44caliber | 5956fe13a88b4ee1006ba35a0c2bb1797c9d925c453c368aac628870ca8ee4ba

General

Target

loader.exe
Size

15.8MB
MD5

75941eabd47ddaa0529e6bf66068eccd
SHA1

34d7b2683a149871591d3629b4da456064331ebd
SHA256

5956fe13a88b4ee1006ba35a0c2bb1797c9d925c453c368aac628870ca8ee4ba
SHA512

6d64ee77f9f08b3843031825e110a787efe81dddc72355e636659d53cdf697d663ff9c655cd89d41b5afeab88b8a3f7e4a2b049d77eb705e3c6b7ac817ea0c03

Score

10^/10

44caliber spyware stealer

Malware Config

Extracted

Family

44caliber

C2

https://discordapp.com/api/webhooks/973580174689964083/2sajMUbGeKbojdqVMbPo-qtidMXn5a7QaYSzjXpRpUgg81vxQoCnZ2D4zH6jyVu9DL96

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Executes dropped EXE 1 IoCs

Processes:

faldiko.exe

pid process

4404 faldiko.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

loader.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation loader.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

10 freegeoip.app
11 freegeoip.app
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
4404	faldiko.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	loader.exe

flow	ioc
10	freegeoip.app
11	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

faldiko.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	faldiko.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	faldiko.exe

Modifies registry class 1 IoCs

Processes:

loader.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ loader.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

faldiko.exe

pid process

4404 faldiko.exe
4404 faldiko.exe
4404 faldiko.exe
4404 faldiko.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

faldiko.exe

description pid process

Token: SeDebugPrivilege 4404 faldiko.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	loader.exe

pid	process
4404	faldiko.exe
4404	faldiko.exe
4404	faldiko.exe
4404	faldiko.exe

description	pid	process
Token: SeDebugPrivilege	4404	faldiko.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

loader.exe

description	pid	process	target process
PID 2908 wrote to memory of 4404	2908	loader.exe	faldiko.exe
PID 2908 wrote to memory of 4404	2908	loader.exe	faldiko.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908

C:\Users\Admin\AppData\Local\Temp\faldiko.exe
"C:\Users\Admin\AppData\Local\Temp\faldiko.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\faldiko.exe

Filesize
274KB

MD5
e8205566909635b44539a35b6361b0ae

SHA1
cbfefc9331926a8cf4dc6168b55ad61f02a1a708

SHA256
2a2f5c0dee61322166fc4015530ff20b46789af3fd82c4c7f2b678b2e63ec04c

SHA512
4c9328d55044e474e8422694f6e4b82a7ead3e5e1f4407423cf69a43d1cf1978463a8924a144a20827807d76bf2f0a44eeef8de93b8a0b4f421087e034923263

Download Submit
C:\Users\Admin\AppData\Local\Temp\faldiko.exe

Filesize
274KB

MD5
e8205566909635b44539a35b6361b0ae

SHA1
cbfefc9331926a8cf4dc6168b55ad61f02a1a708

SHA256
2a2f5c0dee61322166fc4015530ff20b46789af3fd82c4c7f2b678b2e63ec04c

SHA512
4c9328d55044e474e8422694f6e4b82a7ead3e5e1f4407423cf69a43d1cf1978463a8924a144a20827807d76bf2f0a44eeef8de93b8a0b4f421087e034923263

Download Submit
memory/2908-130-0x0000000000400000-0x00000000013C8000-memory.dmp

Filesize
15.8MB

Download
memory/4404-131-0x0000000000000000-mapping.dmp

Download
memory/4404-134-0x0000015D99140000-0x0000015D9918A000-memory.dmp

Filesize
296KB

Download
memory/4404-135-0x00007FFCAFF90000-0x00007FFCB0A51000-memory.dmp

Filesize
10.8MB

Download
memory/4404-136-0x00007FFCAFF90000-0x00007FFCB0A51000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing