44caliber | bb5c467c398cbbb648668f5aaec8da190eab2de1fb2ee47d0e03b01483b4f53e

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ovisetup.exe
Size

3.7MB
MD5

706efb0990f7aa5332f8ef6f3b1c5993
SHA1

ad57d0f430a79cbd1a1fcf27907bd15894103b13
SHA256

bb5c467c398cbbb648668f5aaec8da190eab2de1fb2ee47d0e03b01483b4f53e
SHA512

3a050d8854f8b8915ccbcb79a4883547b0e408c9ca327a0793cf21c7acddab4cde3f3619b741eb37b3dc98211ae0d7b65cea0f57a11b6bfc5d054c0fd3497233
SSDEEP

98304:GVGtaEm35Jo2PTZpZq49ACYc18nxIusLz6cMlGWwH/gZGcg:SGtdz2PzA49AFcinbsLz84rfwGR

Score

10^/10

44caliber evasion spyware stealer trojan

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1140967450750484572/9nxWu2w_HfkHC1lMMNnzNPxLArNJ-MGc7djzUyKDcKdtmuzCF7HY_Gilg6rdXdzPw-v4

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

vanishvpn.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	vanishvpn.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vanishvpn.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vanishvpn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vanishvpn.exe

Executes dropped EXE 2 IoCs

Processes:

cheats.exevanishvpn.exe

pid	Process
2432	cheats.exe
1912	vanishvpn.exe

Loads dropped DLL 2 IoCs

Processes:

ovisetup.exe

pid	Process
2364	ovisetup.exe
2364	ovisetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

vanishvpn.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	vanishvpn.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
4	freegeoip.app
5	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cheats.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	cheats.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	cheats.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

vanishvpn.execheats.exe

pid	Process
1912	vanishvpn.exe
1912	vanishvpn.exe
2432	cheats.exe
2432	cheats.exe
2432	cheats.exe
2432	cheats.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

vanishvpn.execheats.exe

description	pid	Process
Token: 0	1912	vanishvpn.exe
Token: 1	1912	vanishvpn.exe
Token: SeCreateTokenPrivilege	1912	vanishvpn.exe
Token: SeAssignPrimaryTokenPrivilege	1912	vanishvpn.exe
Token: SeLockMemoryPrivilege	1912	vanishvpn.exe
Token: SeIncreaseQuotaPrivilege	1912	vanishvpn.exe
Token: SeMachineAccountPrivilege	1912	vanishvpn.exe
Token: SeTcbPrivilege	1912	vanishvpn.exe
Token: SeSecurityPrivilege	1912	vanishvpn.exe
Token: SeTakeOwnershipPrivilege	1912	vanishvpn.exe
Token: SeLoadDriverPrivilege	1912	vanishvpn.exe
Token: SeSystemProfilePrivilege	1912	vanishvpn.exe
Token: SeSystemtimePrivilege	1912	vanishvpn.exe
Token: SeProfSingleProcessPrivilege	1912	vanishvpn.exe
Token: SeIncBasePriorityPrivilege	1912	vanishvpn.exe
Token: SeCreatePagefilePrivilege	1912	vanishvpn.exe
Token: SeCreatePermanentPrivilege	1912	vanishvpn.exe
Token: SeBackupPrivilege	1912	vanishvpn.exe
Token: SeRestorePrivilege	1912	vanishvpn.exe
Token: SeShutdownPrivilege	1912	vanishvpn.exe
Token: SeDebugPrivilege	1912	vanishvpn.exe
Token: SeAuditPrivilege	1912	vanishvpn.exe
Token: SeSystemEnvironmentPrivilege	1912	vanishvpn.exe
Token: SeChangeNotifyPrivilege	1912	vanishvpn.exe
Token: SeRemoteShutdownPrivilege	1912	vanishvpn.exe
Token: SeUndockPrivilege	1912	vanishvpn.exe
Token: SeSyncAgentPrivilege	1912	vanishvpn.exe
Token: SeEnableDelegationPrivilege	1912	vanishvpn.exe
Token: SeManageVolumePrivilege	1912	vanishvpn.exe
Token: SeImpersonatePrivilege	1912	vanishvpn.exe
Token: SeCreateGlobalPrivilege	1912	vanishvpn.exe
Token: 31	1912	vanishvpn.exe
Token: 32	1912	vanishvpn.exe
Token: 33	1912	vanishvpn.exe
Token: 34	1912	vanishvpn.exe
Token: SeDebugPrivilege	2432	cheats.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ovisetup.exe

description	pid	Process	procid_target
PID 2364 wrote to memory of 2432	2364	ovisetup.exe	28
PID 2364 wrote to memory of 2432	2364	ovisetup.exe	28
PID 2364 wrote to memory of 2432	2364	ovisetup.exe	28
PID 2364 wrote to memory of 2432	2364	ovisetup.exe	28
PID 2364 wrote to memory of 1912	2364	ovisetup.exe	29
PID 2364 wrote to memory of 1912	2364	ovisetup.exe	29
PID 2364 wrote to memory of 1912	2364	ovisetup.exe	29
PID 2364 wrote to memory of 1912	2364	ovisetup.exe	29

C:\Users\Admin\AppData\Local\Temp\ovisetup.exe
"C:\Users\Admin\AppData\Local\Temp\ovisetup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\AppData\Local\Temp\cheats.exe
  "C:\Users\Admin\AppData\Local\Temp\cheats.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\vanishvpn.exe
  "C:\Users\Admin\AppData\Local\Temp\vanishvpn.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
403B

MD5
adda14e6714a9f812f647acc2d5c3db9

SHA1
d2a2f42b216160ba5bc4c3c3ca31cc927c72d066

SHA256
9f057ee2015a55d88089e3c066dc975975756b9f43414acb02aa9c1c0e4cfd0e

SHA512
fc02c0fbb9996334522c1e99fdb86d53e14f18fd24fac6ca6e7080dde8d47b5a06c93455f053c1b6aa338bf5adc3c78b1156695d4eecd2d6cf3d34a1ea465a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\cheats.exe

Filesize
274KB

MD5
e7e9740dac490c26ac841fb3cbdcd130

SHA1
3747c1931aaf82a234b97369c58f36a98a9c8453

SHA256
d1db9e33522f50a835616658c4fd2831d87fa9db303bdf9e4571d45f94977a42

SHA512
eb12a5a86ed17ce5541d3bc3333a9b7f81fbdda99aa4f5bc5750ff83741e9678ac73d85c5d83337cb36851411a7704f9e3f72fb67216816a452694becdc8b7de

Download Submit
C:\Users\Admin\AppData\Local\Temp\vanishvpn.exe

Filesize
4.3MB

MD5
8b46261cdc4e3e422295a4d5031acf7c

SHA1
8baa5f9a0e01cfadf533d47d941e2aad779b5774

SHA256
4a3ea8123316dd531d080ebd15f50dd1448e7d443c45c81d59556efb7265900f

SHA512
20ead053166527914d2d95b5360b49093c35ba4b283fa24479bd0bc4bff426135a2076da3f2ef36bf2d875a454bd71bc785b2c79833ee46804e4cc066a25f796

Download Submit
memory/1912-13-0x000000013FCA0000-0x0000000140541000-memory.dmp

Filesize
8.6MB

Download
memory/1912-63-0x000000013FCA0000-0x0000000140541000-memory.dmp

Filesize
8.6MB

Download
memory/1912-66-0x000000013FCA0000-0x0000000140541000-memory.dmp

Filesize
8.6MB

Download
memory/2432-14-0x0000000000810000-0x000000000085A000-memory.dmp

Filesize
296KB

Download