wrote to memory of 332	4344	de3258d448ac5d543c996a6b4c0fd6b8.exe	RACKED.exe
PID 4344 wrote to memory of 332	4344	de3258d448ac5d543c996a6b4c0fd6b8.exe	RACKED.exe
PID 4344 wrote to memory of 332	4344	de3258d448ac5d543c996a6b4c0fd6b8.exe	RACKED.exe
PID 332 wrote to memory of 3008	332	RACKED.exe	ProtonHack.exe
PID 332 wrote to memory of 3008	332	RACKED.exe	ProtonHack.exe
PID 332 wrote to memory of 2140	332	RACKED.exe	ProtonHackers.exe
PID 332 wrote to memory of 2140	332	RACKED.exe	ProtonHackers.exe

outlook_office_path 1 IoCs

Processes:

ProtonHackers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ProtonHackers.exe

outlook_win_path 1 IoCs

Processes:

ProtonHackers.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ProtonHackers.exe

C:\Users\Admin\AppData\Local\Temp\de3258d448ac5d543c996a6b4c0fd6b8.exe
"C:\Users\Admin\AppData\Local\Temp\de3258d448ac5d543c996a6b4c0fd6b8.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4344

C:\Users\Admin\AppData\Local\Temp\RACKED.exe
"C:\Users\Admin\AppData\Local\Temp\RACKED.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe
"C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe"
3⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe
"C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe"
3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4052 --field-trial-handle=2260,i,9938964625802268469,1928462186077019554,262144 --variations-seed-version /prefetch:8
1⤵
PID:4604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ProtonHack.exe
Filesize
274KB

MD5
9df1e86f0c44b525df31975949fe225a

SHA1
a1869bd91c12f6e96339d112d2acb0f018c31f6e

SHA256
13685d73ac437d3d5f976b9f600b183a489aa8871596ee9bec5d27ceb53c0b13

SHA512
7dfe7348e4934aa5d5b21af64ed0d90397fb430ea8dd6f5b104b69edc80e51766c6150f8db37749912dc47f604fa18dff4e9cfbf7a850248d16cf8acdd2d5bb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProtonHackers.exe
Filesize
581KB

MD5
ae9fc2812c2a6d55c9f66b626963639f

SHA1
22b0e3477e075bb7fbe70121f51567d50c6d5d39

SHA256
c46ae05c8aecb322d21d504e5dc4665304c12f4a23da2222f58bc940ee53345c

SHA512
37ef5617f2fda51865f850a9d089e9e56de29508a1b153ada6fd8e32375fdd0f8750b9c5946508a5b0a7a06d61f271fc3d4ffca66d2a8ae72adfed11fc226e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\RACKED.exe
Filesize
575KB

MD5
1bedb8644adbf8aa590d04ebb31edb87

SHA1
5467bb793d56356a418c779dd2677c9ebf92a7a6

SHA256
5db197f06ea1b086ef988650989d7dc85388a1f6be6d4fc1cfa27231f05e587b

SHA512
5c56418fe8d4536d6227123df14204235f2c86276030ed6f2a420daf41b3a78614aa374916daa92a06bfdaf6a204f54f22cf97ba33f492b9376ab798313acdac

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd078BFBFF000306D2E22BA794.tmp
Filesize
92KB

MD5
fbe4c51ee21cb3ec2e3c7698c9f7bdb0

SHA1
22f78716f3ab309bb89a86dc7f2f4f71f05e5aae

SHA256
fd94eefb6e43f441bc8daafd21b51612016a8baecf93a088e91e4e3b6c0b36d0

SHA512
6185afbbb674c2dad6a737fff3e7283633595bb8aea200b1312a98967060f3e3bd93c2f51116ce5350de6d9abd78c0de8aeb31706b85e793e00e104a08353278

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
1KB

MD5
7cf2d5d272b2206b41811c6cadf1fabe

SHA1
816d7b3699644d2b7bab799160952ba1ae89c736

SHA256
ce498281ff312f74a4002d26b45af927687d9a845d36706af3f54ae6de388e29

SHA512
0e2ed1326e9fbd76428060e38af425ca314984b69e65a8b3ef7eee9a37f4454c67f5727c4ba7abcb6c3b99b6625098440c6c0cebf2b041432b8335c56cb4c08b

Download Submit
memory/2140-171-0x0000018046450000-0x0000018046460000-memory.dmp

Filesize
64KB

Download
memory/2140-39-0x000001802BE30000-0x000001802BEC8000-memory.dmp

Filesize
608KB

Download
memory/2140-71-0x00007FFA61880000-0x00007FFA62341000-memory.dmp

Filesize
10.8MB

Download
memory/2140-172-0x0000018046620000-0x0000018046696000-memory.dmp

Filesize
472KB

Download
memory/2140-209-0x00007FFA61880000-0x00007FFA62341000-memory.dmp

Filesize
10.8MB

Download
memory/3008-36-0x0000000000D10000-0x0000000000D5A000-memory.dmp

Filesize
296KB

Download
memory/3008-52-0x00007FFA61880000-0x00007FFA62341000-memory.dmp

Filesize
10.8MB

Download
memory/3008-65-0x0000000002D50000-0x0000000002D60000-memory.dmp

Filesize
64KB

Download
memory/3008-178-0x00007FFA61880000-0x00007FFA62341000-memory.dmp

Filesize
10.8MB

Download
memory/4344-13-0x0000000000400000-0x0000000000C12000-memory.dmp

Filesize
8.1MB

Download
memory/4344-0-0x0000000000400000-0x0000000000C12000-memory.dmp

Filesize
8.1MB

Download
memory/4344-1-0x00000000779C4000-0x00000000779C6000-memory.dmp

Filesize
8KB

Download