44caliber | eff592526e32ba395227cc4521588f2a3858583d66e652af84b4a5346b8104c2

Analysis

max time kernel
95s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Insidious.exe
Size

302KB
MD5

777e0fd76dce46c05e55564d8465632f
SHA1

05ca2a12ca319d20d8dfd64d46a88f88ec2a9a97
SHA256

eff592526e32ba395227cc4521588f2a3858583d66e652af84b4a5346b8104c2
SHA512

179365a7766653bd3de2f06304fbc25cb4dcac31edde723735cecd1a2f531b4692c4b9430a1f68832192f12494c6199a3e3fa6531cd09b67ff981d38cd8d7f90
SSDEEP

6144:ARlT6MDdbICydeBV9suqPmlF62Yr8RmA1D0+Tf:ART4uqPmH68b1DBf

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1262786010446696519/TF6h3fODHclXs66DoTWXW06HBQRMNnQ8AtN7KAb1UQJyUlcMqh_TPBHkwcOcPFBUoC1q

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	freegeoip.app
4	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2060	Insidious.exe
2060	Insidious.exe
2060	Insidious.exe
2060	Insidious.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	Insidious.exe

C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
e24db7c8237d9ee97380cc3820c0c134

SHA1
5db76308c1978e2084e6d1b7fb2fb3d11d758a92

SHA256
766d07a01723c0e1347e8d7f296af0d66eb5feb89b717ec504e28cd3047b2cb5

SHA512
61cc146e20d8bb8ccd40d612cf8ce0b8ef150b23c590ec4a7ee2b12b40a8d84881c477219f2b9c24be2dbb4035d30a46b5e6c88071a1b392a74e803eeb054f59

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
ecf98d2c6b442bcaaf3912356987fa60

SHA1
3f7154b9e4e2923605b1c9c8d2b862ae97a00a76

SHA256
dcf2403907f8ab28c56565edcac7b9e3d60edabf19390a7a072d3667f4a183cb

SHA512
d60d3772216c54aaea00648551f04dd8be43f70540ed55062ccd0196087937ac307aba64b18ba2f1b2c5fd44dd4492b87447c3c7b916996ee5a5a1464180e5a1

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
487B

MD5
c30894588400e753c0071f42770e98c1

SHA1
987b8e4725fafc07edcf281daaabd38249eefbe8

SHA256
c23e1f5d2ac694c7852d5acf224419dc46592067af47b07576e158d53f3ed0e0

SHA512
f3a238eb94c1e6838a1a8c41708e40edbc26ffa64e15581ec13884497f419670e695fbb12e4f5fea5609f2a5051611c43221f1b8b575aa37b51f888964c3e6d6

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
3645b5aa2b955cbefb944889a9d8b771

SHA1
27e3565851f37d957f88006dae678e0ee1f8e91b

SHA256
8299d7aa31e4a4a41d81247b324996bfaa7a438a84b9c442685c3a77b98c4e2a

SHA512
4755fabbfba3d9bea96bdd6161c05756d8c3bd38862702cadfad40a9a7f73705b6bc37f71aa051c9704887193aef1d8f3bd9f6dcc6c51a905d1f4807e73ea145

Download Submit
C:\Users\Admin\AppData\Local\44\Process.txt

Filesize
1KB

MD5
74aa5786d958406914762f451fddf60a

SHA1
7d27fc6c713bc9c65b2f05e481673afbc2f327cd

SHA256
69de6631e6a367438c8c6e76a3aaf4c80dde4e0638828af6f0ffb71d53ad0fe4

SHA512
c52f3f4cdd04c4033414d0539d92c2f0196d36d94177122ceec41eef013d73dc69353f9bcc92b29a1f3085924703e0ce6109cda04e51c3eac48108463ed58151

Download Submit
memory/2060-0-0x00007FFF0D0C3000-0x00007FFF0D0C5000-memory.dmp

Filesize
8KB

Download
memory/2060-1-0x0000028F08A90000-0x0000028F08AE2000-memory.dmp

Filesize
328KB

Download
memory/2060-32-0x00007FFF0D0C0000-0x00007FFF0DB81000-memory.dmp

Filesize
10.8MB

Download
memory/2060-118-0x00007FFF0D0C0000-0x00007FFF0DB81000-memory.dmp

Filesize
10.8MB

Download