Malware Analysis Report

2024-11-30 05:50

Sample ID 241120-3tsj7awbmc
Target 2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe
SHA256 2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33
Tags
44caliber spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33

Threat Level: Known bad

The file 2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe was found to be: Known bad.

Malicious Activity Summary

44caliber spyware stealer

44Caliber

44Caliber family

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Unsigned PE

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 23:48

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 23:48

Reported

2024-11-20 23:50

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"

Signatures

44Caliber

stealer 44caliber

44Caliber family

44caliber

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe

"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | freegeoip.app | udp
US | 172.67.160.84:443 | freegeoip.app | tcp
US | 8.8.8.8:53 | ipbase.com | udp
US | 172.67.209.71:443 | ipbase.com | tcp

Files

memory/2328-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

memory/2328-1-0x00000000010E0000-0x000000000117E000-memory.dmp

memory/2328-2-0x000000001AE50000-0x000000001AF3A000-memory.dmp

memory/2328-3-0x0000000000240000-0x0000000000246000-memory.dmp

memory/2328-4-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

C:\ProgramData\44\Process.txt

MD5 1357232bf43d13b6c747d89269606d4e
SHA1 ca60f9f4e66ae29e5e42b9a090843164ae52a97a
SHA256 fa17fdba9f99d079fa10e6de88956432911137b7cb98a8d10aa3b690664de7bd
SHA512 24982dd76cc4b4e306df046a747c28b6c0bb2f700ae70e6b669d01ca23981f63c40121e8b84ac046f575da32bc031a44a4a952554899da86ac8cdea8117f559a

C:\ProgramData\44\Process.txt

MD5 63f3b6444ac808057107c3e845b8682d
SHA1 8fad5d204c5e88195e55d90528f97c5d8daa3981
SHA256 44280d58112b1717d28583a3d72433626b7c027d3831ce9f45e45319962b7fe3
SHA512 3e273580c6be0487571f16c443cd53f5e0e8792d2661d01944a6968e38c5dee978309c52e940198813227ff7644eb7df4a18ae75350b5fa607dd54522b3c0dbb

memory/2328-54-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 23:48

Reported

2024-11-20 23:50

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"

Signatures

44Caliber

stealer 44caliber

44Caliber family

44caliber

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | freegeoip.app | N/A | N/A
N/A | freegeoip.app | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe

"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | freegeoip.app | udp
US | 104.21.73.97:443 | freegeoip.app | tcp
US | 8.8.8.8:53 | ipbase.com | udp
US | 104.21.85.189:443 | ipbase.com | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp

Files

memory/2724-0-0x00007FFDF1C13000-0x00007FFDF1C15000-memory.dmp

memory/2724-1-0x00000000003C0000-0x000000000045E000-memory.dmp

memory/2724-2-0x000000001B0A0000-0x000000001B18A000-memory.dmp

memory/2724-3-0x0000000002590000-0x0000000002596000-memory.dmp

memory/2724-20-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp

C:\ProgramData\44\Process.txt

MD5 0f3e844bc73a7a287e6a9062f8daa45a
SHA1 91b664f8bd1be5ea7fee62722041c5c0ae53d8e8
SHA256 bf02fd2fe5f6f94f0ebdc1c24382060de1c37394b25851432fd1cc76e46edca5
SHA512 bbd58fd649c36b061f9a5d76ae48a7d977d65228f3a816b62c7370482b95d0e20b94bd25e143bd26f9375018693d8dfb4ee81e4f683ec120722221f7b4302440

C:\ProgramData\44\Process.txt

MD5 fc22d6fe015bd52de4a43aa81c8cba4a
SHA1 7af3a3db73313563bed56e0234d61bc3afda90d5
SHA256 af28c2530b1421edb1ffc1c7a45e0d1404d6a4cee5eff101b4e7affd3e8b2c0a
SHA512 dfb53eaa9e0af66302b6b90e33b224fdca8a958dd1b103b3d284dff7ab9d2b3ff30461793ac4269f56f8c9ab6cfef149f965e5d62cdbe38769146bb96628fd37

memory/2724-118-0x00007FFDF1C10000-0x00007FFDF26D1000-memory.dmp