44caliber | 5956fe13a88b4ee1006ba35a0c2bb1797c9d925c453c368aac628870ca8ee4ba

General

Target

loader.exe
Size

15.8MB
MD5

75941eabd47ddaa0529e6bf66068eccd
SHA1

34d7b2683a149871591d3629b4da456064331ebd
SHA256

5956fe13a88b4ee1006ba35a0c2bb1797c9d925c453c368aac628870ca8ee4ba
SHA512

6d64ee77f9f08b3843031825e110a787efe81dddc72355e636659d53cdf697d663ff9c655cd89d41b5afeab88b8a3f7e4a2b049d77eb705e3c6b7ac817ea0c03

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/973580174689964083/2sajMUbGeKbojdqVMbPo-qtidMXn5a7QaYSzjXpRpUgg81vxQoCnZ2D4zH6jyVu9DL96

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 1 IoCs

Processes:

faldiko.exe

pid process

1956 faldiko.exe
Loads dropped DLL 1 IoCs

Processes:

loader.exe

pid process

1472 loader.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 freegeoip.app
4 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1956	faldiko.exe

pid	process
1472	loader.exe

flow	ioc
3	freegeoip.app
4	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

faldiko.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	faldiko.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	faldiko.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

faldiko.exe

pid process

1956 faldiko.exe
1956 faldiko.exe
1956 faldiko.exe
1956 faldiko.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

faldiko.exe

description pid process

Token: SeDebugPrivilege 1956 faldiko.exe

pid	process
1956	faldiko.exe
1956	faldiko.exe
1956	faldiko.exe
1956	faldiko.exe

description	pid	process
Token: SeDebugPrivilege	1956	faldiko.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

loader.exe

description	pid	process	target process
PID 1472 wrote to memory of 1956	1472	loader.exe	faldiko.exe
PID 1472 wrote to memory of 1956	1472	loader.exe	faldiko.exe
PID 1472 wrote to memory of 1956	1472	loader.exe	faldiko.exe
PID 1472 wrote to memory of 1956	1472	loader.exe	faldiko.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\AppData\Local\Temp\faldiko.exe
"C:\Users\Admin\AppData\Local\Temp\faldiko.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\faldiko.exe

Filesize
274KB

MD5
e8205566909635b44539a35b6361b0ae

SHA1
cbfefc9331926a8cf4dc6168b55ad61f02a1a708

SHA256
2a2f5c0dee61322166fc4015530ff20b46789af3fd82c4c7f2b678b2e63ec04c

SHA512
4c9328d55044e474e8422694f6e4b82a7ead3e5e1f4407423cf69a43d1cf1978463a8924a144a20827807d76bf2f0a44eeef8de93b8a0b4f421087e034923263

Download Submit
C:\Users\Admin\AppData\Local\Temp\faldiko.exe

Filesize
274KB

MD5
e8205566909635b44539a35b6361b0ae

SHA1
cbfefc9331926a8cf4dc6168b55ad61f02a1a708

SHA256
2a2f5c0dee61322166fc4015530ff20b46789af3fd82c4c7f2b678b2e63ec04c

SHA512
4c9328d55044e474e8422694f6e4b82a7ead3e5e1f4407423cf69a43d1cf1978463a8924a144a20827807d76bf2f0a44eeef8de93b8a0b4f421087e034923263

Download Submit
\Users\Admin\AppData\Local\Temp\faldiko.exe

Filesize
274KB

MD5
e8205566909635b44539a35b6361b0ae

SHA1
cbfefc9331926a8cf4dc6168b55ad61f02a1a708

SHA256
2a2f5c0dee61322166fc4015530ff20b46789af3fd82c4c7f2b678b2e63ec04c

SHA512
4c9328d55044e474e8422694f6e4b82a7ead3e5e1f4407423cf69a43d1cf1978463a8924a144a20827807d76bf2f0a44eeef8de93b8a0b4f421087e034923263

Download Submit
memory/1472-54-0x0000000000400000-0x00000000013C8000-memory.dmp

Filesize
15.8MB

Download
memory/1472-55-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1956-57-0x0000000000000000-mapping.dmp

Download
memory/1956-60-0x0000000000DF0000-0x0000000000E3A000-memory.dmp

Filesize
296KB

Download

Analysis

Sharing