44caliber | 1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6

Analysis

max time kernel
142s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-06-2024 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe
Size

252KB
MD5

8f0c03643467c7db494a21edd2c18400
SHA1

8efacb614fd255331e2c46d44678981ac9d32d27
SHA256

1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6
SHA512

6eb1c273cbce340444289dbce05f87890e92024d117cb1eaa2dc2f56a8dbc457bf8fb8d426cc401da8d2ebe3d5abebdc7f6d369454b821aa4d3549b3de71a8c9
SSDEEP

3072:MO7bMqu+6juQulgpsXuZ4jB/l3jAQ9iGb9Okv5H+dU5nZUVBsf/5JCsfhI/KQ73r:TbMu6YIejB/hA2iGB7edU5eK8d

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1251114546576494723/tXNLbJKNqLuPx5ncqCYn3VLtnEirV2Nq2ZSnMIH2N-D8Y9ZGZqL60vo8KWWurw_TzBjT

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 freegeoip.app
3 freegeoip.app

flow	ioc
2	freegeoip.app
3	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe

pid	process
4416	1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe
4416	1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe
4416	1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe
4416	1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 4416 1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	4416	1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1a0d29582aa1f16cd794b95e3e257799eacef8341cceb5588ae6dbf4dfcc79d6_NeikiAnalytics.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
1⤵
PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
737B

MD5
819a7f52bd57a91f6d3012f2383e6bce

SHA1
0e7e4add971267921e1556498e107597e0073a16

SHA256
bf4d1cd85531a39708513010b31f827e4ae9b95fd23de8893621eca9989180b9

SHA512
46a1ca4c7ae98bf7822b4b7412924e749201a7ae37fc158156e46090a14aec504a79b22261f1ca5e44ce79cc9e8519531c0916697d1f1cae3e8473c870099c7a

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
e6ea5e3ba1e0ccf2e912d2471d4869b2

SHA1
e1f6e100fee9c7d39d89b013ff14d58cbbf5b19a

SHA256
8f5e4d7fd8fdd1b4c3b0c200d2d7aff2a0f7e065219c7e37511395a1511cee40

SHA512
2ce9fe7535e787d823d1412737e3c8e2387fbe8b22b70f5df061f737b58b9a4108f2726d4d242f545972a8281b4838dd3c24f735025dbe6654dd45479e905f7f

Download Submit
memory/4416-0-0x00007FF9D5CB3000-0x00007FF9D5CB5000-memory.dmp

Filesize
8KB

Download
memory/4416-1-0x0000028A91C60000-0x0000028A91CA6000-memory.dmp

Filesize
280KB

Download
memory/4416-2-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download
memory/4416-123-0x00007FF9D5CB0000-0x00007FF9D6771000-memory.dmp

Filesize
10.8MB

Download