44caliber | cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887

General

Target

cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe
Size

274KB
MD5

1fb07c2ab3bfec07b9f26be7a89a2836
SHA1

a93efbd85bf9f8c75504b5faadc338104695cbd1
SHA256

cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887
SHA512

ed2c6003fba8c691ee3440c7c16fe8eb806604920a2f2139c5569189b47eefff096b746faa1480e76197e62caa42ca4fac9af895cf0c56870c7578fc88c431fb

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/941385512646750268/UCKa4QusV4sl-ZlUe9P2KixgpDTNi6YPhenW1lF7ySWWSwpSUvmDsMY-duLhQIJ0wSpF

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 freegeoip.app
5 freegeoip.app

flow	ioc
4	freegeoip.app
5	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe

pid	process
1412	cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe
1412	cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe
1412	cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe
1412	cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe

description pid process

Token: SeDebugPrivilege 1412 cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe

description	pid	process
Token: SeDebugPrivilege	1412	cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe

C:\Users\Admin\AppData\Local\Temp\cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe
"C:\Users\Admin\AppData\Local\Temp\cdd407dd860f8210fb50025130bbfd7371228750c1e3a1b16b6929cc314df887.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1412-55-0x0000000001270000-0x00000000012BA000-memory.dmp

Filesize
296KB

Download
memory/1412-56-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp

Filesize
4KB

Download
memory/1412-57-0x000000001AE50000-0x000000001AE52000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing