Malware Analysis Report

2024-11-30 05:50

Sample ID 241120-3zwh2awmcz
Target 2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe
SHA256 2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33
Tags
44caliber spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33

Threat Level: Known bad

The file 2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe was found to be: Known bad.

Malicious Activity Summary

44caliber spyware stealer

44Caliber

44Caliber family

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-20 23:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-20 23:57

Reported

2024-11-21 00:00

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"

Signatures

44Caliber

stealer 44caliber

44Caliber family

44caliber

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe

"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:443 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.209.67.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4860-0-0x00007FFC0F873000-0x00007FFC0F875000-memory.dmp

memory/4860-1-0x0000000000AD0000-0x0000000000B6E000-memory.dmp

memory/4860-2-0x000000001B920000-0x000000001BA0A000-memory.dmp

memory/4860-3-0x00000000012F0000-0x00000000012F6000-memory.dmp

memory/4860-34-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

C:\Users\Admin\AppData\Roaming\44\Process.txt

MD5 7af0fcb2bc6365a97066fa771faf0710
SHA1 a0f0b5751ecb3c820a2d49685a38a4da26da81f7
SHA256 530b3cfe11feef4e019825c97a2260cbd39df4257a57f0d449ca898f49562e1c
SHA512 da81d7af301497fb2d002269a09b6af818e97efcfa636d9b5f48f7c870b66a53186fb78aead5f9c93dbd9e89de1955ed07c9cb0c927b40175be35a37af10c70b

memory/4860-122-0x00007FFC0F870000-0x00007FFC10331000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-20 23:57

Reported

2024-11-21 00:00

Platform

win7-20241010-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"

Signatures

44Caliber

stealer 44caliber

44Caliber family

44caliber

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe

"C:\Users\Admin\AppData\Local\Temp\2d936a38e8c1094b42769f128030b1dc3c110c7a5abb8fa1ac3842a76dba7b33.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:443 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp

Files

memory/1692-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

memory/1692-1-0x00000000012F0000-0x000000000138E000-memory.dmp

memory/1692-2-0x000000001ADF0000-0x000000001AEDA000-memory.dmp

memory/1692-3-0x00000000003A0000-0x00000000003A6000-memory.dmp

memory/1692-4-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

C:\Users\Admin\AppData\Local\44\Process.txt

MD5 29573c990fc92333f6449eb23563d8d1
SHA1 3f97c7b46f23cc73be779cd81774f7dd57bc27f3
SHA256 6fcddb4989fbaf0df90de2b2d47b03fb23a2c92f1f9d73fbe38f4eb63934b042
SHA512 d8b180487cb6b3186f801eb6a9beea521b93ef23b44871656b3d0b7dd9856c1a02adfb4e1b9f2f7ba760af1c485ec3cc1e0ea3e12d7f53353ac17119e21026ec

memory/1692-53-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp