44caliber | c383f1a8383c27fda0910a6691aa4a7561d86094e3309df7d2ad787d8e601086

Analysis

max time kernel
133s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan.exe
Size

1.4MB
MD5

04dd1f99162ef231ab0c9d28d181e9d2
SHA1

af9cb52510704981a6e3daeae61c617d711366ef
SHA256

c383f1a8383c27fda0910a6691aa4a7561d86094e3309df7d2ad787d8e601086
SHA512

701b7557e14384648fafdc58ae28f76abee5d1c9f567884c42371e722d699d923ac6df68d0a896207452a2eeea4fe65cbcd350f11a2ff519b51b776970565614
SSDEEP

24576:wBmXmo2G/nvxW3Ww0tBBlxD41ittL91eboEH2IgYAUUjZhI:wBi3bA30BBlxnioE5AW

Score

10^/10

44caliber dcrat infostealer rat spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1245420777592062054/saI81XWOLJi1mJiEEt2FK-cyIKsq2Ayc-BlexWZ-2Fj0plrNSjRsNmF63M5uf5r_C7a0

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 1 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/1868-11-0x0000000000400000-0x0000000000572000-memory.dmp	dcrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Nursultan.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Nursultan.exe

Executes dropped EXE 1 IoCs

Processes:

Insidious.exe

pid process

3244 Insidious.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
4 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Insidious.exe

pid process

3244 Insidious.exe
3244 Insidious.exe
3244 Insidious.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious.exe

description pid process

Token: SeDebugPrivilege 3244 Insidious.exe

pid	process
3244	Insidious.exe

flow	ioc
3	freegeoip.app
4	freegeoip.app

pid	process
3244	Insidious.exe
3244	Insidious.exe
3244	Insidious.exe

description	pid	process
Token: SeDebugPrivilege	3244	Insidious.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

Nursultan.exe

description	pid	process	target process
PID 1868 wrote to memory of 3244	1868	Nursultan.exe	Insidious.exe
PID 1868 wrote to memory of 3244	1868	Nursultan.exe	Insidious.exe

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Users\Admin\AppData\Local\Temp\Insidious.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4200,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:8
1⤵
PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
303KB

MD5
bf315b4f45ed1773fcf9384a004df664

SHA1
728d338d4889c1a92d4d5df7a8afb0bf2d4e73b1

SHA256
8cd6840512dac2770f4960ed7e4291bbe6b655b5905f4bb751c9383ba827a822

SHA512
f0b2cff9469f8935e0012ae68711d655c7d6d563f242da14565f153591f3d0d281c31123a99c913262915fb76cf3c2a027642bf43ff69b27289640c7e3339b6a

Download Submit
memory/1868-11-0x0000000000400000-0x0000000000572000-memory.dmp

Filesize
1.4MB

Download
memory/3244-12-0x00007FF939B93000-0x00007FF939B95000-memory.dmp

Filesize
8KB

Download
memory/3244-13-0x000001A4C81F0000-0x000001A4C8242000-memory.dmp

Filesize
328KB

Download
memory/3244-40-0x00007FF939B90000-0x00007FF93A651000-memory.dmp

Filesize
10.8MB

Download
memory/3244-41-0x00007FF939B90000-0x00007FF93A651000-memory.dmp

Filesize
10.8MB

Download