44caliber | c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d

Analysis

max time kernel
4294181s
max time network
125s
platform
windows7_x64
resource
win7-20220223-en
submitted
01-03-2022 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe
Size

793KB
MD5

f559e77721d8cc5bd97e037c4b3472cc
SHA1

f6dda6d685285301e23fd51338d0977fb5e03a6e
SHA256

c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d
SHA512

64d6e8d0bc9862f9eab80d0fa95fdbb42eab44efed4a90abe1a6a0c8b1a308b5940d90740beb211dd6c375b8dd1fb1706a76f484ccf439cfc3bb2ae0aacb3dd9

Score

10^/10

44caliber evasion spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/939927794656370699/MQUodH1jMxGoELXDI7vt3uVKvZAZN_FBkYRFlTiMVxHGCFnEzvPC7JNVH8-ESePeneQo

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Executes dropped EXE 2 IoCs

pid	Process
1956	loader_2.exe
1100	example.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 3 IoCs

pid	Process
1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe
1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe
1128	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	freegeoip.app
7	freegeoip.app

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	loader_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	loader_2.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
1316	taskkill.exe
1348	taskkill.exe
1964	taskkill.exe
1160	taskkill.exe
1932	taskkill.exe
1500	taskkill.exe
2012	taskkill.exe
2028	taskkill.exe
1116	taskkill.exe
1496	taskkill.exe
1480	taskkill.exe
996	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1956	loader_2.exe
1956	loader_2.exe
1956	loader_2.exe
1956	loader_2.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1956	loader_2.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1096 wrote to memory of 1956	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	27
PID 1096 wrote to memory of 1956	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	27
PID 1096 wrote to memory of 1956	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	27
PID 1096 wrote to memory of 1956	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	27
PID 1096 wrote to memory of 1100	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	28
PID 1096 wrote to memory of 1100	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	28
PID 1096 wrote to memory of 1100	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	28
PID 1096 wrote to memory of 1100	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	28
PID 1100 wrote to memory of 1504	1100	example.exe	30
PID 1100 wrote to memory of 1504	1100	example.exe	30
PID 1100 wrote to memory of 1504	1100	example.exe	30
PID 1504 wrote to memory of 1500	1504	cmd.exe	31
PID 1504 wrote to memory of 1500	1504	cmd.exe	31
PID 1504 wrote to memory of 1500	1504	cmd.exe	31
PID 1100 wrote to memory of 1752	1100	example.exe	33
PID 1100 wrote to memory of 1752	1100	example.exe	33
PID 1100 wrote to memory of 1752	1100	example.exe	33
PID 1752 wrote to memory of 2012	1752	cmd.exe	34
PID 1752 wrote to memory of 2012	1752	cmd.exe	34
PID 1752 wrote to memory of 2012	1752	cmd.exe	34
PID 1100 wrote to memory of 2000	1100	example.exe	35
PID 1100 wrote to memory of 2000	1100	example.exe	35
PID 1100 wrote to memory of 2000	1100	example.exe	35
PID 2000 wrote to memory of 2028	2000	cmd.exe	36
PID 2000 wrote to memory of 2028	2000	cmd.exe	36
PID 2000 wrote to memory of 2028	2000	cmd.exe	36
PID 1100 wrote to memory of 1836	1100	example.exe	37
PID 1100 wrote to memory of 1836	1100	example.exe	37
PID 1100 wrote to memory of 1836	1100	example.exe	37
PID 1836 wrote to memory of 816	1836	cmd.exe	39
PID 1836 wrote to memory of 816	1836	cmd.exe	39
PID 1836 wrote to memory of 816	1836	cmd.exe	39
PID 1100 wrote to memory of 632	1100	example.exe	38
PID 1100 wrote to memory of 632	1100	example.exe	38
PID 1100 wrote to memory of 632	1100	example.exe	38
PID 632 wrote to memory of 1316	632	cmd.exe	40
PID 632 wrote to memory of 1316	632	cmd.exe	40
PID 632 wrote to memory of 1316	632	cmd.exe	40
PID 1100 wrote to memory of 1572	1100	example.exe	41
PID 1100 wrote to memory of 1572	1100	example.exe	41
PID 1100 wrote to memory of 1572	1100	example.exe	41
PID 1100 wrote to memory of 2044	1100	example.exe	42
PID 1100 wrote to memory of 2044	1100	example.exe	42
PID 1100 wrote to memory of 2044	1100	example.exe	42
PID 2044 wrote to memory of 1348	2044	cmd.exe	43
PID 2044 wrote to memory of 1348	2044	cmd.exe	43
PID 2044 wrote to memory of 1348	2044	cmd.exe	43
PID 1100 wrote to memory of 1352	1100	example.exe	44
PID 1100 wrote to memory of 1352	1100	example.exe	44
PID 1100 wrote to memory of 1352	1100	example.exe	44
PID 1352 wrote to memory of 1964	1352	cmd.exe	45
PID 1352 wrote to memory of 1964	1352	cmd.exe	45
PID 1352 wrote to memory of 1964	1352	cmd.exe	45
PID 1100 wrote to memory of 1328	1100	example.exe	46
PID 1100 wrote to memory of 1328	1100	example.exe	46
PID 1100 wrote to memory of 1328	1100	example.exe	46
PID 1328 wrote to memory of 1160	1328	cmd.exe	47
PID 1328 wrote to memory of 1160	1328	cmd.exe	47
PID 1328 wrote to memory of 1160	1328	cmd.exe	47
PID 1100 wrote to memory of 1536	1100	example.exe	49
PID 1100 wrote to memory of 1536	1100	example.exe	49
PID 1100 wrote to memory of 1536	1100	example.exe	49
PID 1536 wrote to memory of 1692	1536	cmd.exe	48
PID 1536 wrote to memory of 1692	1536	cmd.exe	48

C:\Users\Admin\AppData\Local\Temp\c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe
"C:\Users\Admin\AppData\Local\Temp\c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\loader_2.exe
  "C:\Users\Admin\AppData\Local\Temp\loader_2.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\example.exe
  "C:\Users\Admin\AppData\Local\Temp\example.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:632
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1328
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    PID:1532
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:1472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1804
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1112
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
    3⤵
    PID:1752
  - - C:\Windows\system32\taskkill.exe
      taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
    3⤵
    PID:2000
  - - C:\Windows\system32\sc.exe
      sc stop HTTPDebuggerPro
      4⤵
      PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
    3⤵
    PID:1836
  - - C:\Windows\system32\taskkill.exe
      taskkill /IM HTTPDebuggerSvc.exe /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
    3⤵
    PID:1396

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1096-54-0x00000000757F1000-0x00000000757F3000-memory.dmp

Filesize
8KB

Download
memory/1956-61-0x0000000000B60000-0x0000000000BAA000-memory.dmp

Filesize
296KB

Download
memory/1956-62-0x000007FEF4EC3000-0x000007FEF4EC4000-memory.dmp

Filesize
4KB

Download
memory/1956-63-0x000000001B320000-0x000000001B322000-memory.dmp

Filesize
8KB

Download