44caliber | 96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
Size

1.2MB
MD5

11ae8536e9968d050d0eb53ca7fe8d00
SHA1

6741c252fa36715043c3afaf6bdb9687deb08cb0
SHA256

96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87
SHA512

0f3a3603828369fc3a3323c635ea7a3556b8fdf63fc558e1b8ecdb1fba71ac15a73497fad9ae03ca968338b61b1b9e84b573ab86c1b656735359bd753a1c6f55
SSDEEP

24576:NHR0G3bY4R9SslKujAZBZPIn+klcWK8fhx0aA:NyGrY4Rg2KucZLPI+kDK8JU

Score

10^/10

44caliber spyware stealer

Malware Config

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 ident.me
10 ident.me
4 freegeoip.app
5 freegeoip.app
8 ident.me

flow	ioc
9	ident.me
10	ident.me
4	freegeoip.app
5	freegeoip.app
8	ident.me

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe

pid	process
1936	96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
1936	96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
1936	96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
1936	96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe

description pid process

Token: SeDebugPrivilege 1936 96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	1936	96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\96da391df07d68b429d07bafa4966b37030448cbffb94db56450b6792e412d87_NeikiAnalytics.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\44\Process.txt

Filesize
459B

MD5
447d756dbc8b32b48d74c3359c3159d5

SHA1
69c056479c33ce5bc92a40d91cd03cc4a53c4559

SHA256
63a672e1c3b71b80b0abf4c37a28a2106a5fc8fc89e2677b9165d7cbbe0b1b7e

SHA512
d50c0d07be0e2c80556812ee9ed8a2a925971494befc8746b8d28039ce5bb914ef4993a2488f7f618ecc6a5ceb0763eb992884c349b3486c6dbbea923c06a73d

Download Submit
memory/1936-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

Filesize
4KB

Download
memory/1936-1-0x0000000000150000-0x0000000000392000-memory.dmp

Filesize
2.3MB

Download
memory/1936-2-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1936-3-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1936-4-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1936-51-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download
memory/1936-53-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

Filesize
9.9MB

Download