44caliber | 994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397

General

Target

nyen2eabmfb.exe
Size

1.3MB
MD5

7ce622cc13886a55bfce9bcc088c8dc6
SHA1

6aa21ea3cbd05b2727c2f7cd5328532d617c0dd0
SHA256

994d73477a5e2a22bf00a7898bc2b8ad784ec844bc27dbc43c3aa5576d3ec397
SHA512

d824d400f0663b3c7ad2a81a4fc449b78d1a01e97517168245716d2b454c7fc4e1bbc09af56a9913462626184a5db0b6f65ce77f2d5eb1ed39c5ed3bb505efad
SSDEEP

24576:fF6kcnUDuwg5tW2l8Ye01R7E/k3vy8OKtlm0PDwVOt3PAThh9qAM:0Lnw69lLeOhbq+GOt3PO5dM

Score

10^/10

44caliber credential_access discovery spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/1274462328603148298/RG8TQ5NOTPK7lllW9DXds8Z7Vj68QWZX7Duc-LfDNeqa_HouSEGlNyNzsrVH6EfQxrh8

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Executes dropped EXE 1 IoCs

Processes:

Insidious_protected.exe

pid process

2516 Insidious_protected.exe

pid	process
2516	Insidious_protected.exe

Loads dropped DLL 9 IoCs

Processes:

nyen2eabmfb.exeWerFault.exe

pid	process
2696	nyen2eabmfb.exe
2696	nyen2eabmfb.exe
2696	nyen2eabmfb.exe
2696	nyen2eabmfb.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

Insidious_protected.exe

pid process

2516 Insidious_protected.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2648 2516 WerFault.exe Insidious_protected.exe

pid	process
2516	Insidious_protected.exe

pid	pid_target	process	target process
2648	2516	WerFault.exe	Insidious_protected.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

nyen2eabmfb.exeInsidious_protected.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyen2eabmfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Insidious_protected.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Insidious_protected.exe

pid process

2516 Insidious_protected.exe
2516 Insidious_protected.exe
2516 Insidious_protected.exe
2516 Insidious_protected.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Insidious_protected.exe

description pid process

Token: SeDebugPrivilege 2516 Insidious_protected.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Insidious_protected.exe

pid process

2516 Insidious_protected.exe

pid	process
2516	Insidious_protected.exe
2516	Insidious_protected.exe
2516	Insidious_protected.exe
2516	Insidious_protected.exe

description	pid	process
Token: SeDebugPrivilege	2516	Insidious_protected.exe

pid	process
2516	Insidious_protected.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

nyen2eabmfb.exeInsidious_protected.exe

description	pid	process	target process
PID 2696 wrote to memory of 2516	2696	nyen2eabmfb.exe	Insidious_protected.exe
PID 2696 wrote to memory of 2516	2696	nyen2eabmfb.exe	Insidious_protected.exe
PID 2696 wrote to memory of 2516	2696	nyen2eabmfb.exe	Insidious_protected.exe
PID 2696 wrote to memory of 2516	2696	nyen2eabmfb.exe	Insidious_protected.exe
PID 2696 wrote to memory of 2516	2696	nyen2eabmfb.exe	Insidious_protected.exe
PID 2696 wrote to memory of 2516	2696	nyen2eabmfb.exe	Insidious_protected.exe
PID 2696 wrote to memory of 2516	2696	nyen2eabmfb.exe	Insidious_protected.exe
PID 2516 wrote to memory of 2648	2516	Insidious_protected.exe	WerFault.exe
PID 2516 wrote to memory of 2648	2516	Insidious_protected.exe	WerFault.exe
PID 2516 wrote to memory of 2648	2516	Insidious_protected.exe	WerFault.exe
PID 2516 wrote to memory of 2648	2516	Insidious_protected.exe	WerFault.exe
PID 2516 wrote to memory of 2648	2516	Insidious_protected.exe	WerFault.exe
PID 2516 wrote to memory of 2648	2516	Insidious_protected.exe	WerFault.exe
PID 2516 wrote to memory of 2648	2516	Insidious_protected.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\nyen2eabmfb.exe
"C:\Users\Admin\AppData\Local\Temp\nyen2eabmfb.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\Insidious_protected.exe
  "C:\Users\Admin\AppData\Local\Temp\Insidious_protected.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1208
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

2

T1552

Credentials In Files

2

T1552.001

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
\Users\Admin\AppData\Local\Temp\Insidious_protected.exe

Filesize
1.2MB

MD5
d9ccde3b728fba6d6e3f1b92c75a11a8

SHA1
b0bbe87ae7519b5d6dcd7f6282e891922971942d

SHA256
d5a18b44a40e9bc1952bce6e187b81926ffd358aa5ebe95921cde2b9a72b172f

SHA512
738f1b568009a6df2fcaf2f1c8aba6aee91b4a66474e095d6e483b72ebf1d5309d33908dd1531407a69520b657bdfa75c6b3eda796c20bf1542b632030e58db4

Download Submit
memory/2516-17-0x0000000000290000-0x000000000064A000-memory.dmp

Filesize
3.7MB

Download
memory/2516-19-0x0000000000290000-0x000000000064A000-memory.dmp

Filesize
3.7MB

Download
memory/2696-6-0x0000000003B60000-0x0000000003F1A000-memory.dmp

Filesize
3.7MB

Download
memory/2696-15-0x0000000003B60000-0x0000000003F1A000-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads