44caliber | 1e7693ae47f44094b0304e65a2e9ac992e09d1c9fbe3087fa45c359b6db2a0e7

Analysis

max time kernel
71s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cheat.exe
Size

303KB
MD5

02d6afbd57a884836f0c845f9870af7f
SHA1

3543d551d9369672ad781781efcd450b0bea2bdb
SHA256

359c20f4dd6423e91635c3d6cc365959e438dc12aeb3353c17e3b1641efc4835
SHA512

110c8d9ba3fa21d9a10ceac293b447dab45e1438fc4cb509598228fc0aa7c5b8d35ea4dc55bba3afffd60e2679a60694e856efee351a152651e6d3c7d263546a
SSDEEP

6144:B5hxT6MDdbICydeBvQ26i2dVTZy6jmA1D06k5:B5dY26i2vT4Y1DW5

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/897533314720759858/2IthAY1F50e0tIWa51HPNxK5_vNppGvmSOFSU_Yq3riGW0BMzST3MUD9P7wE1B_qSnT5

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
4 freegeoip.app
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

Cheat.exe

pid process

3460 Cheat.exe
3460 Cheat.exe
3460 Cheat.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Cheat.exe

description pid process

Token: SeDebugPrivilege 3460 Cheat.exe

flow	ioc
3	freegeoip.app
4	freegeoip.app

pid	process
3460	Cheat.exe
3460	Cheat.exe
3460	Cheat.exe

description	pid	process
Token: SeDebugPrivilege	3460	Cheat.exe

C:\Users\Admin\AppData\Local\Temp\Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3460-0-0x00007FF92DA03000-0x00007FF92DA05000-memory.dmp

Filesize
8KB

Download
memory/3460-1-0x000002C8FFC10000-0x000002C8FFC62000-memory.dmp

Filesize
328KB

Download
memory/3460-32-0x00007FF92DA00000-0x00007FF92E4C1000-memory.dmp

Filesize
10.8MB

Download
memory/3460-33-0x00007FF92DA00000-0x00007FF92E4C1000-memory.dmp

Filesize
10.8MB

Download