44caliber | ac4480726395424221a325673e03466a459dac2f3168a8f15f6bf2edfb5ecf0e

Analysis

max time kernel
12s
max time network
12s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2024, 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aimware.exe
Size

1.0MB
MD5

f0aa774656a99e218a7e2fc2c82cd2f3
SHA1

68043818157f185f44cf1ee5b1096eaa65523f11
SHA256

ac4480726395424221a325673e03466a459dac2f3168a8f15f6bf2edfb5ecf0e
SHA512

20bc54f6870cf3973a5d33ce1e4377e2bb84a05b2ea525da6a325cdd3140ee57490f79ca3e6871ac70d45c66e038bccda93ca34878494f285ca6c6a149c2a8c4
SSDEEP

24576:jBkVdlYAKfUYd3/4+FjrKgF5nmsQEf21ucm:FsvHYS+FXPnyO2Icm

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discordapp.com/api/webhooks/1223534684466712578/OJzM_W-KXB6Dm5WRjG1g7FlWhDxGAwBV4ZXWD3CYjtrvY6z0qkodyZAKKulSwJIUxlGT

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation	aimware.exe

Executes dropped EXE 3 IoCs

pid	Process
1160	loader.exe
652	Insidious.exe
2760	1234.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	freegeoip.app
41	freegeoip.app

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1160	loader.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
652	Insidious.exe
652	Insidious.exe
652	Insidious.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	652	Insidious.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 1160	396	aimware.exe	84
PID 396 wrote to memory of 1160	396	aimware.exe	84
PID 396 wrote to memory of 652	396	aimware.exe	97
PID 396 wrote to memory of 652	396	aimware.exe	97
PID 396 wrote to memory of 2760	396	aimware.exe	100
PID 396 wrote to memory of 2760	396	aimware.exe	100
PID 396 wrote to memory of 2760	396	aimware.exe	100

C:\Users\Admin\AppData\Local\Temp\aimware.exe
"C:\Users\Admin\AppData\Local\Temp\aimware.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\loader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1160
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\1234.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\1234.exe"
  2⤵
  - Executes dropped EXE
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1234.exe

Filesize
93KB

MD5
47c672a1e8988431f000e8b68e9767cb

SHA1
86ae6bb62c518b082f8559547a31dd0968279af2

SHA256
9db195f3403d8ed5d3586133af733056736a45bf98d5f25c6c6eea5af1f93e2f

SHA512
cce818a43cda08c009735dc40a6ea7d9051260a6be52bf2baf55a5e5c7b3a327624b05443e204c40119a9177a0abfe7678e2a1f4764f7262553bf94092d0b6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe

Filesize
303KB

MD5
b274291ce2e012a004833bb57574729c

SHA1
65de247ae9cc760cd946d746327ab5fc5968dbd5

SHA256
fa94cc9b8728deaa172b9e2203e93395d70fdf4020b88d2b06d064f5bbf88904

SHA512
14c1a169c5025e3de79fcd60060a6b7c4d751ed0438af8ea161d1b578f8e5a486ac394b3cedab920228539df842e88086e93d516e459e87f9c56772bbf69732f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Loader.exe

Filesize
1.2MB

MD5
f7b1faf469ff40c92262042f6a2aee97

SHA1
eb8a41922518076b187cea63799876cc7fb6f3c3

SHA256
fc3f91250c78ff408ab86940b0334560d07b2f61edba9ce61abeba9a96df935e

SHA512
fe4dd456a6d2be4ba18ed435873ee3f35cd7fed912fd8de5267df78838c2ebaf6b6bc379f910f8d4cbcf6819c88d74de1a3714107d2d89e7669d712cc3c50631

Download Submit
memory/652-23-0x00000201403D0000-0x0000020140422000-memory.dmp

Filesize
328KB

Download
memory/652-50-0x00007FFE37360000-0x00007FFE37E21000-memory.dmp

Filesize
10.8MB

Download
memory/652-55-0x000002015A900000-0x000002015A910000-memory.dmp

Filesize
64KB

Download
memory/652-56-0x00007FFE37360000-0x00007FFE37E21000-memory.dmp

Filesize
10.8MB

Download
memory/2760-64-0x0000000072CB0000-0x0000000073261000-memory.dmp

Filesize
5.7MB

Download
memory/2760-65-0x0000000072CB0000-0x0000000073261000-memory.dmp

Filesize
5.7MB

Download
memory/2760-66-0x0000000001260000-0x0000000001270000-memory.dmp

Filesize
64KB

Download