44caliber | 481e16bd9e829fee9cd41bd992a3287e5882a041b8306029eb7785a66bb4a1ac

Analysis

max time kernel
102s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
07/04/2025, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

proga.exe
Size

1.8MB
MD5

37d52955fa43a9b6914f81fac04f0656
SHA1

ef005ff7f596ea057022a77f111847ac8b3fb66f
SHA256

481e16bd9e829fee9cd41bd992a3287e5882a041b8306029eb7785a66bb4a1ac
SHA512

9126bcda7b7ac8b3bc0b9a31981150f8fe59bca93f17b6322d04033ff6567df47d18e2833072c06235502e8a9bf5324967d31bbfd765805dfbc083aeb0d91c24
SSDEEP

49152:1Djlabwz9DmRaIKolB7bLpEBm9ggukQ2XC+N7:ZqwRmaQ5k0ukHS+x

Score

10^/10

44caliber discovery spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1356567873270710473/EBvbgkUkr1Nt60uLTvIefHjN4cRMKBHO54aiDqafnZD_q5UFbEfTFkzb_pq5tMMbgSTy

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
44Caliber family
44caliber

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	indious.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	proga.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	EasyRAT.exe

Executes dropped EXE 4 IoCs

pid	Process
5832	EasyRAT.exe
5964	indious.exe
4640	WindowsFormsApp2.exe
4656	Insidious.exe

Loads dropped DLL 2 IoCs

pid	Process
4640	WindowsFormsApp2.exe
4640	WindowsFormsApp2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	freegeoip.app
3	freegeoip.app

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\winrаr	proga.exe
File created	C:\Program Files\EasyRAT\Guna.UI2.dll	EasyRAT.exe
File opened for modification	C:\Program Files\EasyRAT\Guna.UI2.dll	EasyRAT.exe
File opened for modification	C:\Program Files\EasyRAT\WindowsFormsApp2.exe	EasyRAT.exe
File created	C:\Program Files\winrаr\__tmp_rar_sfx_access_check_240620859	proga.exe
File created	C:\Program Files\winrаr\EasyRAT.exe	proga.exe
File opened for modification	C:\Program Files\winrаr\EasyRAT.exe	proga.exe
File opened for modification	C:\Program Files\EasyRAT	EasyRAT.exe
File created	C:\Program Files\EasyRAT\__tmp_rar_sfx_access_check_240621468	EasyRAT.exe
File created	C:\Program Files\EasyRAT\__tmp_rar_sfx_access_check_240621500	indious.exe
File opened for modification	C:\Program Files\EasyRAT\WindowsFormsApp2.pdb	EasyRAT.exe
File created	C:\Program Files\EasyRAT\WindowsFormsApp2.exe	EasyRAT.exe
File created	C:\Program Files\EasyRAT\WindowsFormsApp2.exe.config	EasyRAT.exe
File opened for modification	C:\Program Files\EasyRAT\WindowsFormsApp2.exe.config	EasyRAT.exe
File created	C:\Program Files\EasyRAT\WindowsFormsApp2.pdb	EasyRAT.exe
File opened for modification	C:\Program Files\EasyRAT\Insidious.exe	indious.exe
File opened for modification	C:\Program Files\EasyRAT\Insidious.exe.config	indious.exe
File created	C:\Program Files\EasyRAT\Insidious.pdb	indious.exe
File opened for modification	C:\Program Files\EasyRAT\Insidious.pdb	indious.exe
File created	C:\Program Files\winrаr\indious.exe	proga.exe
File opened for modification	C:\Program Files\winrаr\indious.exe	proga.exe
File created	C:\Program Files\EasyRAT\Insidious.exe	indious.exe
File created	C:\Program Files\EasyRAT\Insidious.exe.config	indious.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsFormsApp2.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Insidious.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Insidious.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	WindowsFormsApp2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	WindowsFormsApp2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	WindowsFormsApp2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4656	Insidious.exe
4656	Insidious.exe
4656	Insidious.exe
4656	Insidious.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4656	Insidious.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 5832	3088	proga.exe	86
PID 3088 wrote to memory of 5832	3088	proga.exe	86
PID 3088 wrote to memory of 5964	3088	proga.exe	88
PID 3088 wrote to memory of 5964	3088	proga.exe	88
PID 5832 wrote to memory of 4640	5832	EasyRAT.exe	91
PID 5832 wrote to memory of 4640	5832	EasyRAT.exe	91
PID 5832 wrote to memory of 4640	5832	EasyRAT.exe	91
PID 5964 wrote to memory of 4656	5964	indious.exe	92
PID 5964 wrote to memory of 4656	5964	indious.exe	92

C:\Users\Admin\AppData\Local\Temp\proga.exe
"C:\Users\Admin\AppData\Local\Temp\proga.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Program Files\winrаr\EasyRAT.exe
  "C:\Program Files\winrаr\EasyRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:5832
- - C:\Program Files\EasyRAT\WindowsFormsApp2.exe
    "C:\Program Files\EasyRAT\WindowsFormsApp2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:4640
- C:\Program Files\winrаr\indious.exe
  "C:\Program Files\winrаr\indious.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:5964
- - C:\Program Files\EasyRAT\Insidious.exe
    "C:\Program Files\EasyRAT\Insidious.exe"
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\EasyRAT\Guna.UI2.dll

Filesize
2.1MB

MD5
58459aefb74d5ff786b9efb982d44eab

SHA1
584f851c9824a27f4e2e5594ac206f8b165adf72

SHA256
6d876b257a97995d21072acd44580633468516121145cc218277edc18f971030

SHA512
80e975d2726eb1e4515a79f3ced422e61315f9b2bcb87d054aa654c1885c12c2a16f75da9aba6f8cd2dd652bb85da50579d1e618f10fab1e50c0cd29f37c7b55

Download Submit
C:\Program Files\EasyRAT\Insidious.exe

Filesize
274KB

MD5
69e87bcc519628a0910e0bbf2559baaa

SHA1
696acb30b321eb09e50b07144bfce51b290de285

SHA256
054bcd6fa76fae3606818abee25d9cceaaffc130cdf69db1e3dceb98ebc2cef5

SHA512
728c1661b9e52853ac3d3dfc0471d5a5e7ef7430d886965e439406b6010dc9393bbbf7ffc3ccf0a162398c74f72ae0b1ffe12383f4fa740b73f1e5976f1c4869

Download Submit
C:\Program Files\EasyRAT\Insidious.exe.config

Filesize
161B

MD5
c16b0746faa39818049fe38709a82c62

SHA1
3fa322fe6ed724b1bc4fd52795428a36b7b8c131

SHA256
d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad

SHA512
cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c

Download Submit
C:\Program Files\EasyRAT\Insidious.pdb

Filesize
865KB

MD5
3908ad15e3ec252640e1412fd49df07a

SHA1
bf9b1a6492c1f876249db4a01d2bdf3921913eda

SHA256
71ae41f12b290a13654adb0dfea576e10cf6e674f9caa657dec1eaabf8167b94

SHA512
e443bbd11dc25ad24a379ea8fc5dc6ce08671b1d6a148dcf50de128fcfb90b243e990cb30fa4b39b71b8e766b3b8d037b1d2eb0f8af67c82ab00965cf75ce85c

Download Submit
C:\Program Files\EasyRAT\WindowsFormsApp2.exe

Filesize
12KB

MD5
9a4014eeefa35b270e32f100cfef092c

SHA1
5c49ce183a66fd16bfaa6651482abb70f620718a

SHA256
0f332f3e60d6741579bf027f09db5de7a0bf2c28e2a265f19aaa4bc2df2fe5fe

SHA512
c1c7a1d475c3838477b6ab338424a73e4a45b017f0dfbdefc91776c086f6cc2f489eeba1873e0e7cb9698b201fbc076464d75e08503863a9db44b8ce5c4482e1

Download Submit
C:\Program Files\EasyRAT\WindowsFormsApp2.exe.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Program Files\winrаr\EasyRAT.exe

Filesize
1.1MB

MD5
bb06d54db319bb59e11dc1be1823b4ee

SHA1
08e91ab25a204b567550a32df951388a1fbd922b

SHA256
ec27b2fa0be2d5856c8a5b1fcf216f5d5a17db8a1b0d82d850407b4d335816a6

SHA512
fab177483bc9275701cde2027a5e34ed5e7d67d606b4a6d345af6e9b5e5965acc7d2637bd4186e49e8d085be1fb2c979cf9229d7d325f2cc2100459a3b0902b2

Download Submit
C:\Program Files\winrаr\indious.exe

Filesize
683KB

MD5
649c2c983c8ec28dae7fe6b304e641dc

SHA1
e8baf34d897d268f7aeadb27dc174a5c54ccecc9

SHA256
c971ef15af9dd0da7d4abbbc8c89f4964d1ca02fb8b611618c846f3e47965059

SHA512
73b61e12d5f7263fb089f9b4e3326c8277c5d3ee6ec63fd44cfb0bf6a92b2706d696029633cac3980edf34f1a8ce13fa768dda6f76a92efba4e1beb751b34bd8

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
2318978349a6ae391e4b79dc86099590

SHA1
7e62b09fb1058444d8d6ed5697e0cf0cfa90dca6

SHA256
4a73524b0dbcb29d49c095174200eed6bc72b4e056c35c728890f162909faaa5

SHA512
e5b08bd09155ef73aeaf1dfc9120e89230627d8fa3c481e6e0c46933fe3f456f160253b3ce728e60bbb8ed3a09bf76951cfcdf615e1c12b252f8c451e3ccbe96

Download Submit
memory/4640-82-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

Filesize
40KB

Download
memory/4640-83-0x0000000006090000-0x0000000006634000-memory.dmp

Filesize
5.6MB

Download
memory/4640-84-0x00000000059F0000-0x0000000005A82000-memory.dmp

Filesize
584KB

Download
memory/4640-175-0x0000000005990000-0x000000000599A000-memory.dmp

Filesize
40KB

Download
memory/4640-179-0x0000000006640000-0x000000000685C000-memory.dmp

Filesize
2.1MB

Download
memory/4656-52-0x000002B68F450000-0x000002B68F49A000-memory.dmp

Filesize
296KB

Download