44caliber | af90a58cb631e8686b0eb7aead92e9144a67bcee347f334cb94c0ea4ff2c6fa0

Analysis

max time kernel
315s
max time network
1604s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-05-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cheat1337.exe
Size

274KB
MD5

0e456a02bce08794675f2a738832f64b
SHA1

ac62b40c94f249ff5321cbb92916bd792bea8ac3
SHA256

af90a58cb631e8686b0eb7aead92e9144a67bcee347f334cb94c0ea4ff2c6fa0
SHA512

a93e8d97a584260a7b54b49bf6270914ba16a755316f77cec535aba5a4ad0ae9565aebfb0d7482c56e29f6f475819fd01af4c71cdec7fba10dbae90c2c3780a4
SSDEEP

6144:Ef+BLtABPDs1oxNjNRScMH5cgowVafTy0lI1D0Lxv:P1AocY5cgT51DWv

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1241719653261381754/XbxjhZ4wtRoKit2nl97hNtrvDOYBLt6LEFnYyml5D9aEIZfgPQvYAFRYYrjKxr9HIlR_

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 freegeoip.app
2 freegeoip.app

flow	ioc
1	freegeoip.app
2	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cheat1337.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	cheat1337.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	cheat1337.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cheat1337.exe

pid process

4184 cheat1337.exe
4184 cheat1337.exe
4184 cheat1337.exe
4184 cheat1337.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cheat1337.exe

description pid process

Token: SeDebugPrivilege 4184 cheat1337.exe

pid	process
4184	cheat1337.exe
4184	cheat1337.exe
4184	cheat1337.exe
4184	cheat1337.exe

description	pid	process
Token: SeDebugPrivilege	4184	cheat1337.exe

C:\Users\Admin\AppData\Local\Temp\cheat1337.exe
"C:\Users\Admin\AppData\Local\Temp\cheat1337.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
706B

MD5
bc049abaf5886c0d626267efbec40694

SHA1
f749e257b7b81fa15db4f8e282323a7fc1cda9fa

SHA256
7e904d24e505bf2794712bae09359f4d0a1d7fbc3272352ee69d41b7e78fdcc7

SHA512
13ca16e24d25c8513c9e3f35e4e5b9657b36b7cac48d34a6b38992f4ce7ebf8f7d8984f09ee7c2a54999752451dc9c9b9760334859bf0793f1ad5870ecc5e5ad

Download Submit
C:\Users\Admin\AppData\Roaming\44\Process.txt
Filesize
858B

MD5
24973b7672b0c369a1d11800464b6296

SHA1
86c3457924778e312ebbcf71f96489a73eb68207

SHA256
eb9b69cf9e60bc1d1223e54709dc91f97b6e4cf5f37757a73a5071de8625312e

SHA512
c5f6d614f6c8e64dc86c1ff59ea8020d5e6f5a949a2c11c075e880fe9427b19a958a0f4aa9ab2627782e4e04e90f4f7d6f67cc0222d63e89673a41c1e1489880

Download Submit
memory/4184-1-0x00000295B12D0000-0x00000295B131A000-memory.dmp

Filesize
296KB

Download
memory/4184-0-0x00007FFBE0F83000-0x00007FFBE0F84000-memory.dmp

Filesize
4KB

Download
memory/4184-12-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download
memory/4184-94-0x00007FFBE0F80000-0x00007FFBE196C000-memory.dmp

Filesize
9.9MB

Download