44caliber | c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d

General

Target

c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe
Size

793KB
MD5

f559e77721d8cc5bd97e037c4b3472cc
SHA1

f6dda6d685285301e23fd51338d0977fb5e03a6e
SHA256

c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d
SHA512

64d6e8d0bc9862f9eab80d0fa95fdbb42eab44efed4a90abe1a6a0c8b1a308b5940d90740beb211dd6c375b8dd1fb1706a76f484ccf439cfc3bb2ae0aacb3dd9

Score

10^/10

44caliber evasion spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discord.com/api/webhooks/939927794656370699/MQUodH1jMxGoELXDI7vt3uVKvZAZN_FBkYRFlTiMVxHGCFnEzvPC7JNVH8-ESePeneQo

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 2 IoCs

Processes:

loader_2.exeexample.exe

pid process

1956 loader_2.exe
1100 example.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

pid	process
1956	loader_2.exe
1100	example.exe

Loads dropped DLL 3 IoCs

Processes:

c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe

pid	process
1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe
1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe
1128

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 freegeoip.app
7 freegeoip.app
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	ioc
6	freegeoip.app
7	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

loader_2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	loader_2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	loader_2.exe

Kills process with taskkill 12 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
1316	taskkill.exe
1348	taskkill.exe
1964	taskkill.exe
1160	taskkill.exe
1932	taskkill.exe
1500	taskkill.exe
2012	taskkill.exe
2028	taskkill.exe
1116	taskkill.exe
1496	taskkill.exe
1480	taskkill.exe
996	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

loader_2.exe

pid process

1956 loader_2.exe
1956 loader_2.exe
1956 loader_2.exe
1956 loader_2.exe

pid	process
1956	loader_2.exe
1956	loader_2.exe
1956	loader_2.exe
1956	loader_2.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

taskkill.exetaskkill.exeloader_2.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1500	taskkill.exe
Token: SeDebugPrivilege	2012	taskkill.exe
Token: SeDebugPrivilege	1956	loader_2.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	1316	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	1116	taskkill.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exeexample.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1096 wrote to memory of 1956	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	loader_2.exe
PID 1096 wrote to memory of 1956	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	loader_2.exe
PID 1096 wrote to memory of 1956	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	loader_2.exe
PID 1096 wrote to memory of 1956	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	loader_2.exe
PID 1096 wrote to memory of 1100	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	example.exe
PID 1096 wrote to memory of 1100	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	example.exe
PID 1096 wrote to memory of 1100	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	example.exe
PID 1096 wrote to memory of 1100	1096	c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe	example.exe
PID 1100 wrote to memory of 1504	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1504	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1504	1100	example.exe	cmd.exe
PID 1504 wrote to memory of 1500	1504	cmd.exe	taskkill.exe
PID 1504 wrote to memory of 1500	1504	cmd.exe	taskkill.exe
PID 1504 wrote to memory of 1500	1504	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 1752	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1752	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1752	1100	example.exe	cmd.exe
PID 1752 wrote to memory of 2012	1752	cmd.exe	taskkill.exe
PID 1752 wrote to memory of 2012	1752	cmd.exe	taskkill.exe
PID 1752 wrote to memory of 2012	1752	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 2000	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 2000	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 2000	1100	example.exe	cmd.exe
PID 2000 wrote to memory of 2028	2000	cmd.exe	taskkill.exe
PID 2000 wrote to memory of 2028	2000	cmd.exe	taskkill.exe
PID 2000 wrote to memory of 2028	2000	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 1836	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1836	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1836	1100	example.exe	cmd.exe
PID 1836 wrote to memory of 816	1836	cmd.exe	sc.exe
PID 1836 wrote to memory of 816	1836	cmd.exe	sc.exe
PID 1836 wrote to memory of 816	1836	cmd.exe	sc.exe
PID 1100 wrote to memory of 632	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 632	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 632	1100	example.exe	cmd.exe
PID 632 wrote to memory of 1316	632	cmd.exe	taskkill.exe
PID 632 wrote to memory of 1316	632	cmd.exe	taskkill.exe
PID 632 wrote to memory of 1316	632	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 1572	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1572	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1572	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 2044	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 2044	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 2044	1100	example.exe	cmd.exe
PID 2044 wrote to memory of 1348	2044	cmd.exe	taskkill.exe
PID 2044 wrote to memory of 1348	2044	cmd.exe	taskkill.exe
PID 2044 wrote to memory of 1348	2044	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 1352	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1352	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1352	1100	example.exe	cmd.exe
PID 1352 wrote to memory of 1964	1352	cmd.exe	taskkill.exe
PID 1352 wrote to memory of 1964	1352	cmd.exe	taskkill.exe
PID 1352 wrote to memory of 1964	1352	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 1328	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1328	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1328	1100	example.exe	cmd.exe
PID 1328 wrote to memory of 1160	1328	cmd.exe	taskkill.exe
PID 1328 wrote to memory of 1160	1328	cmd.exe	taskkill.exe
PID 1328 wrote to memory of 1160	1328	cmd.exe	taskkill.exe
PID 1100 wrote to memory of 1536	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1536	1100	example.exe	cmd.exe
PID 1100 wrote to memory of 1536	1100	example.exe	cmd.exe
PID 1536 wrote to memory of 1692	1536	cmd.exe	sc.exe
PID 1536 wrote to memory of 1692	1536	cmd.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe
"C:\Users\Admin\AppData\Local\Temp\c6181c98720e7976fdf7356503ae8ec501136ca26028796fee8e666813bd5e5d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\loader_2.exe
"C:\Users\Admin\AppData\Local\Temp\loader_2.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Users\Admin\AppData\Local\Temp\example.exe
"C:\Users\Admin\AppData\Local\Temp\example.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:1532

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
3⤵
PID:1804

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T >nul 2>&1
3⤵
PID:1112

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq wireshark*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
3⤵
PID:1752

C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
3⤵
PID:2000

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
4⤵
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM HTTPDebuggerSvc.exe /F >nul 2>&1
3⤵
PID:1836

C:\Windows\system32\taskkill.exe
taskkill /IM HTTPDebuggerSvc.exe /F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c @RD /S /Q "C:\Users\%username%\AppData\Local\Microsoft\Windows\INetCache\IE" >nul 2>&1
3⤵
PID:1396

C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
1⤵
PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\example.exe

MD5
009ea83f03fdd2d1da3fc57e118f137f

SHA1
e1f07d0577636f8df4e50d2e45b83dd1d17ef875

SHA256
a4af83b6cfeb0471b5c38a3ca3a118d5bab056dc05db1883ddc751430140bb3c

SHA512
32a0a12c3ce7046e6a2bcb45e958b2030fa158be51b3d485f9cf6b18a5c2c50e307c7ce928da74e3f0095de4c3a0999b6059deaf28a3632ce954f55fc4613fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader_2.exe

MD5
f16b30ce57b3d0678d55d91953597faa

SHA1
7348bfa2fd87b1e5f556c54fa650eb376c60006d

SHA256
d4515c61a5b8ec675d401277f69a863e6ef01875e749e027ef6bde29674fc291

SHA512
fe22efa8d7ac0688be13b3fa2e168c9adfc5afa5d39132213a45f1ea1b9d2cd550f15655885cd819c6b8f94381f69620281b38ec907c5d0070d4442baf99f448

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader_2.exe

MD5
f16b30ce57b3d0678d55d91953597faa

SHA1
7348bfa2fd87b1e5f556c54fa650eb376c60006d

SHA256
d4515c61a5b8ec675d401277f69a863e6ef01875e749e027ef6bde29674fc291

SHA512
fe22efa8d7ac0688be13b3fa2e168c9adfc5afa5d39132213a45f1ea1b9d2cd550f15655885cd819c6b8f94381f69620281b38ec907c5d0070d4442baf99f448

Download Submit
\Users\Admin\AppData\Local\Temp\example.exe

MD5
009ea83f03fdd2d1da3fc57e118f137f

SHA1
e1f07d0577636f8df4e50d2e45b83dd1d17ef875

SHA256
a4af83b6cfeb0471b5c38a3ca3a118d5bab056dc05db1883ddc751430140bb3c

SHA512
32a0a12c3ce7046e6a2bcb45e958b2030fa158be51b3d485f9cf6b18a5c2c50e307c7ce928da74e3f0095de4c3a0999b6059deaf28a3632ce954f55fc4613fd7

Download Submit
\Users\Admin\AppData\Local\Temp\example.exe

MD5
009ea83f03fdd2d1da3fc57e118f137f

SHA1
e1f07d0577636f8df4e50d2e45b83dd1d17ef875

SHA256
a4af83b6cfeb0471b5c38a3ca3a118d5bab056dc05db1883ddc751430140bb3c

SHA512
32a0a12c3ce7046e6a2bcb45e958b2030fa158be51b3d485f9cf6b18a5c2c50e307c7ce928da74e3f0095de4c3a0999b6059deaf28a3632ce954f55fc4613fd7

Download Submit
\Users\Admin\AppData\Local\Temp\loader_2.exe

MD5
f16b30ce57b3d0678d55d91953597faa

SHA1
7348bfa2fd87b1e5f556c54fa650eb376c60006d

SHA256
d4515c61a5b8ec675d401277f69a863e6ef01875e749e027ef6bde29674fc291

SHA512
fe22efa8d7ac0688be13b3fa2e168c9adfc5afa5d39132213a45f1ea1b9d2cd550f15655885cd819c6b8f94381f69620281b38ec907c5d0070d4442baf99f448

Download Submit
memory/1096-54-0x00000000757F1000-0x00000000757F3000-memory.dmp

Filesize
8KB

Download
memory/1956-61-0x0000000000B60000-0x0000000000BAA000-memory.dmp

Filesize
296KB

Download
memory/1956-62-0x000007FEF4EC3000-0x000007FEF4EC4000-memory.dmp

Filesize
4KB

Download
memory/1956-63-0x000000001B320000-0x000000001B322000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads