44caliber | 0f13239f4af5dc1c7dd7fdcfe1330c02fe31410935208a57ba8e5c53e4aa2680

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 07:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f13239f4af5dc1c7dd7fdcfe1330c02fe31410935208a57ba8e5c53e4aa2680N.exe
Size

7.5MB
MD5

013b74f725ebc6449ce2e1eb545aeb80
SHA1

5eacf5e9fc03f8641f467b82352b131e3c59ca61
SHA256

0f13239f4af5dc1c7dd7fdcfe1330c02fe31410935208a57ba8e5c53e4aa2680
SHA512

da310873a6f23e00c859e43dbdcb11c5a0c57de1c19f1e73b6b62f6d29390fb8fdca04ea6be0f85472e8e07447ae05dce4d189b8ee9d9529a05686afe26610fb
SSDEEP

196608:OPU39DbBHnbYq2EF6sXCXheIy9uG0jaIj:b39DVYqQ9XheIyvy

Score

10^/10

44caliber discovery pyinstaller spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1122569336733835314/pV5GwZljRF3rAOixx7tojWgzH5u5ja8SHJNo4ppqYGfqU8UHwq7r31ApoYXIgDbPFYow

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	0f13239f4af5dc1c7dd7fdcfe1330c02fe31410935208a57ba8e5c53e4aa2680N.exe

Executes dropped EXE 2 IoCs

pid	Process
3608	2.exe
3048	updater_Insidious.exe

Loads dropped DLL 10 IoCs

pid	Process
3608	2.exe
3608	2.exe
3608	2.exe
3608	2.exe
3608	2.exe
3608	2.exe
3608	2.exe
3608	2.exe
3608	2.exe
3608	2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	freegeoip.app
7	freegeoip.app

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000023456-54.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f13239f4af5dc1c7dd7fdcfe1330c02fe31410935208a57ba8e5c53e4aa2680N.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	updater_Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	updater_Insidious.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3048	updater_Insidious.exe
3048	updater_Insidious.exe
3048	updater_Insidious.exe
3048	updater_Insidious.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	updater_Insidious.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 3608	4324	0f13239f4af5dc1c7dd7fdcfe1330c02fe31410935208a57ba8e5c53e4aa2680N.exe	82
PID 4324 wrote to memory of 3608	4324	0f13239f4af5dc1c7dd7fdcfe1330c02fe31410935208a57ba8e5c53e4aa2680N.exe	82
PID 3608 wrote to memory of 2988	3608	2.exe	84
PID 3608 wrote to memory of 2988	3608	2.exe	84
PID 2988 wrote to memory of 3048	2988	cmd.exe	86
PID 2988 wrote to memory of 3048	2988	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\0f13239f4af5dc1c7dd7fdcfe1330c02fe31410935208a57ba8e5c53e4aa2680N.exe
"C:\Users\Admin\AppData\Local\Temp\0f13239f4af5dc1c7dd7fdcfe1330c02fe31410935208a57ba8e5c53e4aa2680N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\\Admin\Documents\updater_Insidious.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\Documents\updater_Insidious.exe
      C:\Users\\Admin\Documents\updater_Insidious.exe
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
730B

MD5
32b908b26f16af3eb1982009ce3f010a

SHA1
85be9f73ad4bdb35c0f350a6e1a2116ea44d7dcf

SHA256
55d92a92eae8d82ddd0c716506e780c7f641a0dddb534b204b93bba9000cdcc0

SHA512
e29fcdbeb7335e6c1002a1910dd43d60ee1e446fa12a3801b728216745ab14e11d06adfe331671de785a618c87b7af42d2207742522ad9896e23995ae9e72251

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
f9242ad916101aa5641a88df3194d484

SHA1
05b0068ce62896d8b5eab886262db51a174a0050

SHA256
8b385e59e665960f49b0f80ca0975b352cf4d652998b5e1b029b4b9e4987450f

SHA512
290d977d724f543d572c61a335ca9e7b5c332074433974cb276138b2d5334292552d425c2969f42be5f0a429e1fa8b6d99779caf583fd99fe38785dc6c0e070d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.exe

Filesize
1.3MB

MD5
e173c7cc8203d322f1581a8538c49131

SHA1
fef81703f72a03ca3bdaaa14c68437b9b8d768f8

SHA256
414cdd7f8f7be410c6fe0d8fcd3ccbc25541bf95d306c7f8cd499ddfea44195b

SHA512
300d01bd6ac8d1b9d839513a8b3169969069a0e2235d5b31938ccc5143c6afe1f5e2728b856ce8aa30222c6b92646359f9d31ece51106975698649921a4fa0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\_cffi_backend.cp310-win_amd64.pyd

Filesize
177KB

MD5
6f1b90884343f717c5dc14f94ef5acea

SHA1
cca1a4dcf7a32bf698e75d58c5f130fb3572e423

SHA256
2093e7e4f5359b38f0819bdef8314fda332a1427f22e09afc416e1edd5910fe1

SHA512
e2c673b75162d3432bab497bad3f5f15a9571910d25f1dffb655755c74457ac78e5311bd5b38d29a91aec4d3ef883ae5c062b9a3255b5800145eb997863a7d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\_hashlib.pyd

Filesize
63KB

MD5
d4674750c732f0db4c4dd6a83a9124fe

SHA1
fd8d76817abc847bb8359a7c268acada9d26bfd5

SHA256
caa4d2f8795e9a55e128409cc016e2cc5c694cb026d7058fc561e4dd131ed1c9

SHA512
97d57cfb80dd9dd822f2f30f836e13a52f771ee8485bc0fd29236882970f6bfbdfaac3f2e333bba5c25c20255e8c0f5ad82d8bc8a6b6e2f7a07ea94a9149c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\_socket.pyd

Filesize
77KB

MD5
819166054fec07efcd1062f13c2147ee

SHA1
93868ebcd6e013fda9cd96d8065a1d70a66a2a26

SHA256
e6deb751039cd5424a139708475ce83f9c042d43e650765a716cb4a924b07e4f

SHA512
da3a440c94cb99b8af7d2bc8f8f0631ae9c112bd04badf200edbf7ea0c48d012843b4a9fb9f1e6d3a9674fd3d4eb6f0fa78fd1121fad1f01f3b981028538b666

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\base_library.zip

Filesize
1.0MB

MD5
bc176d9269af256c73117f8c61a04885

SHA1
db2cf1682a6712415d97e157c37fe79d23f5c2aa

SHA256
32941f12a8185b33bfe598b77cd14e9f81b3a248fc527c77621fb065fab2b80a

SHA512
57cbee28ec68a0b4ad2bd4f48fb49a3f617fb80fdeb8e91883dfc35b462301c6936e8f048640bcd53fd9013ad1c666739a453e6858165cac164beaec186ff18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.3MB

MD5
c43b06ff74532d3f019ec49b305b6691

SHA1
536dbd74295e2de0fab50ae763d32e04e8dee4e4

SHA256
66b292e36fdb53a3b827bb23959551d4772942df2b300e99e719de29144164f1

SHA512
1f6af3f6abc231221c2dc708a6a838b5dbec5ee8e7e5bedd473ca2eb768c98783bae5660fd064c115873aedc0d5f55657b60498119a36710243d40c6c86dc37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\enc_Insidious.exe

Filesize
366KB

MD5
f5dd7e08d0d9dae82497075dfc7b65c7

SHA1
758de574ba0e49b949dba59cec107cddbbd73573

SHA256
317727bec7d85cae3e6301642fc4839b702819aa77c44506ea820baa0eaf9362

SHA512
82d6ccfb57aa3fa835c1b2bd0100eda8657083e67069d5fa9ef998eb1b915527899602b6158442d8e37f05c3f5e6afe6bae068288296f888a70f9a17b162ce89

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libcrypto-1_1.dll

Filesize
3.3MB

MD5
9d7a0c99256c50afd5b0560ba2548930

SHA1
76bd9f13597a46f5283aa35c30b53c21976d0824

SHA256
9b7b4a0ad212095a8c2e35c71694d8a1764cd72a829e8e17c8afe3a55f147939

SHA512
cb39aa99b9d98c735fdacf1c5ed68a4d09d11f30262b91f6aa48c3f8520eff95e499400d0ce7e280ca7a90ff6d7141d2d893ef0b33a8803a1cadb28ba9a9e3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\python3.dll

Filesize
64KB

MD5
fd4a39e7c1f7f07cf635145a2af0dc3a

SHA1
05292ba14acc978bb195818499a294028ab644bd

SHA256
dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9

SHA512
37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\python310.dll

Filesize
4.3MB

MD5
63a1fa9259a35eaeac04174cecb90048

SHA1
0dc0c91bcd6f69b80dcdd7e4020365dd7853885a

SHA256
14b06796f288bc6599e458fb23a944ab0c843e9868058f02a91d4606533505ed

SHA512
896caa053f48b1e4102e0f41a7d13d932a746eea69a894ae564ef5a84ef50890514deca6496e915aae40a500955220dbc1b1016fe0b8bcdde0ad81b2917dea8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\select.pyd

Filesize
29KB

MD5
a653f35d05d2f6debc5d34daddd3dfa1

SHA1
1a2ceec28ea44388f412420425665c3781af2435

SHA256
db85f2f94d4994283e1055057372594538ae11020389d966e45607413851d9e9

SHA512
5aede99c3be25b1a962261b183ae7a7fb92cb0cb866065dc9cd7bb5ff6f41cc8813d2cc9de54670a27b3ad07a33b833eaa95a5b46dad7763ca97dfa0c1ce54c9

Download Submit
C:\Users\Admin\Documents\updater_Insidious.exe

Filesize
274KB

MD5
c173ea5f3a5a90f04061591a387b7694

SHA1
4adff07babe8b6b11c691f44d8726e8ba7ed03a3

SHA256
8a652390083396ecceadadae7ed48c616d62592ab0254f2fe67d26eb2111ec97

SHA512
33cf0c6b240e060beabb8c6e35af20b90abcff6bfa5846328a7729422f7ec994336200de3fb9cce262bb912c8fd7efc67571d49be188fb591eb50523c13c0311

Download Submit
memory/3048-85-0x000001DD44000000-0x000001DD4404A000-memory.dmp

Filesize
296KB

Download
memory/3048-84-0x00007FF83CA63000-0x00007FF83CA65000-memory.dmp

Filesize
8KB

Download